PT-2020-4743 · Intel · Intel Txe+1

Published

2020-11-10

·

Updated

2020-11-24

·

CVE-2020-12303

CVSS v3.1

7.8

High

VectorAV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Intel CSME versions prior to 11.8.80 Intel CSME versions prior to 11.12.80 Intel CSME versions prior to 11.22.80 Intel CSME versions prior to 12.0.70 Intel CSME versions prior to 13.0.40 Intel CSME versions prior to 13.30.10 Intel CSME versions prior to 14.0.45 Intel CSME versions prior to 14.5.25 Intel TXE version 3.1.80 Intel TXE version 4.0.30
Description: The issue is related to a use after free vulnerability in the DAL subsystem of Intel Converged Security and Manageability Engine (CSME) and Intel Trusted Execution Engine (TXE) firmware. This vulnerability can be exploited to potentially enable escalation of privileges via local access by an authenticated user.
Recommendations: For Intel CSME versions prior to 11.8.80, update to version 11.8.80 or later. For Intel CSME versions prior to 11.12.80, update to version 11.12.80 or later. For Intel CSME versions prior to 11.22.80, update to version 11.22.80 or later. For Intel CSME versions prior to 12.0.70, update to version 12.0.70 or later. For Intel CSME versions prior to 13.0.40, update to version 13.0.40 or later. For Intel CSME versions prior to 13.30.10, update to version 13.30.10 or later. For Intel CSME versions prior to 14.0.45, update to version 14.0.45 or later. For Intel CSME versions prior to 14.5.25, update to version 14.5.25 or later. For Intel TXE version 3.1.80, update to a version later than 3.1.80. For Intel TXE version 4.0.30, update to a version later than 4.0.30.

Fix

Use After Free

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-416

Related Identifiers

BDU:2020-05295
CVE-2020-12303

Affected Products

Intel Csme
Intel Txe