Details of VAR-201706-0438

ID

VAR-201706-0438

CVE

CVE-2017-5697

TITLE

Intel AMT firmware Web User Interface Vulnerability that allows user's web click operations to be hijacked in

Trust: 0.8

sources: JVNDB: JVNDB-2017-004925

DESCRIPTION

Insufficient clickjacking protection in the Web User Interface of Intel AMT firmware versions before 9.1.40.1000, 9.5.60.1952, 10.0.50.1004, 11.0.0.1205, and 11.6.25.1129 potentially allowing a remote attacker to hijack users web clicks via attacker's crafted web page. Intel Active Management Technology is prone to a clickjacking vulnerability. Successfully exploiting this issue may allow attackers to gain unauthorized access to the affected application or obtain sensitive information. Other attacks are also possible. Intel Active Management Technology firmware versions before 9.1.40.100, 9.5.60.1952, 10.0.0.50.1004 and 11.0.0.1205 are vulnerable. Web User Interface is one of the Web management interfaces. The following versions are affected: Intel AMT firmware prior to 9.1.40.1000, prior to 9.5.60.1952, prior to 10.0.50.1004, prior to 11.0.0.1205, prior to 11.6.25.1129

Trust: 1.98

sources: NVD: CVE-2017-5697 // JVNDB: JVNDB-2017-004925 // BID: 99064 // VULHUB: VHN-113900

AFFECTED PRODUCTS

vendor:	intel	model:	active management technology	scope:	lt	version:	11.6.25.1129	Trust: 1.0
vendor:	intel	model:	active management technology	scope:	gte	version:	11.0	Trust: 1.0
vendor:	intel	model:	active management technology	scope:	lt	version:	9.5.60.1952	Trust: 1.0
vendor:	intel	model:	active management technology	scope:	gte	version:	9.1	Trust: 1.0
vendor:	intel	model:	active management technology	scope:	lt	version:	10.0.50.1004	Trust: 1.0
vendor:	intel	model:	active management technology	scope:	gte	version:	11.6	Trust: 1.0
vendor:	intel	model:	active management technology	scope:	gte	version:	10.0	Trust: 1.0
vendor:	intel	model:	active management technology	scope:	gte	version:	9.5	Trust: 1.0
vendor:	intel	model:	active management technology	scope:	lt	version:	11.0.0.1205	Trust: 1.0
vendor:	intel	model:	active management technology	scope:	lt	version:	9.1.40.1000	Trust: 1.0
vendor:	intel	model:	active management technology	scope:	eq	version:	9.5	Trust: 0.9
vendor:	intel	model:	active management technology	scope:	eq	version:	9.1	Trust: 0.9
vendor:	intel	model:	active management technology	scope:	eq	version:	11.0	Trust: 0.9
vendor:	intel	model:	active management technology	scope:	eq	version:	10.0	Trust: 0.9
vendor:	インテル	model:	intel active management technology	scope:	-	version:	-	Trust: 0.8
vendor:	インテル	model:	intel active management technology	scope:	eq	version:	-	Trust: 0.8
vendor:	インテル	model:	intel active management technology	scope:	eq	version:	intel active management technology firmware	Trust: 0.8
vendor:	intel	model:	active management technology	scope:	eq	version:	11.6	Trust: 0.6
vendor:	intel	model:	active management technology	scope:	ne	version:	9.5.60.1952	Trust: 0.3
vendor:	intel	model:	active management technology	scope:	ne	version:	9.1.40.100	Trust: 0.3
vendor:	intel	model:	active management technology	scope:	ne	version:	11.0.0.1205	Trust: 0.3
vendor:	intel	model:	active management technology	scope:	ne	version:	10.0.0.50.1004	Trust: 0.3

sources: BID: 99064 // JVNDB: JVNDB-2017-004925 // CNNVD: CNNVD-201706-608 // NVD: CVE-2017-5697

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-5697
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2017-5697
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201706-608
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-113900
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2017-5697
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-113900
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-5697
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2017-5697
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-113900 // JVNDB: JVNDB-2017-004925 // CNNVD: CNNVD-201706-608 // NVD: CVE-2017-5697

PROBLEMTYPE DATA

problemtype:	CWE-1021	Trust: 1.0
problemtype:	Improper restrictions on rendered user interface layers or frames (CWE-1021) [NVD evaluation ]	Trust: 0.8
problemtype:	CWE-20	Trust: 0.1

sources: VULHUB: VHN-113900 // JVNDB: JVNDB-2017-004925 // NVD: CVE-2017-5697

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201706-608

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-201706-608

PATCH

title:	INTEL-SA-00081	url:	https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00081&languageid=en-fr	Trust: 0.8
title:	Intel AMT firmware Enter the fix for the verification vulnerability	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=71495	Trust: 0.6

sources: JVNDB: JVNDB-2017-004925 // CNNVD: CNNVD-201706-608

EXTERNAL IDS

db:	NVD	id:	CVE-2017-5697	Trust: 3.6
db:	JVNDB	id:	JVNDB-2017-004925	Trust: 0.8
db:	CNNVD	id:	CNNVD-201706-608	Trust: 0.7
db:	BID	id:	99064	Trust: 0.4
db:	VULHUB	id:	VHN-113900	Trust: 0.1

sources: VULHUB: VHN-113900 // BID: 99064 // JVNDB: JVNDB-2017-004925 // CNNVD: CNNVD-201706-608 // NVD: CVE-2017-5697

REFERENCES

url:	https://security-center.intel.com/advisory.aspx?intelid=intel-sa-00081&languageid=en-fr	Trust: 1.9
url:	https://nvd.nist.gov/vuln/detail/cve-2017-5697	Trust: 0.8
url:	http://www.intel.com/	Trust: 0.3
url:	https://security-center.intel.com/advisory.aspx?intelid=intel-sa-00081&languageid=en-fr	Trust: 0.1

sources: VULHUB: VHN-113900 // BID: 99064 // JVNDB: JVNDB-2017-004925 // CNNVD: CNNVD-201706-608 // NVD: CVE-2017-5697

CREDITS

Lenovo

Trust: 0.3

sources: BID: 99064

SOURCES

db:	VULHUB	id:	VHN-113900
db:	BID	id:	99064
db:	JVNDB	id:	JVNDB-2017-004925
db:	CNNVD	id:	CNNVD-201706-608
db:	NVD	id:	CVE-2017-5697

LAST UPDATE DATE

2024-11-23T23:05:25.746000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-113900	date:	2017-06-27T00:00:00
db:	BID	id:	99064	date:	2017-06-05T00:00:00
db:	JVNDB	id:	JVNDB-2017-004925	date:	2024-02-26T01:30:00
db:	CNNVD	id:	CNNVD-201706-608	date:	2017-07-14T00:00:00
db:	NVD	id:	CVE-2017-5697	date:	2024-11-21T03:28:14.573

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-113900	date:	2017-06-14T00:00:00
db:	BID	id:	99064	date:	2017-06-05T00:00:00
db:	JVNDB	id:	JVNDB-2017-004925	date:	2017-07-11T00:00:00
db:	CNNVD	id:	CNNVD-201706-608	date:	2017-06-14T00:00:00
db:	NVD	id:	CVE-2017-5697	date:	2017-06-14T12:29:00.177