Details of VAR-201903-0976

ID

VAR-201903-0976

CVE

CVE-2018-12191

TITLE

Intel Multiple vulnerabilities in the product

Trust: 0.8

sources: JVNDB: JVNDB-2019-001582

DESCRIPTION

Bounds check in Kernel subsystem in Intel CSME before version 11.8.60, 11.11.60, 11.22.60 or 12.0.20, or Intel(R) Server Platform Services before versions 4.00.04.383 or SPS 4.01.02.174, or Intel(R) TXE before versions 3.1.60 or 4.0.10 may allow an unauthenticated user to potentially execute arbitrary code via physical access. Intel Has released an update for each product.The expected impact depends on each vulnerability, but can be affected as follows: * information leak * Service operation interruption (DoS) * Privilege escalation. Intel(R) CSME , Server Platform Services , TXE Contains vulnerabilities related to authorization, permissions, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Intel Converged Security and Management Engine (CSME) and others are products of Intel Corporation of the United States. Intel Converged Security and Management Engine is a security management engine. Intel Server Platform Services is a server platform service program. Intel TXE is a trusted execution engine with hardware authentication function used in CPU (Central Processing Unit). Kernel subsystem is one of the kernel subsystems. Security vulnerabilities exist in the Kernel subsystem in Intel CSME, Intel Server Platform Services, and Intel TXE. An attacker in physical proximity could exploit this vulnerability to execute arbitrary code. The following products and versions are affected: Intel CSME prior to 11.8.60, prior to 11.11.60, prior to 11.22.60, prior to 12.0.20; Intel Server Platform Services prior to 4.00.04.383, prior to 4.01.02.174; Intel TXE version before 3.1.60, version before 4.0.10

Trust: 2.52

sources: NVD: CVE-2018-12191 // JVNDB: JVNDB-2019-001582 // JVNDB: JVNDB-2018-014781 // VULHUB: VHN-122126 // VULMON: CVE-2018-12191

AFFECTED PRODUCTS

vendor:	intel	model:	converged security management engine	scope:	lt	version:	11.11.60	Trust: 1.8
vendor:	intel	model:	converged security management engine	scope:	lt	version:	11.22.60	Trust: 1.8
vendor:	intel	model:	converged security management engine	scope:	lt	version:	11.8.60	Trust: 1.8
vendor:	intel	model:	converged security management engine	scope:	lt	version:	12.0.20	Trust: 1.8
vendor:	intel	model:	server platform services	scope:	lt	version:	4.00.04.383	Trust: 1.8
vendor:	intel	model:	trusted execution engine	scope:	lt	version:	3.1.60	Trust: 1.8
vendor:	intel	model:	trusted execution engine	scope:	lt	version:	4.0.10	Trust: 1.8
vendor:	intel	model:	server platform services	scope:	gte	version:	4.01.00.152.0	Trust: 1.0
vendor:	intel	model:	converged security management engine	scope:	gte	version:	11.10	Trust: 1.0
vendor:	intel	model:	trusted execution engine	scope:	gte	version:	3.0	Trust: 1.0
vendor:	intel	model:	server platform services	scope:	lt	version:	4.01.02.174	Trust: 1.0
vendor:	intel	model:	converged security management engine	scope:	gte	version:	11.20	Trust: 1.0
vendor:	intel	model:	trusted execution engine	scope:	gte	version:	4.0	Trust: 1.0
vendor:	intel	model:	converged security management engine	scope:	gte	version:	12.0.0	Trust: 1.0
vendor:	intel	model:	converged security management engine	scope:	gte	version:	11.0	Trust: 1.0
vendor:	intel	model:	server platform services	scope:	gte	version:	4.00.04.367	Trust: 1.0
vendor:	intel	model:	accelerated storage manager	scope:	-	version:	-	Trust: 0.8
vendor:	intel	model:	active management technology	scope:	-	version:	-	Trust: 0.8
vendor:	intel	model:	csme	scope:	-	version:	-	Trust: 0.8
vendor:	intel	model:	matrix storage manager	scope:	-	version:	-	Trust: 0.8
vendor:	intel	model:	server platform services	scope:	-	version:	-	Trust: 0.8
vendor:	intel	model:	sgx sdk	scope:	-	version:	-	Trust: 0.8
vendor:	intel	model:	trusted execution engine	scope:	-	version:	-	Trust: 0.8
vendor:	intel	model:	usb 3.0 creator utility	scope:	-	version:	-	Trust: 0.8
vendor:	intel	model:	intel	scope:	-	version:	-	Trust: 0.8
vendor:	intel	model:	graphics driver	scope:	eq	version:	for windows	Trust: 0.8
vendor:	intel	model:	server platform services	scope:	lt	version:	sps 4.01.02.174	Trust: 0.8

sources: JVNDB: JVNDB-2019-001582 // JVNDB: JVNDB-2018-014781 // NVD: CVE-2018-12191

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-12191
value:	HIGH
Trust: 1.0
NVD:	CVE-2018-12191
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201903-565
value:	HIGH
Trust: 0.6
VULHUB:	VHN-122126
value:	HIGH
Trust: 0.1
VULMON:	CVE-2018-12191
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2018-12191
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-122126
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-12191
baseSeverity:	HIGH
baseScore:	7.6
vectorString:	CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
attackVector:	PHYSICAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	0.9
impactScore:	6.0
version:	3.1
Trust: 1.0
NVD:	CVE-2018-12191
baseSeverity:	HIGH
baseScore:	7.6
vectorString:	CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
attackVector:	PHYSICAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-122126 // VULMON: CVE-2018-12191 // JVNDB: JVNDB-2018-014781 // CNNVD: CNNVD-201903-565 // NVD: CVE-2018-12191

PROBLEMTYPE DATA

problemtype:	CWE-119	Trust: 1.1
problemtype:	CWE-264	Trust: 0.9

sources: VULHUB: VHN-122126 // JVNDB: JVNDB-2018-014781 // NVD: CVE-2018-12191

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-201903-565

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-001582

PATCH

title:	INTEL-SA-00231 - Intel Accelerated Storage Manager in RSTe Advisory	url:	https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00231.html	Trust: 0.8
title:	INTEL-SA-00185 - Intel CSME, Server Platform Services, Trusted Execution Engine and Intel Active Management Technology 2018.4 QSR Advisory	url:	https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00185.html	Trust: 0.8
title:	INTEL-SA-00189 - Intel Graphics Driver for Windows* 2018.4 QSR Advisory	url:	https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00189.html	Trust: 0.8
title:	INTEL-SA-00191 - Intel Firmware 2018.4 QSR Advisory	url:	https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00191.html	Trust: 0.8
title:	INTEL-SA-00216 - Intel Matrix Storage Manager Advisory	url:	https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00216.html	Trust: 0.8
title:	INTEL-SA-00217 - Intel Software Guard Extensions SDK Advisory	url:	https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00217.html	Trust: 0.8
title:	INTEL-SA-00229 - Intel USB 3.0 Creator Utility Advisory	url:	https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00229.html	Trust: 0.8
title:	INTEL-SA-00185	url:	https://www.intel.com/content/www/us/en/security-center/advisory/INTEL-SA-00185.html	Trust: 0.8
title:	Intel Converged Security and Management Engine , Intel Server Platform Services and Intel TXE Kernel Subsystem security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=90152	Trust: 0.6
title:	HP: HPSBHF03607 rev. 1 - Intel CSME, Trusted Execution Engine (TXE), Active Management Technology (AMT) Security Updates	url:	https://vulmon.com/vendoradvisory?qidtp=hp_bulletin&qid=HPSBHF03607	Trust: 0.1
title:	HP: SUPPORT COMMUNICATION- SECURITY BULLETIN HPSBHF03607 rev. 3 - Intel CSME, Trusted Execution Engine (TXE), Active Management Technology (AMT) Security Updates	url:	https://vulmon.com/vendoradvisory?qidtp=hp_bulletin&qid=51d2d28b63e152f4f552c812febc508a	Trust: 0.1
title:	HP: SUPPORT COMMUNICATION- SECURITY BULLETIN HPSBHF03607 rev. 3 - Intel CSME, Trusted Execution Engine (TXE), Active Management Technology (AMT) Security Updates	url:	https://vulmon.com/vendoradvisory?qidtp=hp_bulletin&qid=405f211acdb0c121daea18202369840e	Trust: 0.1
title:	Threatpost	url:	https://threatpost.com/lenovo-patches-high-severity-arbitrary-code-execution-flaws/142860/	Trust: 0.1

sources: VULMON: CVE-2018-12191 // JVNDB: JVNDB-2019-001582 // JVNDB: JVNDB-2018-014781 // CNNVD: CNNVD-201903-565

EXTERNAL IDS

db:	NVD	id:	CVE-2018-12191	Trust: 2.6
db:	JVN	id:	JVNVU98344681	Trust: 1.6
db:	JVNDB	id:	JVNDB-2019-001582	Trust: 1.6
db:	JVNDB	id:	JVNDB-2018-014781	Trust: 0.8
db:	CNNVD	id:	CNNVD-201903-565	Trust: 0.7
db:	LENOVO	id:	LEN-25083	Trust: 0.6
db:	CNVD	id:	CNVD-2020-18573	Trust: 0.1
db:	VULHUB	id:	VHN-122126	Trust: 0.1
db:	VULMON	id:	CVE-2018-12191	Trust: 0.1

sources: VULHUB: VHN-122126 // VULMON: CVE-2018-12191 // JVNDB: JVNDB-2019-001582 // JVNDB: JVNDB-2018-014781 // CNNVD: CNNVD-201903-565 // NVD: CVE-2018-12191

REFERENCES

url:	https://security.netapp.com/advisory/ntap-20190318-0001/	Trust: 1.8
url:	https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00185.html	Trust: 1.8
url:	https://support.hpe.com/hpsc/doc/public/display?doclocale=en_us&docid=emr_na-hpesbhf03914en_us	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2018-12191	Trust: 1.4
url:	https://jvn.jp/vu/jvnvu98344681	Trust: 0.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-12191	Trust: 0.8
url:	https://jvn.jp/vu/jvnvu98344681/	Trust: 0.8
url:	https://jvndb.jvn.jp/ja/contents/2019/jvndb-2019-001582.html	Trust: 0.8
url:	https://support.lenovo.com/us/en/solutions/len-25083	Trust: 0.6
url:	https://support.hpe.com/hpsc/doc/public/display?doclocale=en_us&docid=emr_na-hpesbhf03914en_us	Trust: 0.1
url:	https://cwe.mitre.org/data/definitions/119.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://support.hp.com/us-en/document/c06263668	Trust: 0.1
url:	https://threatpost.com/lenovo-patches-high-severity-arbitrary-code-execution-flaws/142860/	Trust: 0.1

sources: VULHUB: VHN-122126 // VULMON: CVE-2018-12191 // JVNDB: JVNDB-2019-001582 // JVNDB: JVNDB-2018-014781 // CNNVD: CNNVD-201903-565 // NVD: CVE-2018-12191

SOURCES

db:	VULHUB	id:	VHN-122126
db:	VULMON	id:	CVE-2018-12191
db:	JVNDB	id:	JVNDB-2019-001582
db:	JVNDB	id:	JVNDB-2018-014781
db:	CNNVD	id:	CNNVD-201903-565
db:	NVD	id:	CVE-2018-12191

LAST UPDATE DATE

2024-11-23T20:41:42.065000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-122126	date:	2020-09-10T00:00:00
db:	VULMON	id:	CVE-2018-12191	date:	2020-09-10T00:00:00
db:	JVNDB	id:	JVNDB-2019-001582	date:	2019-03-15T00:00:00
db:	JVNDB	id:	JVNDB-2018-014781	date:	2019-04-10T00:00:00
db:	CNNVD	id:	CNNVD-201903-565	date:	2019-10-08T00:00:00
db:	NVD	id:	CVE-2018-12191	date:	2024-11-21T03:44:43.640

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-122126	date:	2019-03-14T00:00:00
db:	VULMON	id:	CVE-2018-12191	date:	2019-03-14T00:00:00
db:	JVNDB	id:	JVNDB-2019-001582	date:	2019-03-15T00:00:00
db:	JVNDB	id:	JVNDB-2018-014781	date:	2019-04-10T00:00:00
db:	CNNVD	id:	CNNVD-201903-565	date:	2019-03-14T00:00:00
db:	NVD	id:	CVE-2018-12191	date:	2019-03-14T20:29:00.460