ID

VAR-201906-0733


CVE

CVE-2018-12147


TITLE

Multiple vulnerabilities in Intel products

Trust: 0.8

sources: JVNDB: JVNDB-2018-007314

DESCRIPTION

Insufficient input validation in HECI subsystem in Intel(R) CSME before version 11.21.55, Intel® Server Platform Services before version 4.0 and Intel® Trusted Execution Engine Firmware before version 3.1.55 may allow a privileged user to potentially enable escalation of privileges via local access. Intel has released an update for each product. The expected impact depends on each vulnerability, but can include the following: information leak; service operation interruption (DoS); privilege escalation; arbitrary code execution. Intel Converged Security and Management Engine (CSME), Intel Server Platform Services (SPS) and Intel Trusted Execution Engine are all products of the American company Intel Corporation. Intel Converged Security and Management Engine is a security management engine. Intel Server Platform Services (SPS) is a server platform service program. Intel Trusted Execution Engine is a trusted execution engine with a hardware verification function in the CPU (Central Processing Unit). The vulnerability stems from the lack of effective permission and access control measures for network systems or products. Attackers can use this vulnerability to elevate permissions. Multiple Intel products are prone to a local privilege-escalation vulnerability. A local attacker can exploit this issue to gain elevated privileges.

Trust: 2.52

sources: NVD: CVE-2018-12147 // JVNDB: JVNDB-2018-007314 // CNVD: CNVD-2020-18601 // BID: 108785 // VULHUB: VHN-122077

IOT TAXONOMY

category: ['ICS'] // sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-18601

AFFECTED PRODUCTS

vendor: intel // model: converged security management engine // scope: lte // version: 11.11.50

Trust: 1.0

vendor: intel // model: server platform services // scope: lt // version: 4.0

Trust: 1.0

vendor: intel // model: converged security management engine // scope: gte // version: 11.10

Trust: 1.0

vendor: intel // model: trusted execution engine // scope: gte // version: 3.0

Trust: 1.0

vendor: intel // model: trusted execution engine // scope: lte // version: 3.1.50

Trust: 1.0

vendor: intel // model: converged security management engine // scope: gte // version: 11.20

Trust: 1.0

vendor: intel // model: converged security management engine // scope: lte // version: 11.21.51

Trust: 1.0

vendor: intel // model: converged security management engine // scope: lte // version: 11.8.50

Trust: 1.0

vendor: intel // model: converged security management engine // scope: gte // version: 11.0

Trust: 1.0

vendor: intel // model: active management technology // scope: - // version: -

Trust: 0.8

vendor: intel // model: baseboard management controller // scope: - // version: -

Trust: 0.8

vendor: intel // model: computing improvement program // scope: - // version: -

Trust: 0.8

vendor: intel // model: csme // scope: - // version: -

Trust: 0.8

vendor: intel // model: data center manager sdk // scope: - // version: -

Trust: 0.8

vendor: intel // model: driver and support assistant // scope: - // version: -

Trust: 0.8

vendor: intel // model: extreme tuning utility // scope: - // version: -

Trust: 0.8

vendor: intel // model: nuc kit nuc7i7bnh // scope: - // version: -

Trust: 0.8

vendor: intel // model: server platform services // scope: - // version: -

Trust: 0.8

vendor: intel // model: software asset manager // scope: - // version: -

Trust: 0.8

vendor: intel // model: trusted execution engine // scope: - // version: -

Trust: 0.8

vendor: intel // model: openvino toolkit // scope: eq // version: for windows

Trust: 0.8

vendor: intel // model: power management controller // scope: - // version: -

Trust: 0.8

vendor: intel // model: csme // scope: lt // version: 11.21.55

Trust: 0.6

vendor: intel // model: sps // scope: lt // version: 4.0

Trust: 0.6

vendor: intel // model: trusted execution engine // scope: eq // version: 3.1.55

Trust: 0.6

vendor: intel // model: trusted execution engine // scope: eq // version: 3.1.50

Trust: 0.3

vendor: intel // model: trusted execution engine // scope: eq // version: 3.0

Trust: 0.3

vendor: intel // model: server platform services // scope: eq // version: 4.0

Trust: 0.3

vendor: intel // model: converged security management engine // scope: eq // version: 11.21.51

Trust: 0.3

vendor: intel // model: converged security management engine // scope: eq // version: 11.11.50

Trust: 0.3

vendor: intel // model: converged security management engine // scope: eq // version: 11.8.50

Trust: 0.3

vendor: intel // model: converged security management engine // scope: eq // version: 11.20

Trust: 0.3

vendor: intel // model: converged security management engine // scope: eq // version: 11.10

Trust: 0.3

vendor: intel // model: converged security management engine // scope: eq // version: 11.0

Trust: 0.3

vendor: intel // model: trusted execution engine // scope: ne // version: 3.1.55

Trust: 0.3

vendor: intel // model: server platform services // scope: ne // version: 5.0

Trust: 0.3

vendor: intel // model: converged security management engine // scope: ne // version: 11.21.55

Trust: 0.3

vendor: intel // model: converged security management engine // scope: ne // version: 11.11.55

Trust: 0.3

vendor: intel // model: converged security management engine // scope: ne // version: 11.8.55

Trust: 0.3

sources: CNVD: CNVD-2020-18601 // BID: 108785 // JVNDB: JVNDB-2018-007314 // NVD: CVE-2018-12147

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-12147
value: MEDIUM

Trust: 1.0

CNVD: CNVD-2020-18601
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201906-563
value: MEDIUM

Trust: 0.6

VULHUB: VHN-122077
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2018-12147
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

CNVD: CNVD-2020-18601
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-122077
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-12147
baseSeverity: MEDIUM
baseScore: 6.7
vectorString: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 0.8
impactScore: 5.9
version: 3.0

Trust: 1.0

sources: CNVD: CNVD-2020-18601 // VULHUB: VHN-122077 // CNNVD: CNNVD-201906-563 // NVD: CVE-2018-12147

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.1

problemtype:CWE-264

Trust: 0.1

sources: VULHUB: VHN-122077 // NVD: CVE-2018-12147

THREAT TYPE

local

Trust: 0.9

sources: BID: 108785 // CNNVD: CNNVD-201906-563

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-201906-563

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-007314

PATCH

title: INTEL-SA-00149 // url: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00149.html

Trust: 0.8

title: INTEL-SA-00162 // url: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00162.html

Trust: 0.8

title: INTEL-SA-00165 // url: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00165.html

Trust: 0.8

title: INTEL-SA-00172 // url: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00172.html

Trust: 0.8

title: INTEL-SA-00176 // url: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00176.html

Trust: 0.8

title: INTEL-SA-00125 // url: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00125.html

Trust: 0.8

title: INTEL-SA-00131 // url: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00131.html

Trust: 0.8

title: INTEL-SA-00141 // url: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00141.html

Trust: 0.8

title: INTEL-SA-00143 // url: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00143.html

Trust: 0.8

title: Patch for Intel Converged Security and Management Engine, Server Platform Services, and Trusted Execution Engine HECI subsystem permission and access control issues // url: https://www.cnvd.org.cn/patchInfo/show/210227

Trust: 0.6

title: Intel Converged Security and Management Engine, Server Platform Services and Trusted Execution Engine Fixes for permissions and access control issues vulnerabilities // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=93794

Trust: 0.6

sources: CNVD: CNVD-2020-18601 // JVNDB: JVNDB-2018-007314 // CNNVD: CNNVD-201906-563

EXTERNAL IDS

db: NVD // id: CVE-2018-12147

Trust: 3.4

db: JVN // id: JVNVU99931791

Trust: 0.8

db: JVNDB // id: JVNDB-2018-007314

Trust: 0.8

db: CNVD // id: CNVD-2020-18601

Trust: 0.7

db: CNNVD // id: CNNVD-201906-563

Trust: 0.7

db: BID // id: 108785

Trust: 0.3

db: VULHUB // id: VHN-122077

Trust: 0.1

sources: CNVD: CNVD-2020-18601 // VULHUB: VHN-122077 // BID: 108785 // JVNDB: JVNDB-2018-007314 // CNNVD: CNNVD-201906-563 // NVD: CVE-2018-12147

REFERENCES

url:https://nvd.nist.gov/vuln/detail/cve-2018-12147

Trust: 2.0

url:https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00125.html?wapkw=2018-12147

Trust: 1.6

url:https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00125.html

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-12147

Trust: 0.8

url:https://jvn.jp/vu/jvnvu99931791

Trust: 0.8

url:http://www.intel.com/

Trust: 0.3

sources: CNVD: CNVD-2020-18601 // VULHUB: VHN-122077 // BID: 108785 // JVNDB: JVNDB-2018-007314 // CNNVD: CNNVD-201906-563 // NVD: CVE-2018-12147

CREDITS

Intel employees and Maxim Goryachy from Positive Technologies.

Trust: 0.3

sources: BID: 108785

SOURCES

db: CNVD // id: CNVD-2020-18601
db: VULHUB // id: VHN-122077
db: BID // id: 108785
db: JVNDB // id: JVNDB-2018-007314
db: CNNVD // id: CNNVD-201906-563
db: NVD // id: CVE-2018-12147

LAST UPDATE DATE

2024-11-23T23:04:46.413000+00:00


SOURCES UPDATE DATE

db: CNVD // id: CNVD-2020-18601 // date: 2020-03-22T00:00:00
db: VULHUB // id: VHN-122077 // date: 2020-08-24T00:00:00
db: BID // id: 108785 // date: 2018-07-09T00:00:00
db: JVNDB // id: JVNDB-2018-007314 // date: 2019-10-01T00:00:00
db: CNNVD // id: CNNVD-201906-563 // date: 2020-10-28T00:00:00
db: NVD // id: CVE-2018-12147 // date: 2024-11-21T03:44:39.373

SOURCES RELEASE DATE

db: CNVD // id: CNVD-2020-18601 // date: 2020-03-22T00:00:00
db: VULHUB // id: VHN-122077 // date: 2019-06-13T00:00:00
db: BID // id: 108785 // date: 2018-07-09T00:00:00
db: JVNDB // id: JVNDB-2018-007314 // date: 2018-09-13T00:00:00
db: CNNVD // id: CNNVD-201906-563 // date: 2019-06-13T00:00:00
db: NVD // id: CVE-2018-12147 // date: 2019-06-13T16:29:00.247