ID

VAR-201912-1819


CVE

CVE-2019-11104


TITLE

Intel(R) CSME and Intel(R) TXE Input validation vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-013675

DESCRIPTION

Insufficient input validation in MEInfo software for Intel(R) CSME before versions 11.8.70, 11.11.70, 11.22.70, 12.0.45, 13.0.10 and 14.0.10; Intel(R) TXE before versions 3.1.70 and 4.0.20 may allow an authenticated user to potentially enable escalation of privilege via local access. Intel(R) CSME and Intel(R) TXE contain an input validation vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Both Intel Converged Security and Management Engine (CSME) and Intel TXE are products of Intel Corporation of the United States. Intel Converged Security and Management Engine is a security management engine. Intel TXE is a trusted execution engine with a hardware authentication function used in CPUs (central processing units). A security vulnerability exists in the MEInfo software in Intel CSME and Intel TXE due to insufficient input validation. A local attacker could exploit this vulnerability to elevate privileges. The following products and versions are affected: Intel CSME before 11.8.70, before 11.11.70, before 11.22.70, before 12.0.45, before 13.0.10, before 14.0.10; Intel TXE before 3.1.70 and before 4.0.20.

Trust: 1.8

sources: NVD: CVE-2019-11104 // JVNDB: JVNDB-2019-013675 // VULHUB: VHN-142717 // VULMON: CVE-2019-11104

AFFECTED PRODUCTS

vendor: intel, model: converged security management engine, scope: lt, version: 11.11.70

Trust: 1.8

vendor: intel, model: converged security management engine, scope: lt, version: 11.22.70

Trust: 1.8

vendor: intel, model: converged security management engine, scope: lt, version: 11.8.70

Trust: 1.8

vendor: intel, model: converged security management engine, scope: lt, version: 12.0.45

Trust: 1.8

vendor: intel, model: converged security management engine, scope: lt, version: 13.0.10

Trust: 1.8

vendor: intel, model: converged security management engine, scope: lt, version: 14.0.10

Trust: 1.8

vendor: intel, model: trusted execution engine, scope: lt, version: 3.1.70

Trust: 1.8

vendor: intel, model: trusted execution engine, scope: lt, version: 4.0.20

Trust: 1.8

vendor: intel, model: trusted execution engine, scope: gte, version: 4.0

Trust: 1.0

vendor: intel, model: converged security management engine, scope: gte, version: 11.0

Trust: 1.0

vendor: intel, model: converged security management engine, scope: gte, version: 14.0.0

Trust: 1.0

vendor: intel, model: converged security management engine, scope: gte, version: 11.20

Trust: 1.0

vendor: intel, model: converged security management engine, scope: gte, version: 13.0

Trust: 1.0

vendor: intel, model: trusted execution engine, scope: gte, version: 3.0

Trust: 1.0

vendor: intel, model: converged security management engine, scope: gte, version: 12.0

Trust: 1.0

vendor: intel, model: converged security management engine, scope: gte, version: 11.10

Trust: 1.0

sources: JVNDB: JVNDB-2019-013675 // NVD: CVE-2019-11104

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-11104
value: HIGH

Trust: 1.0

NVD: CVE-2019-11104
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201911-680
value: HIGH

Trust: 0.6

VULHUB: VHN-142717
value: MEDIUM

Trust: 0.1

VULMON: CVE-2019-11104
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-11104
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-142717
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-11104
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2019-11104
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-142717 // VULMON: CVE-2019-11104 // JVNDB: JVNDB-2019-013675 // CNNVD: CNNVD-201911-680 // NVD: CVE-2019-11104

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.9

sources: VULHUB: VHN-142717 // JVNDB: JVNDB-2019-013675 // NVD: CVE-2019-11104

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201911-680

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-201911-680

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-013675

PATCH

title: INTEL-SA-00241, url: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00241.html

Trust: 0.8

title: Intel TXE and Intel Converged Security and Management Engine Enter the fix for the verification error vulnerability, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=106330

Trust: 0.6

title: HP: HPSBHF03637 rev. 1 - Intel 2019.2 IPU CSME SPS TXE AMT Security Updates, url: https://vulmon.com/vendoradvisory?qidtp=hp_bulletin&qid=HPSBHF03637

Trust: 0.1

title: Threatpost, url: https://threatpost.com/intel-critical-info-disclosure-bug-security-engine/150124/

Trust: 0.1

sources: VULMON: CVE-2019-11104 // JVNDB: JVNDB-2019-013675 // CNNVD: CNNVD-201911-680

EXTERNAL IDS

db: NVD, id: CVE-2019-11104

Trust: 2.6

db: JVN, id: JVNVU90354904

Trust: 0.8

db: JVNDB, id: JVNDB-2019-013675

Trust: 0.8

db: CNNVD, id: CNNVD-201911-680

Trust: 0.7

db: LENOVO, id: LEN-27716

Trust: 0.6

db: AUSCERT, id: ESB-2020.2344

Trust: 0.6

db: CNVD, id: CNVD-2020-18615

Trust: 0.1

db: VULHUB, id: VHN-142717

Trust: 0.1

db: VULMON, id: CVE-2019-11104

Trust: 0.1

sources: VULHUB: VHN-142717 // VULMON: CVE-2019-11104 // JVNDB: JVNDB-2019-013675 // CNNVD: CNNVD-201911-680 // NVD: CVE-2019-11104

REFERENCES

url:https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00241.html

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2019-11104

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-11104

Trust: 0.8

url:https://jvn.jp/vu/jvnvu90354904/

Trust: 0.8

url:https://vigilance.fr/vulnerability/intel-csme-amt-dal-sps-txe-multiple-vulnerabilities-31014

Trust: 0.6

url:https://support.lenovo.com/us/en/product_security/len-27716

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.2344/

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/20.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://threatpost.com/intel-critical-info-disclosure-bug-security-engine/150124/

Trust: 0.1

url:https://support.hp.com/us-en/document/c06501966

Trust: 0.1

sources: VULHUB: VHN-142717 // VULMON: CVE-2019-11104 // JVNDB: JVNDB-2019-013675 // CNNVD: CNNVD-201911-680 // NVD: CVE-2019-11104

SOURCES

db: VULHUB, id: VHN-142717
db: VULMON, id: CVE-2019-11104
db: JVNDB, id: JVNDB-2019-013675
db: CNNVD, id: CNNVD-201911-680
db: NVD, id: CVE-2019-11104

LAST UPDATE DATE

2024-08-14T12:09:37.399000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-142717, date: 2020-01-02T00:00:00
db: VULMON, id: CVE-2019-11104, date: 2020-01-02T00:00:00
db: JVNDB, id: JVNDB-2019-013675, date: 2020-01-14T00:00:00
db: CNNVD, id: CNNVD-201911-680, date: 2020-07-10T00:00:00
db: NVD, id: CVE-2019-11104, date: 2020-01-02T16:19:48.760

SOURCES RELEASE DATE

db: VULHUB, id: VHN-142717, date: 2019-12-18T00:00:00
db: VULMON, id: CVE-2019-11104, date: 2019-12-18T00:00:00
db: JVNDB, id: JVNDB-2019-013675, date: 2020-01-14T00:00:00
db: CNNVD, id: CNNVD-201911-680, date: 2019-11-12T00:00:00
db: NVD, id: CVE-2019-11104, date: 2019-12-18T22:15:12.723