ID

VAR-201912-1819


CVE

CVE-2019-11104


TITLE

Intel(R) CSME and Intel(R) TXE Input validation vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-013675

DESCRIPTION

Insufficient input validation in MEInfo software for Intel(R) CSME before versions 11.8.70, 11.11.70, 11.22.70, 12.0.45, 13.0.10 and 14.0.10; Intel(R) TXE before versions 3.1.70 and 4.0.20 may allow an authenticated user to potentially enable escalation of privilege via local access. Intel(R) CSME and Intel(R) TXE Contains an input validation vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Both Intel Converged Security and Management Engine (CSME) and Intel TXE are products of Intel Corporation of the United States. Intel Converged Security and Management Engine is a security management engine. Intel TXE is a trusted execution engine with hardware authentication function used in CPU (Central Processing Unit). A security vulnerability exists in the MEInfo software in Intel CSME and Intel TXE due to insufficient input validation. A local attacker could exploit this vulnerability to elevate privileges. The following products and versions are affected: Intel CSME before 11.8.70, before 11.11.70, before 11.22.70, before 12.0.45, before 13.0.10, before 14.0.10; Intel TXE 3.1.70 Previous versions, versions before 4.0.20

Trust: 1.8

sources: NVD: CVE-2019-11104 // JVNDB: JVNDB-2019-013675 // VULHUB: VHN-142717 // VULMON: CVE-2019-11104

AFFECTED PRODUCTS

vendor:intelmodel:converged security management enginescope:ltversion:11.11.70

Trust: 1.8

vendor:intelmodel:converged security management enginescope:ltversion:11.22.70

Trust: 1.8

vendor:intelmodel:converged security management enginescope:ltversion:11.8.70

Trust: 1.8

vendor:intelmodel:converged security management enginescope:ltversion:12.0.45

Trust: 1.8

vendor:intelmodel:converged security management enginescope:ltversion:13.0.10

Trust: 1.8

vendor:intelmodel:converged security management enginescope:ltversion:14.0.10

Trust: 1.8

vendor:intelmodel:trusted execution enginescope:ltversion:3.1.70

Trust: 1.8

vendor:intelmodel:trusted execution enginescope:ltversion:4.0.20

Trust: 1.8

vendor:intelmodel:converged security management enginescope:gteversion:13.0

Trust: 1.0

vendor:intelmodel:converged security management enginescope:gteversion:11.10

Trust: 1.0

vendor:intelmodel:trusted execution enginescope:gteversion:3.0

Trust: 1.0

vendor:intelmodel:converged security management enginescope:gteversion:11.20

Trust: 1.0

vendor:intelmodel:trusted execution enginescope:gteversion:4.0

Trust: 1.0

vendor:intelmodel:converged security management enginescope:gteversion:11.0

Trust: 1.0

vendor:intelmodel:converged security management enginescope:gteversion:12.0

Trust: 1.0

vendor:intelmodel:converged security management enginescope:gteversion:14.0.0

Trust: 1.0

sources: JVNDB: JVNDB-2019-013675 // NVD: CVE-2019-11104

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-11104
value: HIGH

Trust: 1.0

NVD: CVE-2019-11104
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201911-680
value: HIGH

Trust: 0.6

VULHUB: VHN-142717
value: MEDIUM

Trust: 0.1

VULMON: CVE-2019-11104
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-11104
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-142717
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-11104
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2019-11104
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-142717 // VULMON: CVE-2019-11104 // JVNDB: JVNDB-2019-013675 // CNNVD: CNNVD-201911-680 // NVD: CVE-2019-11104

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.9

sources: VULHUB: VHN-142717 // JVNDB: JVNDB-2019-013675 // NVD: CVE-2019-11104

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201911-680

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-201911-680

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-013675

PATCH

title:INTEL-SA-00241url:https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00241.html

Trust: 0.8

title:Intel TXE and Intel Converged Security and Management Engine Enter the fix for the verification error vulnerabilityurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=106330

Trust: 0.6

title:HP: HPSBHF03637 rev. 1 - Intel 2019.2 IPU CSME SPS TXE AMT Security Updatesurl:https://vulmon.com/vendoradvisory?qidtp=hp_bulletin&qid=HPSBHF03637

Trust: 0.1

title:Threatposturl:https://threatpost.com/intel-critical-info-disclosure-bug-security-engine/150124/

Trust: 0.1

sources: VULMON: CVE-2019-11104 // JVNDB: JVNDB-2019-013675 // CNNVD: CNNVD-201911-680

EXTERNAL IDS

db:NVDid:CVE-2019-11104

Trust: 2.6

db:JVNid:JVNVU90354904

Trust: 0.8

db:JVNDBid:JVNDB-2019-013675

Trust: 0.8

db:CNNVDid:CNNVD-201911-680

Trust: 0.7

db:LENOVOid:LEN-27716

Trust: 0.6

db:AUSCERTid:ESB-2020.2344

Trust: 0.6

db:CNVDid:CNVD-2020-18615

Trust: 0.1

db:VULHUBid:VHN-142717

Trust: 0.1

db:VULMONid:CVE-2019-11104

Trust: 0.1

sources: VULHUB: VHN-142717 // VULMON: CVE-2019-11104 // JVNDB: JVNDB-2019-013675 // CNNVD: CNNVD-201911-680 // NVD: CVE-2019-11104

REFERENCES

url:https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00241.html

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2019-11104

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-11104

Trust: 0.8

url:https://jvn.jp/vu/jvnvu90354904/

Trust: 0.8

url:https://vigilance.fr/vulnerability/intel-csme-amt-dal-sps-txe-multiple-vulnerabilities-31014

Trust: 0.6

url:https://support.lenovo.com/us/en/product_security/len-27716

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.2344/

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/20.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://threatpost.com/intel-critical-info-disclosure-bug-security-engine/150124/

Trust: 0.1

url:https://support.hp.com/us-en/document/c06501966

Trust: 0.1

sources: VULHUB: VHN-142717 // VULMON: CVE-2019-11104 // JVNDB: JVNDB-2019-013675 // CNNVD: CNNVD-201911-680 // NVD: CVE-2019-11104

SOURCES

db:VULHUBid:VHN-142717
db:VULMONid:CVE-2019-11104
db:JVNDBid:JVNDB-2019-013675
db:CNNVDid:CNNVD-201911-680
db:NVDid:CVE-2019-11104

LAST UPDATE DATE

2024-11-23T20:47:01.300000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-142717date:2020-01-02T00:00:00
db:VULMONid:CVE-2019-11104date:2020-01-02T00:00:00
db:JVNDBid:JVNDB-2019-013675date:2020-01-14T00:00:00
db:CNNVDid:CNNVD-201911-680date:2020-07-10T00:00:00
db:NVDid:CVE-2019-11104date:2024-11-21T04:20:32.660

SOURCES RELEASE DATE

db:VULHUBid:VHN-142717date:2019-12-18T00:00:00
db:VULMONid:CVE-2019-11104date:2019-12-18T00:00:00
db:JVNDBid:JVNDB-2019-013675date:2020-01-14T00:00:00
db:CNNVDid:CNNVD-201911-680date:2019-11-12T00:00:00
db:NVDid:CVE-2019-11104date:2019-12-18T22:15:12.723