Details of VAR-202011-0621

ID

VAR-202011-0621

CVE

CVE-2020-24525

TITLE

plural Intel(R) NUC Illegal permission retention vulnerability in firmware

Trust: 0.8

sources: JVNDB: JVNDB-2020-013302

DESCRIPTION

Insecure inherited permissions in firmware update tool for some Intel(R) NUCs may allow an authenticated user to potentially enable escalation of privilege via local access. plural Intel(R) NUC There is a vulnerability in the firmware regarding improper retention of permissions.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Document Title: =============== Intel NUC - Local Privilege Escalation Vulnerability References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2267 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-24525 CVE-ID: ======= CVE-2020-24525 Release Date: ============= 2020-11-13 Vulnerability Laboratory ID (VL-ID): ==================================== 2267 Common Vulnerability Scoring System: ==================================== 6.7 Vulnerability Class: ==================== Privilege Escalation Current Estimated Price: ======================== 10.000€ - 25.000€ Product & Service Introduction: =============================== The Intel® NUC kit consists of a customizable mainboard and housing. You can choose from a large selection of memory and data storage as well as the operating system. (Copy of the Homepage: https://www.intel.de/content/www/de/de/products/boards-kits/nuc/kits.html ) Abstract Advisory Information: ============================== A vulnerability laboratory core team researcher discovered a local privilege escalation in the official Intel® NUC. Affected Product(s): ==================== Intel® NUC Intel® NUC Board DE3815TYBE with a SA number H27002-500 and later. The SA number is located on the back of the chassis. TYBYT20H.86A Intel® NUC Kit DE3815TYKHE with an AA number H26998-500 and later. The AA number is found on the board’s memory module socket. TYBYT20H.86A Intel® NUC Board DE3815TYBE with the following SA numbers: H27002-400, -401, -402, -404, and -404. The SA number is located on the back of the chassis. TYBYT10H.86A Intel® NUC Kit DE3815TYKHE with the following AA numbers: H26998-401, -402, -403, -404, and -405. The AA number is found on the board’s memory module socket. TYBYT10H.86A Intel® NUC 8 Rugged Kit NUC8CCHKR CHAPLCEL.0049 Intel® NUC Board NUC8CCHB CHAPLCEL.0049 Intel® NUC 8 Pro Mini PC NUC8i3PNK PNWHL357.0037 Intel® NUC 8 Pro Kit NUC8i3PNK PNWHL357.0037 Intel® NUC 8 Pro Kit NUC8i3PNH PNWHL357.0037 Intel® NUC 8 Pro Board NUC8i3PNB PNWHL357.0037 Intel® NUC 9 Pro Kit - NUC9V7QNX QNCFLX70.34 Intel® NUC 9 Pro Kit - NUC9VXQNX QNCFLX70.34 Intel® NUC 8 Mainstream-G kit (NUC8i5INH) INWHL357.0036 Intel® NUC 8 Mainstream-G kit (NUC8i7INH) INWHL357.0036 Intel® NUC 8 Mainstream-G mini PC (NUC8i5INH) INWHL357.0036 Intel® NUC 8 Mainstream-G mini PC (NUC8i7INH) INWHL357.0036 Vulnerability Disclosure Timeline: ================================== 2020-11-13: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Exploitation Technique: ======================= Local Severity Level: =============== Medium Authentication Type: ==================== Restricted Authentication (User Privileges) User Interaction: ================= No User Interaction Disclosure Type: ================ Bug Bounty Technical Details & Description: ================================ Insecure inherited permissions in firmware update tool for some Intel(R) NUCs may allow an authenticated user with system privileges to potentially enable an escalation of the local process privilege via local system access. Solution - Fix & Patch: ======================= Intel recommends that users update to the latest NUC firmware version (see provided table). Intel recommends users update HDMI Firmware Update Tool for NUC7i3DN, NUC7i5DN and NUC7i7DN to an updated version 1.76 via the following URL: https://downloadcenter.intel.com/download/27315?v=t Security Risk: ============== The security risk of the local privilege escalation vulnerability in the intel nuc is estimated as medium. Credits & Authors: ================== S.AbenMassaoud [Core Research Team] - https://www.vulnerability-lab.com/show.php?user=S.AbenMassaoud Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. Domains: www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to get a ask permission. Copyright © 2020 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com

Trust: 1.71

sources: NVD: CVE-2020-24525 // JVNDB: JVNDB-2020-013302 // PACKETSTORM: 160090

AFFECTED PRODUCTS

vendor:	intel	model:	nuc board h27002-401	scope:	eq	version:	tybyt10h.86a	Trust: 1.0
vendor:	intel	model:	nuc board h27002-400	scope:	eq	version:	tybyt10h.86a	Trust: 1.0
vendor:	intel	model:	nuc 8 rugged kit nuc8cchkr	scope:	eq	version:	chaplcel.0049	Trust: 1.0
vendor:	intel	model:	nuc 8 pro kit nuc8i3pnk	scope:	eq	version:	pnwhl357.0037	Trust: 1.0
vendor:	intel	model:	nuc kit h26998-403	scope:	eq	version:	tybyt10h.86a	Trust: 1.0
vendor:	intel	model:	nuc kit h26998-405	scope:	eq	version:	tybyt10h.86a	Trust: 1.0
vendor:	intel	model:	nuc kit h26998-500	scope:	eq	version:	tybyt20h.86a	Trust: 1.0
vendor:	intel	model:	nuc 8 mainstream-g mini pc nuc8i7inh	scope:	eq	version:	inwhl357.0036	Trust: 1.0
vendor:	intel	model:	nuc 8 mainstream-g kit nuc8i7inh	scope:	eq	version:	inwhl357.0036	Trust: 1.0
vendor:	intel	model:	nuc 9 pro kit nuc9v7qnx	scope:	eq	version:	qncflx70.34	Trust: 1.0
vendor:	intel	model:	nuc board h27002-402	scope:	eq	version:	tybyt10h.86a	Trust: 1.0
vendor:	intel	model:	nuc 8 mainstream-g kit nuc8i5inh	scope:	eq	version:	inwhl357.0036	Trust: 1.0
vendor:	intel	model:	nuc 8 pro mini pc nuc8i3pnk	scope:	eq	version:	pnwhl357.0037	Trust: 1.0
vendor:	intel	model:	nuc board nuc8cchb	scope:	eq	version:	chaplcel.0049	Trust: 1.0
vendor:	intel	model:	nuc 8 pro kit nuc8i3pnh	scope:	eq	version:	pnwhl357.0037	Trust: 1.0
vendor:	intel	model:	nuc board h27002-500	scope:	eq	version:	tybyt20h.86a	Trust: 1.0
vendor:	intel	model:	nuc board h27002-404	scope:	eq	version:	tybyt10h.86a	Trust: 1.0
vendor:	intel	model:	nuc kit h26998-401	scope:	eq	version:	tybyt10h.86a	Trust: 1.0
vendor:	intel	model:	nuc kit h26998-404	scope:	eq	version:	tybyt10h.86a	Trust: 1.0
vendor:	intel	model:	nuc kit h26998-402	scope:	eq	version:	tybyt10h.86a	Trust: 1.0
vendor:	intel	model:	nuc 9 pro kit nuc9vxqnx	scope:	eq	version:	qncflx70.34	Trust: 1.0
vendor:	intel	model:	nuc 8 pro board nuc8i3pnb	scope:	eq	version:	pnwhl357.0037	Trust: 1.0
vendor:	intel	model:	nuc 8 mainstream-g mini pc nuc8i5inh	scope:	eq	version:	inwhl357.0036	Trust: 1.0
vendor:	インテル	model:	intel nuc 8 pro board nuc8i3pnp	scope:	-	version:	-	Trust: 0.8
vendor:	インテル	model:	intel nuc 8 rugged kit nuc8cchkr	scope:	-	version:	-	Trust: 0.8
vendor:	インテル	model:	intel nuc 8 mainstream-g kit nuc8i5inh	scope:	-	version:	-	Trust: 0.8
vendor:	インテル	model:	intel nuc 8 mainstream-g mini pc nuc8i5inh	scope:	-	version:	-	Trust: 0.8
vendor:	インテル	model:	intel nuc 8 pro kit nuc8i3pnh	scope:	-	version:	-	Trust: 0.8
vendor:	インテル	model:	intel nuc board h27002-404	scope:	-	version:	-	Trust: 0.8
vendor:	インテル	model:	intel nuc board nuc8cchb	scope:	-	version:	-	Trust: 0.8
vendor:	インテル	model:	intel nuc 8 mainstream-g kit pc nuc8i7inh	scope:	-	version:	-	Trust: 0.8
vendor:	インテル	model:	intel nuc 8 pro kit nuc8i3pnk	scope:	-	version:	-	Trust: 0.8
vendor:	インテル	model:	intel nuc board h27002-500	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2020-013302 // NVD: CVE-2020-24525

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-24525
value:	HIGH
Trust: 1.0
NVD:	CVE-2020-24525
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202011-932
value:	HIGH
Trust: 0.6

nvd@nist.gov:	CVE-2020-24525
severity:	MEDIUM
baseScore:	4.6
vectorString:	AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8

nvd@nist.gov:	CVE-2020-24525
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2020-24525
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2020-013302 // CNNVD: CNNVD-202011-932 // NVD: CVE-2020-24525

PROBLEMTYPE DATA

problemtype:	CWE-732	Trust: 1.0
problemtype:	Improper retention of permissions (CWE-281) [NVD Evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2020-013302 // NVD: CVE-2020-24525

THREAT TYPE

local

Trust: 0.7

sources: PACKETSTORM: 160090 // CNNVD: CNNVD-202011-932

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202011-932

PATCH

title:	INTEL-SA-00414	url:	https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00414.html	Trust: 0.8
title:	Intel NUCs Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=135009	Trust: 0.6

sources: JVNDB: JVNDB-2020-013302 // CNNVD: CNNVD-202011-932

EXTERNAL IDS

db:	NVD	id:	CVE-2020-24525	Trust: 2.5
db:	JVNDB	id:	JVNDB-2020-013302	Trust: 0.8
db:	AUSCERT	id:	ESB-2020.3987	Trust: 0.6
db:	CNNVD	id:	CNNVD-202011-932	Trust: 0.6
db:	PACKETSTORM	id:	160090	Trust: 0.1

sources: JVNDB: JVNDB-2020-013302 // PACKETSTORM: 160090 // CNNVD: CNNVD-202011-932 // NVD: CVE-2020-24525

REFERENCES

url:	https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00414	Trust: 1.6
url:	http://seclists.org/fulldisclosure/2020/nov/26	Trust: 1.6
url:	https://nvd.nist.gov/vuln/detail/cve-2020-24525	Trust: 1.4
url:	https://www.auscert.org.au/bulletins/esb-2020.3987/	Trust: 0.6
url:	https://www.vulnerability-lab.com/get_content.php?id=2267	Trust: 0.1
url:	https://www.intel.de/content/www/de/de/products/boards-kits/nuc/kits.html	Trust: 0.1
url:	https://www.vulnerability-lab.com/show.php?user=s.abenmassaoud	Trust: 0.1
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2020-24525	Trust: 0.1
url:	https://www.vulnerability-db.com	Trust: 0.1
url:	https://downloadcenter.intel.com/download/27315?v=t	Trust: 0.1
url:	https://www.vuln-lab.com	Trust: 0.1

sources: JVNDB: JVNDB-2020-013302 // PACKETSTORM: 160090 // CNNVD: CNNVD-202011-932 // NVD: CVE-2020-24525

CREDITS

S.AbenMassaoud

Trust: 0.1

sources: PACKETSTORM: 160090

SOURCES

db:	JVNDB	id:	JVNDB-2020-013302
db:	PACKETSTORM	id:	160090
db:	CNNVD	id:	CNNVD-202011-932
db:	NVD	id:	CVE-2020-24525

LAST UPDATE DATE

2024-11-23T21:35:08.946000+00:00

SOURCES UPDATE DATE

db:	JVNDB	id:	JVNDB-2020-013302	date:	2021-06-23T08:06:00
db:	CNNVD	id:	CNNVD-202011-932	date:	2020-11-24T00:00:00
db:	NVD	id:	CVE-2020-24525	date:	2024-11-21T05:14:57.590

SOURCES RELEASE DATE

db:	JVNDB	id:	JVNDB-2020-013302	date:	2021-06-23T00:00:00
db:	PACKETSTORM	id:	160090	date:	2020-11-16T17:12:30
db:	CNNVD	id:	CNNVD-202011-932	date:	2020-11-11T00:00:00
db:	NVD	id:	CVE-2020-24525	date:	2020-11-12T19:15:14.833