Details of VAR-201905-1172

ID

VAR-201905-1172

CVE

CVE-2019-0090

TITLE

Intel Multiple vulnerabilities in the product

Trust: 0.8

sources: JVNDB: JVNDB-2019-003441

DESCRIPTION

Insufficient access control vulnerability in subsystem for Intel(R) CSME before versions 11.x, 12.0.35 Intel(R) TXE 3.x, 4.x, Intel(R) Server Platform Services 3.x, 4.x, Intel(R) SPS before version SPS_E3_05.00.04.027.0 may allow an unauthenticated user to potentially enable escalation of privilege via physical access. Intel(R) CSME and SPS Contains an access control vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Intel Converged Security and Management Engine (CSME) and others are products of Intel Corporation of the United States. Intel Converged Security and Management Engine is a security management engine. Intel Server Platform Services (SPS) is a server platform service program. Intel TXE is a trusted execution engine with hardware authentication function used in CPU (Central Processing Unit). An access control error vulnerability exists in subsystems in several Intel products. This vulnerability stems from network systems or products not properly restricting access to resources from unauthorized roles. The following products and versions are affected: Intel CSME before 11.x, before 12.0.35; TXE before 3.x, before 4.x; SPS before 3.x, before 4.x, SPS_E3_05.00.04 Versions prior to .027.0

Trust: 1.8

sources: NVD: CVE-2019-0090 // JVNDB: JVNDB-2019-004743 // VULHUB: VHN-140121 // VULMON: CVE-2019-0090

AFFECTED PRODUCTS

vendor:	intel	model:	server platform services	scope:	lt	version:	sps_e3_05.00.04.027.0	Trust: 1.8
vendor:	intel	model:	converged security and management engine	scope:	lt	version:	12.0.35	Trust: 1.0
vendor:	intel	model:	acu wizard	scope:	-	version:	-	Trust: 0.8
vendor:	intel	model:	active management technology	scope:	-	version:	-	Trust: 0.8
vendor:	intel	model:	converged security management engine	scope:	-	version:	-	Trust: 0.8
vendor:	intel	model:	driver and support assistant	scope:	-	version:	-	Trust: 0.8
vendor:	intel	model:	dynamic application loader	scope:	-	version:	-	Trust: 0.8
vendor:	intel	model:	i915	scope:	-	version:	-	Trust: 0.8
vendor:	intel	model:	nuc board nuc7i7dnbe	scope:	-	version:	-	Trust: 0.8
vendor:	intel	model:	nuc kit nuc7i5dnhe	scope:	-	version:	-	Trust: 0.8
vendor:	intel	model:	nuc kit nuc7i7dnhe	scope:	-	version:	-	Trust: 0.8
vendor:	intel	model:	nuc kit nuc7i7dnke	scope:	-	version:	-	Trust: 0.8
vendor:	intel	model:	nuc kit nuc8i7hnk	scope:	-	version:	-	Trust: 0.8
vendor:	intel	model:	nuc kit nuc8i7hvk	scope:	-	version:	-	Trust: 0.8
vendor:	intel	model:	proset/wireless software driver	scope:	-	version:	-	Trust: 0.8
vendor:	intel	model:	quartus ii programmer and tools	scope:	-	version:	-	Trust: 0.8
vendor:	intel	model:	server platform services	scope:	-	version:	-	Trust: 0.8
vendor:	intel	model:	trusted execution engine	scope:	-	version:	-	Trust: 0.8
vendor:	intel	model:	intel	scope:	-	version:	-	Trust: 0.8
vendor:	intel	model:	quartus prime	scope:	-	version:	-	Trust: 0.8
vendor:	intel	model:	scs discovery utility	scope:	-	version:	-	Trust: 0.8
vendor:	intel	model:	unite client	scope:	-	version:	-	Trust: 0.8
vendor:	intel	model:	graphics driver	scope:	-	version:	-	Trust: 0.8
vendor:	intel	model:	converged security management engine	scope:	lt	version:	12.0.35	Trust: 0.8

sources: JVNDB: JVNDB-2019-003441 // JVNDB: JVNDB-2019-004743 // NVD: CVE-2019-0090

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-0090
value:	HIGH
Trust: 1.0
NVD:	CVE-2019-0090
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201905-741
value:	HIGH
Trust: 0.6
VULHUB:	VHN-140121
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2019-0090
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2019-0090
severity:	MEDIUM
baseScore:	4.4
vectorString:	AV:L/AC:M/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.4
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
NVD:	CVE-2019-0090
severity:	MEDIUM
baseScore:	4.6
vectorString:	AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
VULHUB:	VHN-140121
severity:	MEDIUM
baseScore:	4.4
vectorString:	AV:L/AC:M/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.4
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-0090
baseSeverity:	HIGH
baseScore:	7.1
vectorString:	CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
attackVector:	PHYSICAL
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	0.5
impactScore:	6.0
version:	3.1
Trust: 1.0
NVD:	CVE-2019-0090
baseSeverity:	MEDIUM
baseScore:	6.8
vectorString:	CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	PHYSICAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-140121 // VULMON: CVE-2019-0090 // JVNDB: JVNDB-2019-004743 // CNNVD: CNNVD-201905-741 // NVD: CVE-2019-0090

PROBLEMTYPE DATA

problemtype:	NVD-CWE-noinfo	Trust: 1.0
problemtype:	CWE-284	Trust: 0.9

sources: VULHUB: VHN-140121 // JVNDB: JVNDB-2019-004743 // NVD: CVE-2019-0090

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-201905-741

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-003441

PATCH

title:	INTEL-SA-00213 - IntelR CSME, IntelR SPS, IntelR TXE, IntelR DAL, and IntelR AMT 2019.1 QSR Advisory	url:	https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00213.html	Trust: 1.6
title:	INTEL-SA-00234 - IntelR SCS Discovery Utility and IntelR ACU Wizard Advisory	url:	https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00234.html	Trust: 0.8
title:	INTEL-SA-00244 - IntelR QuartusR Software Advisory	url:	https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00244.html	Trust: 0.8
title:	INTEL-SA-00245 - Intel UniteR Client for Android* Advisory	url:	https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00245.html	Trust: 0.8
title:	INTEL-SA-00204 - Intel IntelR PROSet/Wireless WiFi Software Advisory	url:	https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00204.html	Trust: 0.8
title:	INTEL-SA-00249 - IntelR i915 Graphics for Linux Advisory	url:	https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00249.html	Trust: 0.8
title:	INTEL-SA-00251 - IntelR NUC Advisory	url:	https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00251.html	Trust: 0.8
title:	INTEL-SA-00218 - IntelR Graphics Driver for Windows* 2019.1 QSR Advisory	url:	https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00218.html	Trust: 0.8
title:	INTEL-SA-00252 - IntelR Driver & Support Assistant Advisory	url:	https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00252.html	Trust: 0.8
title:	INTEL-SA-00223 - Intel 2019.1 QSR UEFI Advisory	url:	https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00223.html	Trust: 0.8
title:	INTEL-SA-00228 - Intel UniteR Client Advisory	url:	https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00228.html	Trust: 0.8
title:	INTEL-SA-00233 - Microarchitectural Data Sampling Advisory	url:	https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00233.html	Trust: 0.8
title:	The Register	url:	https://www.theregister.co.uk/2020/03/05/unfixable_intel_csme_flaw/	Trust: 0.2
title:	HP: HPSBHF03616 rev. 1 - Intel CSME, Trusted Execution Engine (TXE), Active Management Technology (AMT) Security Updates	url:	https://vulmon.com/vendoradvisory?qidtp=hp_bulletin&qid=HPSBHF03616	Trust: 0.1
title:	HP: SUPPORT COMMUNICATION- SECURITY BULLETIN HPSBHF03616 rev. 4 - Intel 2019.1 CSME, Trusted Execution Engine (TXE), Active Management Technology (AMT) Security Updates	url:	https://vulmon.com/vendoradvisory?qidtp=hp_bulletin&qid=fd8d8d147c2dc58a9552ea19a80369fe	Trust: 0.1
title:	HP: SUPPORT COMMUNICATION- SECURITY BULLETIN HPSBHF03616 rev. 4 - Intel 2019.1 CSME, Trusted Execution Engine (TXE), Active Management Technology (AMT) Security Updates	url:	https://vulmon.com/vendoradvisory?qidtp=hp_bulletin&qid=36bdf366c0b633d1ee0c20eab22574bc	Trust: 0.1
title:	WikipediaScraper	url:	https://github.com/engstrar/WikipediaScraper	Trust: 0.1
title:	Threatpost	url:	https://threatpost.com/intel-fixes-critical-high-severity-flaws-across-several-products/144940/	Trust: 0.1

sources: VULMON: CVE-2019-0090 // JVNDB: JVNDB-2019-003441 // JVNDB: JVNDB-2019-004743

EXTERNAL IDS

db:	NVD	id:	CVE-2019-0090	Trust: 2.6
db:	JVN	id:	JVNVU92328381	Trust: 1.6
db:	JVNDB	id:	JVNDB-2019-003441	Trust: 1.6
db:	JVNDB	id:	JVNDB-2019-004743	Trust: 0.8
db:	CNNVD	id:	CNNVD-201905-741	Trust: 0.7
db:	AUSCERT	id:	ASB-2019.0148.2	Trust: 0.6
db:	LENOVO	id:	LEN-26293	Trust: 0.6
db:	CNVD	id:	CNVD-2020-18579	Trust: 0.1
db:	VULHUB	id:	VHN-140121	Trust: 0.1
db:	VULMON	id:	CVE-2019-0090	Trust: 0.1

sources: VULHUB: VHN-140121 // VULMON: CVE-2019-0090 // JVNDB: JVNDB-2019-003441 // JVNDB: JVNDB-2019-004743 // CNNVD: CNNVD-201905-741 // NVD: CVE-2019-0090

REFERENCES

url:	https://support.f5.com/csp/article/k59145983	Trust: 1.8
url:	https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00213.html	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2019-0090	Trust: 1.4
url:	https://jvn.jp/vu/jvnvu92328381/index.html	Trust: 0.8
url:	https://mdsattacks.com/files/ridl.pdf	Trust: 0.8
url:	https://mdsattacks.com/files/fallout.pdf	Trust: 0.8
url:	https://zombieloadattack.com/	Trust: 0.8
url:	https://www.intel.com/content/www/us/en/architecture-and-technology/mds.html	Trust: 0.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-0090	Trust: 0.8
url:	https://jvn.jp/vu/jvnvu92328381/	Trust: 0.8
url:	https://jvndb.jvn.jp/ja/contents/2019/jvndb-2019-003441.html	Trust: 0.8
url:	https://support.lenovo.com/us/zh/solutions/len-26293	Trust: 0.6
url:	https://www.auscert.org.au/bulletins/asb-2019.0148.2/	Trust: 0.6
url:	https://support.lenovo.com/us/en/product_security/len-26293	Trust: 0.6
url:	https://cwe.mitre.org/data/definitions/.html	Trust: 0.1
url:	https://github.com/engstrar/wikipediascraper	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://threatpost.com/intel-fixes-critical-high-severity-flaws-across-several-products/144940/	Trust: 0.1
url:	https://support.hp.com/us-en/document/c06330088	Trust: 0.1

sources: VULHUB: VHN-140121 // VULMON: CVE-2019-0090 // JVNDB: JVNDB-2019-003441 // JVNDB: JVNDB-2019-004743 // CNNVD: CNNVD-201905-741 // NVD: CVE-2019-0090

SOURCES

db:	VULHUB	id:	VHN-140121
db:	VULMON	id:	CVE-2019-0090
db:	JVNDB	id:	JVNDB-2019-003441
db:	JVNDB	id:	JVNDB-2019-004743
db:	CNNVD	id:	CNNVD-201905-741
db:	NVD	id:	CVE-2019-0090

LAST UPDATE DATE

2024-11-23T20:41:24.951000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-140121	date:	2020-08-24T00:00:00
db:	VULMON	id:	CVE-2019-0090	date:	2020-08-24T00:00:00
db:	JVNDB	id:	JVNDB-2019-003441	date:	2019-05-16T00:00:00
db:	JVNDB	id:	JVNDB-2019-004743	date:	2019-06-06T00:00:00
db:	CNNVD	id:	CNNVD-201905-741	date:	2020-08-25T00:00:00
db:	NVD	id:	CVE-2019-0090	date:	2024-11-21T04:16:12.770

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-140121	date:	2019-05-17T00:00:00
db:	VULMON	id:	CVE-2019-0090	date:	2019-05-17T00:00:00
db:	JVNDB	id:	JVNDB-2019-003441	date:	2019-05-16T00:00:00
db:	JVNDB	id:	JVNDB-2019-004743	date:	2019-06-06T00:00:00
db:	CNNVD	id:	CNNVD-201905-741	date:	2019-05-17T00:00:00
db:	NVD	id:	CVE-2019-0090	date:	2019-05-17T16:29:00.937