Details of VAR-202011-1363

ID

VAR-202011-1363

CVE

CVE-2020-8737

TITLE

Intel(R) Stratix 10 FPGA Runs on firmware Quartus Prime Pro Buffer error vulnerabilities in software

Trust: 0.8

sources: JVNDB: JVNDB-2020-013419

DESCRIPTION

Improper buffer restrictions in the Intel(R) Stratix(R) 10 FPGA firmware provided with the Intel(R) Quartus(R) Prime Pro software before version 20.1 may allow an unauthenticated user to potentially enable escalation of privilege and/or information disclosure via physical access. Intel PAC with Arria 10 GX FPGA is a programmable accelerator card from Intel Corporation using Intel Arria 10 GX FPGA (Field Programmable Gate Array)

Trust: 1.71

sources: NVD: CVE-2020-8737 // JVNDB: JVNDB-2020-013419 // VULHUB: VHN-186862

AFFECTED PRODUCTS

vendor:	intel	model:	quartus prime	scope:	lt	version:	20.1	Trust: 1.0
vendor:	intel	model:	stratix 10 fpga	scope:	eq	version:	-	Trust: 1.0
vendor:	インテル	model:	stratix 10 fpga	scope:	-	version:	-	Trust: 0.8
vendor:	インテル	model:	quartus prime	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2020-013419 // NVD: CVE-2020-8737

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2020-8737
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2020-8737
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-202011-853
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-186862
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2020-8737
severity:	MEDIUM
baseScore:	4.6
vectorString:	AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-186862
severity:	MEDIUM
baseScore:	4.6
vectorString:	AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2020-8737
baseSeverity:	MEDIUM
baseScore:	6.8
vectorString:	CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	PHYSICAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	0.9
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2020-8737
baseSeverity:	MEDIUM
baseScore:	6.8
vectorString:	CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	PHYSICAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-186862 // JVNDB: JVNDB-2020-013419 // CNNVD: CNNVD-202011-853 // NVD: CVE-2020-8737

PROBLEMTYPE DATA

problemtype:	NVD-CWE-noinfo	Trust: 1.0
problemtype:	Buffer error (CWE-119) [NVD Evaluation ]	Trust: 0.8
problemtype:	CWE-119	Trust: 0.1

sources: VULHUB: VHN-186862 // JVNDB: JVNDB-2020-013419 // NVD: CVE-2020-8737

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-202011-853

PATCH

title:	INTEL-SA-00388	url:	https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00388.html	Trust: 0.8
title:	Intel Stratix FPGA firmware provided and Intel Quartus Prime Pro software Buffer error vulnerability fix	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=135722	Trust: 0.6

sources: JVNDB: JVNDB-2020-013419 // CNNVD: CNNVD-202011-853

EXTERNAL IDS

db:	NVD	id:	CVE-2020-8737	Trust: 2.5
db:	JVNDB	id:	JVNDB-2020-013419	Trust: 0.8
db:	CNNVD	id:	CNNVD-202011-853	Trust: 0.7
db:	AUSCERT	id:	ESB-2020.3954	Trust: 0.6
db:	VULHUB	id:	VHN-186862	Trust: 0.1

sources: VULHUB: VHN-186862 // JVNDB: JVNDB-2020-013419 // CNNVD: CNNVD-202011-853 // NVD: CVE-2020-8737

REFERENCES

url:	https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00388	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2020-8737	Trust: 1.4
url:	https://www.auscert.org.au/bulletins/esb-2020.3954/	Trust: 0.6

sources: VULHUB: VHN-186862 // JVNDB: JVNDB-2020-013419 // CNNVD: CNNVD-202011-853 // NVD: CVE-2020-8737

SOURCES

db:	VULHUB	id:	VHN-186862
db:	JVNDB	id:	JVNDB-2020-013419
db:	CNNVD	id:	CNNVD-202011-853
db:	NVD	id:	CVE-2020-8737

LAST UPDATE DATE

2024-11-23T19:56:20.475000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-186862	date:	2021-07-21T00:00:00
db:	JVNDB	id:	JVNDB-2020-013419	date:	2021-07-02T04:37:00
db:	CNNVD	id:	CNNVD-202011-853	date:	2020-12-03T00:00:00
db:	NVD	id:	CVE-2020-8737	date:	2024-11-21T05:39:21.253

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-186862	date:	2020-11-12T00:00:00
db:	JVNDB	id:	JVNDB-2020-013419	date:	2021-07-02T00:00:00
db:	CNNVD	id:	CNNVD-202011-853	date:	2020-11-11T00:00:00
db:	NVD	id:	CVE-2020-8737	date:	2020-11-12T18:15:16.923