VARIoT IoT vulnerabilities database
| VAR-201911-1637 | CVE-2019-0146 | Intel(R) Ethernet 700 Series Controller Vulnerable to resource exhaustion |
CVSS V2: 2.1 CVSS V3: 5.5 Severity: MEDIUM |
Resource leak in i40e driver for Intel(R) Ethernet 700 Series Controllers versions before 2.8.43 may allow an authenticated user to potentially enable a denial of service via local access. Intel(R) Ethernet 700 Series Controller Contains a resource exhaustion vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. IIntel Ethernet 700 Series Controllers are network adapter products from Intel Corporation. An attacker could exploit the vulnerability to cause a denial of service. This vulnerability stems from improper management of system resources (such as memory, disk space, files, etc.) by network systems or products
| VAR-201911-1640 | CVE-2019-0149 | Intel(R) Ethernet 700 Series Controller Input validation vulnerability |
CVSS V2: 2.1 CVSS V3: 5.5 Severity: MEDIUM |
Insufficient input validation in i40e driver for Intel(R) Ethernet 700 Series Controllers versions before 2.8.43 may allow an authenticated user to potentially enable a denial of service via local access. Intel(R) Ethernet 700 Series Controller Contains an input validation vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Intel Ethernet 700 Series Controllers are network adapter products from Intel Corporation. The vulnerability stems from insufficient input validation for the i40e driver. An attacker could exploit the vulnerability to cause a denial of service
| VAR-201911-1636 | CVE-2019-0145 | Intel(R) Ethernet 700 Series Controller Vulnerable to classic buffer overflow |
CVSS V2: 7.2 CVSS V3: 7.8 Severity: HIGH |
Buffer overflow in i40e driver for Intel(R) Ethernet 700 Series Controllers versions before 7.0 may allow an authenticated user to potentially enable an escalation of privilege via local access. Intel Ethernet 700 Series Controllers is a network adapter product from Intel Corporation. An attacker could use this vulnerability to achieve privilege elevation
| VAR-201911-0277 | CVE-2019-6188 | plural Lenovo Incorrect authentication vulnerabilities in products |
CVSS V2: 7.5 CVSS V3: 9.8 Severity: CRITICAL |
The BIOS tamper detection mechanism was not triggered in Lenovo ThinkPad T460p, BIOS versions up to R07ET90W, and T470p, BIOS versions up to R0FET50W, which may allow for unauthorized access. plural Lenovo The product contains an unauthorized authentication vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Lenovo ThinkPad T460p and Lenovo ThinkPad T470p are both notebook computers of China Lenovo (Lenovo).
There is a security vulnerability in Lenovo ThinkPad T460p and T470p. The vulnerability stems from the program's failure to trigger a BIOS tamper check mechanism. Attackers can use this vulnerability to gain unauthorized access
| VAR-201911-1095 | CVE-2019-1392 | plural Microsoft Windows Vulnerability with elevated privileges in products |
CVSS V2: 7.2 CVSS V3: 7.8 Severity: HIGH |
An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka 'Windows Kernel Elevation of Privilege Vulnerability'. SCALANCE S firewall is used to protect trusted industrial networks from untrusted networks.
There is a denial of service vulnerability in the SIEMENS SCALAN CES-600 family. An attacker could use the vulnerability to send packets to the affected device's 443 / tcp port, resulting in a denial of service situation
| VAR-201911-1638 | CVE-2019-0147 | Intel(R) Ethernet 700 Series Controller Input validation vulnerability |
CVSS V2: 2.1 CVSS V3: 5.5 Severity: MEDIUM |
Insufficient input validation in i40e driver for Intel(R) Ethernet 700 Series Controllers versions before 7.0 may allow an authenticated user to potentially enable a denial of service via local access. Intel(R) Ethernet 700 Series Controller Contains an input validation vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Intel Ethernet 700 Series Controllers is a network adapter product from Intel Corporation.
A denial of service vulnerability exists in Intel Ethernet 700 Series Controllers prior to 7.0. The vulnerability stems from insufficient input validation of the controller's i40e driver. An attacker could exploit this vulnerability to cause a denial of service
| VAR-201911-1633 | CVE-2019-0142 | Intel(R) Ethernet 700 Series Controller Vulnerability in Permission Management |
CVSS V2: 7.2 CVSS V3: 8.2 Severity: HIGH |
Insufficient access control in ilp60x64.sys driver for Intel(R) Ethernet 700 Series Controllers before version 1.33.0.0 may allow a privileged user to potentially enable escalation of privilege via local access. Intel(R) Ethernet 700 Series Controller Contains a privilege management vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Intel Ethernet 700 Series Controllers are network adapter products from Intel Corporation. An attacker could exploit this vulnerability to achieve privilege escalation
| VAR-201912-1176 | CVE-2019-13945 | Siemens SIMATIC S7-1200 CPU Access vulnerability |
CVSS V2: 4.6 CVSS V3: 6.8 Severity: MEDIUM |
A vulnerability has been identified in SIMATIC S7-1200 CPU family (incl. SIPLUS variants) (All versions), SIMATIC S7-1200 CPU family < V4.x (incl. SIPLUS variants) (All versions), SIMATIC S7-1200 CPU family V4.x (incl. SIPLUS variants) (All versions with Function State (FS) < 11), SIMATIC S7-200 SMART CPU CR20s (6ES7 288-1CR20-0AA1) (All versions <= V2.3.0 and Function State (FS) <= 3), SIMATIC S7-200 SMART CPU CR30s (6ES7 288-1CR30-0AA1) (All versions <= V2.3.0 and Function State (FS) <= 3), SIMATIC S7-200 SMART CPU CR40 (6ES7 288-1CR40-0AA0) (All versions <= V2.2.2 and Function State (FS) <= 8), SIMATIC S7-200 SMART CPU CR40s (6ES7 288-1CR40-0AA1) (All versions <= V2.3.0 and Function State (FS) <= 3), SIMATIC S7-200 SMART CPU CR60 (6ES7 288-1CR60-0AA0) (All versions <= V2.2.2 and Function State (FS) <= 10), SIMATIC S7-200 SMART CPU CR60s (6ES7 288-1CR60-0AA1) (All versions <= V2.3.0 and Function State (FS) <= 3), SIMATIC S7-200 SMART CPU SR20 (6ES7 288-1SR20-0AA0) (All versions <= V2.5.0 and Function State (FS) <= 11), SIMATIC S7-200 SMART CPU SR30 (6ES7 288-1SR30-0AA0) (All versions <= V2.5.0 and Function State (FS) <= 10), SIMATIC S7-200 SMART CPU SR40 (6ES7 288-1SR40-0AA0) (All versions <= V2.5.0 and Function State (FS) <= 10), SIMATIC S7-200 SMART CPU SR60 (6ES7 288-1SR60-0AA0) (All versions <= V2.5.0 and Function State (FS) <= 12), SIMATIC S7-200 SMART CPU ST20 (6ES7 288-1ST20-0AA0) (All versions <= V2.5.0 and Function State (FS) <= 9), SIMATIC S7-200 SMART CPU ST30 (6ES7 288-1ST30-0AA0) (All versions <= V2.5.0 and Function State (FS) <= 9), SIMATIC S7-200 SMART CPU ST40 (6ES7 288-1ST40-0AA0) (All versions <= V2.5.0 and Function State (FS) <= 8), SIMATIC S7-200 SMART CPU ST60 (6ES7 288-1ST60-0AA0) (All versions <= V2.5.0 and Function State (FS) <= 8), SIMATIC S7-200 SMART CPU family (All versions). There is an access mode used during manufacturing of the affected devices that allows additional diagnostic functionality. The security vulnerability could be exploited by an attacker with physical access to the UART interface during boot process. SIMATIC S7-1200 CPU family and S7-200 SMART CPU family Contains an input validation vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The Siemens SIMATIC S7-1200 CPU family products are designed for discrete and continuous control in industrial environments such as manufacturing, food and beverage, and chemical industries.
A security hole exists in the Siemens SIMATIC S7-1200 CPU. At the time of advisory publication no public exploitation of this security vulnerability was known
| VAR-201911-1641 | CVE-2019-0150 | Intel(R) Ethernet 700 Series Controller Vulnerable to unauthorized authentication |
CVSS V2: 2.1 CVSS V3: 5.1 Severity: MEDIUM |
Insufficient access control in firmware Intel(R) Ethernet 700 Series Controllers versions before 7.0 may allow a privileged user to potentially enable a denial of service via local access. Intel(R) Ethernet 700 Series Controller Contains an unauthorized authentication vulnerability.Tampering with information and disrupting service operations (DoS) There is a possibility of being put into a state. Intel Ethernet 700 Series Controllers is a network adapter product from Intel Corporation. An attacker could exploit this vulnerability to cause a denial of service
| VAR-201911-1634 | CVE-2019-0143 | Intel(R) Ethernet 700 Series Controller Vulnerabilities related to exceptional state handling |
CVSS V2: 4.9 CVSS V3: 5.5 Severity: MEDIUM |
Unhandled exception in Kernel-mode drivers for Intel(R) Ethernet 700 Series Controllers versions before 7.0 may allow an authenticated user to potentially enable a denial of service via local access. Intel(R) Ethernet 700 Series Controller Contains a vulnerability in handling exceptional conditions.Service operation interruption (DoS) There is a possibility of being put into a state. Intel Ethernet 700 Series Controllers is a network adapter product from Intel Corporation. An attacker could exploit this vulnerability to cause a denial of service
| VAR-201912-1819 | CVE-2019-11104 | Intel(R) CSME and Intel(R) TXE Input validation vulnerability |
CVSS V2: 4.6 CVSS V3: 7.8 Severity: HIGH |
Insufficient input validation in MEInfo software for Intel(R) CSME before versions 11.8.70, 11.11.70, 11.22.70, 12.0.45, 13.0.10 and 14.0.10; Intel(R) TXE before versions 3.1.70 and 4.0.20 may allow an authenticated user to potentially enable escalation of privilege via local access. Intel(R) CSME and Intel(R) TXE Contains an input validation vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Both Intel Converged Security and Management Engine (CSME) and Intel TXE are products of Intel Corporation of the United States. Intel Converged Security and Management Engine is a security management engine. Intel TXE is a trusted execution engine with hardware authentication function used in CPU (Central Processing Unit). A security vulnerability exists in the MEInfo software in Intel CSME and Intel TXE due to insufficient input validation. A local attacker could exploit this vulnerability to elevate privileges. The following products and versions are affected: Intel CSME before 11.8.70, before 11.11.70, before 11.22.70, before 12.0.45, before 13.0.10, before 14.0.10; Intel TXE 3.1.70 Previous versions, versions before 4.0.20
| VAR-201911-1631 | CVE-2019-0139 | Intel(R) Ethernet 700 Series Controller Vulnerability in Permission Management |
CVSS V2: 4.6 CVSS V3: 6.7 Severity: MEDIUM |
Insufficient access control in firmware for Intel(R) Ethernet 700 Series Controllers before version 7.0 may allow a privileged user to potentially enable an escalation of privilege, denial of service, or information disclosure via local access. Intel(R) Ethernet 700 Series Controller Contains a privilege management vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Intel Ethernet 700 Series Controllers is a network adapter product from Intel Corporation. An attacker could use this vulnerability to elevate privileges, cause a denial of service, or obtain information
| VAR-201912-1812 | CVE-2019-11090 | plural Intel Product race condition vulnerabilities |
CVSS V2: 4.3 CVSS V3: 5.9 Severity: MEDIUM |
Cryptographic timing conditions in the subsystem for Intel(R) PTT before versions 11.8.70, 11.11.70, 11.22.70, 12.0.45, 13.0.0 and 14.0.10; Intel(R) TXE 3.1.70 and 4.0.20; Intel(R) SPS before versions SPS_E5_04.01.04.305.0, SPS_SoC-X_04.00.04.108.0, SPS_SoC-A_04.00.04.191.0, SPS_E3_04.01.04.086.0, SPS_E3_04.08.04.047.0 may allow an unauthenticated user to potentially enable information disclosure via network access. Intel(R) PTT , TXE , SPS Contains a race condition vulnerability.Information may be obtained. Intel Server Platform Services (SPS) and others are products of Intel Corporation of the United States. Intel Server Platform Services is a server platform service program. Intel TXE is a trusted execution engine with hardware authentication function used in CPU (Central Processing Unit). Intel Platform Trust Technology (PTT) is an Intel platform trusted technology, mainly used for key management (key encryption and storage) and security authentication. Security vulnerabilities exist in subsystems in Intel PTT, Intel TXE, and Intel SPS. An attacker could exploit this vulnerability to disclose information. The following products and versions are affected: Intel PTT before 11.8.70, before 11.11.70, before 11.22.70, before 12.0.45, before 13.0.0, before 14.0.10; Intel TXE 3.1.70 Version, version 4.0.20; Intel SPS version before SPS_E5_04.01.04.305.0, version before SPS_SoC-X_04.00.04.108.0, version before SPS_SoC-A_04.00.04.191.0, version before SPS_E3_04.01.04.086.0, version before SPS_E3_04.08.04.0 previous version
| VAR-201912-1817 | CVE-2019-11102 | plural Intel Vulnerability related to input validation in products |
CVSS V2: 2.1 CVSS V3: 4.4 Severity: MEDIUM |
Insufficient input validation in Intel(R) DAL software for Intel(R) CSME before versions 11.8.70, 11.11.70, 11.22.70, 12.0.45, 13.0.10 and 14.0.10; Intel(R) TXE before versions 3.1.70 and 4.0.20 may allow a privileged user to potentially enable information disclosure via local access. Intel(R) DAL software, Intel(R) CSME , Intel(R) TXE Contains an input validation vulnerability.Information may be obtained. Both Intel Converged Security and Management Engine (CSME) and Intel TXE are products of Intel Corporation of the United States. Intel Converged Security and Management Engine is a security management engine. Intel TXE is a trusted execution engine with hardware authentication function used in CPU (Central Processing Unit). Intel DAL is one of the dynamic application loaders. A local attacker could exploit this vulnerability to disclose information. The following products and versions are affected: Intel CSME before 11.8.70, before 11.11.70, before 11.22.70, before 12.0.45, before 13.0.10, before 14.0.10; Intel TXE 3.1.70 Previous versions, versions before 4.0.20
| VAR-201912-1821 | CVE-2019-11106 | Intel(R) CSME and Intel(R) TXE Session expiration vulnerability |
CVSS V2: 4.6 CVSS V3: 6.7 Severity: MEDIUM |
Insufficient session validation in the subsystem for Intel(R) CSME before versions 11.8.70, 12.0.45, 13.0.10 and 14.0.10; Intel(R) TXE before versions 3.1.70 and 4.0.20 may allow a privileged user to potentially enable escalation of privilege via local access. Intel(R) CSME and Intel(R) TXE Contains a session expiration vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Both Intel Converged Security and Management Engine (CSME) and Intel TXE are products of Intel Corporation of the United States. Intel Converged Security and Management Engine is a security management engine. Intel TXE is a trusted execution engine with hardware authentication function used in CPU (Central Processing Unit). A security vulnerability exists in a subsystem in Intel CSME and Intel TXE due to the program's insufficient authentication of sessions. A local attacker could exploit this vulnerability to elevate privileges. The following products and versions are affected: Intel CSME before 11.8.70, before 12.0.45, before 13.0.10, before 14.0.10; Intel TXE before 3.1.70, before 4.0.20
| VAR-201912-1814 | CVE-2019-11097 | Intel(R) Management Engine Consumer Drivers and TXE Inappropriate default permission vulnerability |
CVSS V2: 4.6 CVSS V3: 7.8 Severity: HIGH |
Improper directory permissions in the installer for Intel(R) Management Engine Consumer Driver for Windows before versions 11.8.70, 11.11.70, 11.22.70, 12.0.45,13.0.10 and 14.0.10; Intel(R) TXE before versions 3.1.70 and 4.0.20 may allow an authenticated user to potentially enable escalation of privilege via local access. Intel(R) Management Engine Consumer Drivers and TXE Contains a vulnerability with inappropriate default permissions.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Both Intel TXE and Intel Management Engine Consumer Driver are products of Intel Corporation of the United States. Intel TXE is a trusted execution engine with hardware authentication function used in CPU (Central Processing Unit). Intel Management Engine Consumer Driver is a management engine Consumer driver. A security vulnerability exists in the installer of Intel TXE and the Intel Management Engine Consumer Driver for Windows-based platforms. A local attacker could exploit this vulnerability to elevate privileges. The following products and versions are affected: Intel Management Engine Consumer Driver prior to 11.8.70, prior to 11.11.70, prior to 11.22.70, prior to 12.0.45, prior to 13.0.10, prior to 14.0.10; Intel TXE Versions before 3.1.70 and versions before 4.0.20
| VAR-201912-1760 | CVE-2019-11086 | Intel(R) AMT Input validation vulnerability |
CVSS V2: 4.6 CVSS V3: 6.8 Severity: MEDIUM |
Insufficient input validation in subsystem for Intel(R) AMT before version 12.0.45 may allow an unauthenticated user to potentially enable escalation of privilege via physical access. Intel(R) AMT Contains an input validation vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Intel Active Management Technology (AMT) is a set of hardware-based computer remote active management technology software developed by Intel Corporation. An attacker in physical proximity could exploit this vulnerability to elevate privileges
| VAR-201912-1826 | CVE-2019-11109 | Intel(R) SPS Vulnerability in |
CVSS V2: 4.6 CVSS V3: 4.4 Severity: MEDIUM |
Logic issue in the subsystem for Intel(R) SPS before versions SPS_E5_04.01.04.275.0, SPS_SoC-X_04.00.04.100.0 and SPS_SoC-A_04.00.04.191.0 may allow a privileged user to potentially enable denial of service via local access. Intel(R) SPS Has unspecified vulnerabilities.Service operation interruption (DoS) There is a possibility of being put into a state. Intel Server Platform Services (SPS) is a server platform service program of Intel Corporation. Security vulnerabilities exist in the subsystems of Intel SPS versions prior to SPS_E5_04.01.04.275.0, SPS_SoC-X_04.00.04.100.0 and SPS_SoC-A_04.00.04.191.0. A local attacker could exploit this vulnerability to cause a denial of service
| VAR-201912-1828 | CVE-2019-11147 | plural Intel Product vulnerabilities |
CVSS V2: 4.6 CVSS V3: 7.8 Severity: HIGH |
Insufficient access control in hardware abstraction driver for MEInfo software for Intel(R) CSME before versions 11.8.70, 11.11.70, 11.22.70, 12.0.45, 13.0.0, 14.0.10; TXEInfo software for Intel(R) TXE before versions 3.1.70 and 4.0.20; INTEL-SA-00086 Detection Tool version 1.2.7.0 or before; INTEL-SA-00125 Detection Tool version 1.0.45.0 or before may allow an authenticated user to potentially enable escalation of privilege via local access. plural Intel There are unspecified vulnerabilities in the product.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Intel Converged Security and Management Engine (CSME) and others are products of Intel Corporation of the United States. Intel Converged Security and Management Engine is a security management engine. Intel TXE is a trusted execution engine with hardware authentication function used in CPU (Central Processing Unit). INTEL-SA-00086 Detection Tool is a detection tool for detecting INTEL-SA-00086 security issues. A security vulnerability exists in several Intel products. The vulnerability is caused by the program's insufficient access control. A local attacker could exploit this vulnerability to elevate privileges. The following products and versions are affected: Intel CSME before 11.8.70, before 11.11.70, before 11.22.70, before 12.0.45, before 13.0.0, before 14.0.10; Intel TXE 3.1.70 Previous versions, versions before 4.0.20; INTEL-SA-00086 Detection Tool 1.2.7.0 and earlier versions; INTEL-SA-00125 Detection Tool 1.0.45.0 and earlier versions
| VAR-201912-1827 | CVE-2019-11110 | Intel(R) CSME and TXE Authentication vulnerability |
CVSS V2: 4.6 CVSS V3: 6.7 Severity: MEDIUM |
Authentication bypass in the subsystem for Intel(R) CSME before versions 11.8.70, 11.11.70, 11.22.70, 12.0.45, 13.0.10 and 14.0.10; Intel(R) TXE before versions 3.1.70 and 4.0.20 may allow a privileged user to potentially enable escalation of privilege via local access. Intel(R) CSME and TXE Contains an authentication vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Both Intel Converged Security and Management Engine (CSME) and Intel TXE are products of Intel Corporation of the United States. Intel Converged Security and Management Engine is a security management engine. Intel TXE is a trusted execution engine with hardware authentication function used in CPU (Central Processing Unit). Security vulnerabilities exist in subsystems in Intel CSME and Intel TXE. A local attacker could exploit this vulnerability to bypass authentication and elevate privileges. The following products and versions are affected: Intel CSME before 11.8.70, before 11.11.70, before 11.22.70, before 12.0.45, before 13.0.10, before 14.0.10; Intel TXE 3.1.70 Previous versions, versions before 4.0.20