Insufficient control flow management in subsystem for Intel(R) CSME versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70, 13.0.40, 13.30.10, 14.0.45 and 14.5.25 , Intel(R) TXE versions before 3.1.80 and 4.0.30 may allow an unauthenticated user to potentially enable escalation of privilege via physical access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**2020.2 IPU – Intel® CSME, SPS, TXE, AMT and DAL Advisory**

Intel ID:

INTEL-SA-00391

Advisory Category:

Firmware, Software

Impact of vulnerability:

Escalation of Privilege, Denial of Service, Information Disclosure

Severity rating:

CRITICAL

Original release:

11/10/2020

Last revised:

5/12/2022

**Summary: **

Potential security vulnerabilities in Intel® Converged Security and Manageability Engine (CSME), Server Platform Services (SPS), Intel® Trusted Execution Engine (TXE), Intel® Dynamic Application Loader (DAL), Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM) and Intel® Dynamic Application Loader (Intel® DAL) may allow escalation of privilege, denial of service or information disclosure.  Intel is releasing firmware and software updates to mitigate these potential vulnerabilities.

Intel is not releasing updates to mitigate a potential vulnerability and has issued a Product Discontinuation Notice for Intel® DAL SDK.

**Vulnerability Details:**

CVEID: CVE-2020-8752

Description: Out-of-bounds write in IPv6 subsystem for Intel(R) AMT, Intel(R) ISM versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70, 14.0.45 may allow an unauthenticated user to potentially enable escalation of privileges via network access.

CVSS Base Score: 9.4 Critical

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

CVEID: CVE-2020-8753

Description: Out-of-bounds read in DHCP subsystem for Intel(R) AMT, Intel(R) ISM versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70 and 14.0.45 may allow an unauthenticated user to potentially enable information disclosure via network access.

CVSS Base Score: 8.2 High

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L

CVEID: CVE-2020-12297

Description: Improper access control in Installer for Intel(R) CSME Driver for Windows versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70, 13.0.40, 13.30.10, 14.0.45 and 14.5.25, Intel TXE 3.1.80, 4.0.30 may allow an authenticated user to potentially enable escalation of privileges via local access.

CVSS Base Score: 8.2 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CVEID: CVE-2020-12304

Description: Improper access control in Installer for Intel(R) DAL SDK before version 2.1 for Windows   may allow an authenticated user to potentially enable escalation of privileges via local access.

CVSS Base Score: 8.2 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CVEID: CVE-2020-8745

Description: Insufficient control flow management in subsystem for Intel(R) CSME versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70, 13.0.40, 13.30.10, 14.0.45 and 14.5.25 , Intel(R) TXE versions before 3.1.80 and 4.0.30 may allow an unauthenticated user to potentially enable escalation of privilege via physical access.

CVSS Base Score: 7.3 High

CVSS Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

CVEID: CVE-2020-8744

Description: Improper initialization in subsystem for Intel(R) CSME versions before12.0.70, 13.0.40, 13.30.10, 14.0.45 and 14.5.25, Intel® TXE versions before 4.0.30 Intel(R) SPS versions before E3\_05.01.04.200 may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.2 High

CVSS Vector:  CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N

CVEID: CVE-2020-8705

Description: Insecure default initialization of resource in Intel(R) Boot Guard in Intel(R) CSME versions before 11.8.82, 11.12.82, 11.22.82, 12.0.70, 13.0.40, 13.30.10, 14.0.45 and 14.5.25, Intel(R) TXE versions before 3.1.80 and 4.0.30, Intel(R) SPS versions before E5\_04.01.04.400, E3\_04.01.04.200, SoC-X\_04.00.04.200 and SoC-A\_04.00.04.300  may allow an unauthenticated user to potentially enable escalation of privileges via physical access.

CVSS Base Score: 7.1 High

CVSS Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2020-8750

Description: Use after free in Kernel Mode Driver for Intel(R) TXE versions before 3.1.80 and 4.0.30 may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.0 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVEID: CVE-2020-12303

Description: Use after free in DAL subsystem for Intel(R) CSME versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70, 13.0.40, 13.30.10, 14.0.45 and 14.5.25, Intel® TXE 3.1.80, 4.0.30 may allow an authenticated user to potentially enable escalation of privileges via local access.

CVSS Base Score: 7.0 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE ID: CVE-2020-12354

Description: Incorrect default permissions in Windows(R) installer in Intel(R) AMT SDK versions before 14.0.0.1 may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CVEID: CVE-2020-8757

Description: Out-of-bounds read in subsystem for Intel(R) AMT versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70 and 14.0.45 may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.3 Medium

CVSS Vector:  CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L

CVEID: CVE-2020-8756

Description: Improper input validation in subsystem for Intel(R) CSME versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70 and 14.0.45 may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.3 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L

CVEID: CVE-2020-8760

Description: Integer overflow in subsystem for Intel(R) AMT versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70, 14.0.45 may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.0 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L

CVE ID: CVE-2020-12355

Description: Authentication bypass by capture-replay in RPMB protocol message authentication subsystem in Intel(R) TXE versions before 4.0.30 may allow an unauthenticated user to potentially enable escalation of privilege via physical access.

CVSS Base Score: 5.3 Medium

CVSS Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

CVEID: CVE-2020-8751

Description: Insufficient control flow management in subsystem for Intel(R) CSME versions before 11.8.80, Intel(R) TXE versions before 3.1.80 may allow an unauthenticated user to potentially enable information disclosure via physical access.

CVSS Base Score: 5.3 Medium

CVSS Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CVEID: CVE-2020-8754

Description: Out-of-bounds read in subsystem for Intel(R) AMT, Intel(R) ISM versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70 and 14.0.45 may allow an unauthenticated user to potentially enable information disclosure via network access.

CVSS Base Score: 5.3 Medium

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVEID: CVE-2020-8761

Description: Inadequate encryption strength in subsystem for Intel(R) CSME versions before 13.0.40 and 13.30.10 may allow an unauthenticated user to potentially enable information disclosure via physical access.

CVSS Base Score: 4.9 Medium

CVSS Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

CVEID: CVE-2020-8747

Description: Out-of-bounds read in subsystem for Intel(R) AMT versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70 and 14.0.45 may allow an unauthenticated user to potentially enable information disclosure and/or denial of service via network access.

CVSS Base Score: 4.8 Medium

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L

CVEID: CVE-2020-8755

Description: Race condition in subsystem for Intel(R) CSME versions before 12.0.70 and 14.0.45, Intel(R) SPS versions before E5\_04.01.04.400 and E3\_05.01.04.200 may allow an unauthenticated user to potentially enable escalation of privilege via physical access.

CVSS Base Score: 4.6 Medium

CVSS Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE ID: CVE-2020-12356

Description: Out-of-bounds read in subsystem in Intel(R) AMT versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70 and 14.0.45 may allow a privileged user to potentially enable information disclosure via local access.

CVSS Base Score: 4.4 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CVEID: CVE-2020-8746

Description: Integer overflow in subsystem for Intel(R) AMT versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70 and 14.0.45 may allow an unauthenticated user to potentially enable denial of service via adjacent access.

CVSS Base Score: 4.3 Medium

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVEID: CVE-2020-8749

Description: Out-of-bounds read in subsystem for Intel(R) AMT versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70 and 14.0.45 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.

CVSS Base Score: 4.2 Medium

CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

**Affected Products:**

*   Intel® CSME and Intel® AMT versions before 11.8.82, 11.12.82, 11.22.82, 12.0.70, 13.0.40, 13.30.10, 14.0.45 and 14.5.25.

*   Intel® TXE versions before 3.1.80 and 4.0.30.

*   Intel® Server Platform Services firmware versions before SPS\_E5\_04.01.04.400, SPS\_E3\_05.01.04.200, SPS\_E3\_04.01.04.200, SPS\_SoC-X\_04.00.04.200 and SPS\_SoC-A\_04.00.04.300.  
    

The following CVEs assigned by Intel, correspond to a subset of the CVEs disclosed on 12/18/2020 as part of ICSA-20-353-01:

Disclosed in INTEL-SA-00391

Disclosed in ICSA-20-353-01

CVE-2020-8752

CVE-2020-27337

CVE-2020-8753

CVE-2020-27338

CVE-2020-8754

CVE-2020-27336

Note: Firmware versions of Intel® ME 3.x thru 10.x, Intel® TXE 1.x thru 2.x, and Intel® Server Platform Services 1.x thru 2.X are no longer supported versions. There is no new general release planned for these versions.

**Recommendations:**

Intel recommends that users of Intel® CSME, Intel® TXE, Intel® AMT and Intel® SPS update to the latest version provided by the system manufacturer that addresses these issues.

The Intel® AMT SDK is available for download here. 

Intel has issued a Product Discontinuation notice for the Intel® DAL SDK and recommends that users of the Intel® DAL SDK uninstall it or discontinue use at their earliest convenience.

**Acknowledgements:**

Intel would like to thank Trammell Hudson (CVE-2020-8705), Marius Gabriel Mihai (CVE-2020-12354, CVE-2020-12304), Oussama Sahnoun (CVE-2020-12297), Rotem Sela and Brian Mastenbrook (CVE-2020-12355) for reporting these issues.

The additional issues were found internally by Intel employees. Intel would like to thank Arie Haenel, Aviya Erenfeld, Binyamin Belaciano, Dmitry Piotrovsky, Julien Lenoir, Niv Israely, Ofek Mostovoy, Yakov Cohen and Yossef Kuszer.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

11/10/2020

Initial Release

1.1

12/30/2020

Revisions to CVE-2020-8705 and affected product versions.

1.2

01/22/2021

Added ICSA-20-353-01 reference

1.3

05/12/2022

Updated Acknowledgments 

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2020-8745: INTEL-SA-00391

Inappropriate implementation in V8 in Google Chrome prior to 86.0.4240.183 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

**Chrome Releases**

Release updates from the Chrome team

CVE-2020-16009: Stable Channel Update for Desktop

This affects versions of package browserless-chrome before 1.40.2-chrome-stable. User input flowing from the workspace endpoint gets used to create a file path filePath and this is fetched and then sent back to a user. This can be escaped to fetch arbitrary files from a server.

A Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with "dot-dot-slash (../)" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.

Directory Traversal vulnerabilities can be generally divided into two types:

*   **Information Disclosure**: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.

st is a module for serving static files on web pages, and contains a vulnerability of this type. In our example, we will serve files from the public route.

If an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.

    curl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa
    

**Note** %2e is the URL encoded version of . (dot).

*   **Writing arbitrary files**: Allows the attacker to create or replace existing files. This type of vulnerability is also known as Zip-Slip.

One way to achieve this is by using a malicious zip archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.

The following is an example of a zip archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in /root/.ssh/ overwriting the authorized_keys file:

    2018-04-15 22:04:29 .....           19           19  good.txt
    2018-04-15 22:04:42 .....           20           20  ../../../../../../root/.ssh/authorized_keys

CVE-2020-7758: Snyk Vulnerability Database | Snyk

The SIP ALG implementation on NETGEAR Nighthawk R7000 1.0.9.64_10.2.64 devices allows remote attackers to communicate with arbitrary TCP and UDP services on a victim's intranet machine, if the victim visits an attacker-controlled web site with a modern browser, aka NAT Slipstreaming. This occurs because the ALG takes action based on an IP packet with an initial REGISTER substring in the TCP data, and the correct intranet IP address in the subsequent Via header, without properly considering that connection progress and fragmentation affect the meaning of the packet data.

CVE-2020-28041: GitHub - samyk/slipstream: NAT Slipstreaming allows an attacker to remotely access any TCP/UDP services bound to a victim machine, bypassing the victim’s NAT/firewall, just by anyone on the victim's n

Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource.

CVE-2020-24303: grafana/CHANGELOG.md at main · grafana/grafana

Pagure before 5.6 allows XSS via the templates/blame.html blame view.

CVE-2019-11556: Changelog — pagure documentation

Insufficient policy enforcement in installer in Google Chrome on OS X prior to 85.0.4183.102 allowed a local attacker to potentially achieve privilege escalation via a crafted binary.

CVE-2020-6574: Stable Channel Update for Desktop

Insufficient validation of untrusted input in command line handling in Google Chrome on Windows prior to 85.0.4183.83 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.

CVE-2020-6567

Insufficient policy enforcement in autofill in Google Chrome prior to 85.0.4183.83 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

CVE-2020-6560: Stable Channel Update for Desktop

Razer Chroma SDK Rest Server through 3.12.17 allows remote attackers to execute arbitrary programs because there is a race condition in which a file created under "%PROGRAMDATA%\Razer Chroma\SDK\Apps" can be replaced before it is executed by the server. The attacker must have access to port 54236 for a registration step.

**Introduction**

This document describes the **REST** **API** (Application Programming Interface) and the core components that are required to develop and run a Chroma-enabled application.

**URI**

The Chroma SDK RESTful server has the following URI http://localhost:54235/razer/chromasdk and https://chromasdk.io:54236/razer/chromasdk . Send a **POST** with the application information to this **URI** to get an instance URI. Send a **GET** will return the current Chroma SDK version that is present in the system.

**Keeping the connection alive**

The Chroma SDK RESTful server has a default time out of 15 secs for each connections. The client must maintain the connection by sending commands to the server within this time out value, if not the server will close the connection. For example sending **PUT** periodically (1s) to http://localhost:123456/chromasdk/heartbeat .

Tag

#chrome