An exploitable use-after-free vulnerability exists in WPS Spreadsheets ( ET ) as part of WPS Office, version 11.2.0.10351. A specially-crafted XLS file can cause a use-after-free condition, resulting in remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability.

**Summary**

An exploitable use-after-free vulnerability exists in WPS Spreadsheets ( ET ) as part of WPS Office, version 11.2.0.10351. A specially-crafted XLS file can cause a use-after-free condition, resulting in remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability.

**Tested Versions**

WPS Office 11.2.0.10351

**Product URLs**

WPS Office - https://www.wps.com/

**CVSSv3 Score**

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-416 - Use After Free

**Details**

WPS Office previously known as a Kingsoft Office is a suite of tools used for productivity in both a corporate environment as well as by end-users. It offers a range of tools that can be used for various purposes. Such as WPS Spreadsheets for spreadsheets, WPS Writer for document editing, and so on.

A specially-crafted XLS file written in a proper form of HTML/XML tags can lead to a use-after-free vulnerability and remote code execution. Let us run our malformed xls file in ET.exe using debugger:

    (6a4.1674): Access violation - code c0000005 (first/second chance not available)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    Time Travel Position: 6E147E:0
    eax=00000000 ebx=0d4eeeb8 ecx=00000000 edx=00000000 esi=1ccb5dcb edi=5f06dfb8
    eip=0228282b esp=0d4eedb0 ebp=0d4eee58 iopl=0         nv up ei pl nz na po nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
    0228282b 006200          add     byte ptr [edx],ah          ds:002b:00000000=??
    
    
    0:011> kb
     # ChildEBP RetAddr      Args to Child              
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    00 0d4eee58 0dd5b0b8     00000000 06dbd130 06dbd170 0x228282b
    01 0d4eef20 5f0b0a75     1ccb432f 07b5f1a0 00000000 0xdd5b0b8
    02 0d4ef310 5f0afba4     07b6b670 00000000 1ccb45df html2!html2::HtmlParser::parseStream+0x75
    03 0d4ef5e0 5f2fd0e0     00f6d814 00000001 0d4ef694 html2!html2::HtmlParser::parse+0x2a4
    04 0d4ef8b4 5f2d41ef     00f6d814 06d81ea8 00000000 ethtmlrw2!html2::StrmUtf8Converter::~StrmUtf8Converter+0x42b0
    05 0d4ef8f0 5f2d4bf9     06bdbd40 5f2d5f3f f114ab06 ethtmlrw2!chart::KETChartDataSourceProvider::getContextOOXML+0xbf
    06 0d4ef920 75a64f9f     07a63158 45279ebd 75a64f60 ethtmlrw2!chart::KETChartDataSourceProvider::getContextOOXML+0xac9
    07 0d4ef958 776ffa29     075b0798 776ffa10 0d4ef9c4 ucrtbase!thread_start<unsigned int (__stdcall*)(void *),1>+0x3f
    08 0d4ef968 77847a9e     075b0798 02cb572f 00000000 KERNEL32!BaseThreadInitThunk+0x19
    09 0d4ef9c4 77847a6e     ffffffff 77868a4e 00000000 ntdll!__RtlUserThreadStart+0x2f
    0a 0d4ef9d4 00000000     75a64f60 075b0798 00000000 ntdll!_RtlUserThreadStart+0x1b
    

Looks like execution flow has been redirected into a non-executable area:

    0:011> !address 0228282b
    
    Usage:                  <unknown>
    Base Address:           02270000
    End Address:            022da000
    Region Size:            0006a000 ( 424.000 kB)
    State:                  00001000          MEM_COMMIT
    Protect:                00000004          PAGE_READWRITE
    Type:                   00020000          MEM_PRIVATE
    Allocation Base:        02270000
    Allocation Protect:     00000001          PAGE_NOACCESS
    

Let’s check the memory content: 0:011> db 02282828 02282828 74 00 61 00 62 00 6c 00-65 00 00 00 74 00 62 00 t.a.b.l.e…t.b. 02282838 6f 00 64 00 79 00 00 00-74 00 66 00 6f 00 6f 00 o.d.y…t.f.o.o. 02282848 74 00 00 00 74 00 68 00-65 00 61 00 64 00 00 00 t…t.h.e.a.d… 02282858 6c 00 6f 00 63 00 6b 00-00 00 00 00 70 00 61 00 l.o.c.k…..p.a. 02282868 74 00 68 00 00 00 00 00-73 00 6b 00 65 00 77 00 t.h…..s.k.e.w. 02282878 00 00 00 00 67 00 72 00-6f 00 75 00 70 00 00 00 ….g.r.o.u.p… 02282888 6f 00 76 00 61 00 6c 00-00 00 00 00 63 00 75 00 o.v.a.l…..c.u. 02282898 72 00 76 00 65 00 00 00-72 00 67 00 62 00 28 00 r.v.e…r.g.b.(. 0:011> du 02282828 02282828 “table”

We can clearly see that indeed program execution ended in a non executable area (data). When we take a few steps back to see the moment of a code execution redirection we see the following code:

    0:011> r
    eax=0228bea0 ebx=0228bed0 ecx=0228bed0 edx=013e0000 esi=0dd5bd78 edi=0d4eee58
    eip=5f06dfb5 esp=0d4eed94 ebp=0d4eedf4 iopl=0         nv up ei pl nz na po nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
    html2!html2::HtmBoxRefOperator::imitateBoxFlags+0x365:
    5f06dfae 8b5d08         mov     ebx, dword ptr [ebp+8]
    5f06dfb1 8bcb           mov     ecx, ebx
    5f06dfb3 8b03           mov     eax, dword ptr [ebx]	
    5f06dfb5 ff5034         call    dword ptr [eax+34h]  ds:002b:0228bed4=02282828
    

Looks like a typical call to one of the virtual functions. It is highly probable that the object has been released before and a vftable pointer 0228bed0 has been overwritten. Setting a write access breakpoint on 0228bed0, let’s execute our software again:

    0:011> g-
    Breakpoint 0 hit
    Time Travel Position: 6E1064:A7
    eax=0228bea0 ebx=0228bed0 ecx=00a6e000 edx=0000000b esi=01437c70 edi=06cd5a98
    eip=6a437c7d esp=0d4eec08 ebp=0d4eec14 iopl=0         nv up ei pl nz na po nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
    kso!mfxGlobalFree2+0x5d:
    6a437c7d 8b4704          mov     eax,dword ptr [edi+4] ds:002b:06cd5a9c=00000055
    0:011> kb
     # ChildEBP RetAddr      Args to Child              
    WARNING: Stack unwind information not available. Following frames may be wrong.
    00 0d4eec14 5f06d818     0000000b 00000030 1ccb5c03 kso!mfxGlobalFree2+0x5d
    01 0d4eec3c 5f0b649f     1ccb5c53 0d4ef078 07ba5174 html2!html2::HtmCreator::createXmlNodesRef+0x4f8
    02 0d4eec6c 5f0c22c0     07ba5174 0d4eef38 0d4eef38 html2!html2::StrIdSet::gainLower+0xbf
    03 0d4eec90 5f0c8d34     022812e0 07b60f01 5f0c90f0 html2!html2::ParserContext::urlStack+0xac00
    04 0d4eeca4 5f0c8a47     022812e0 00000000 07b60f01 html2!html2::ParserContext::urlStack+0x11674
    05 0d4eecd0 5f0c6dfc     022812e0 07b60f01 0d4eef38 html2!html2::ParserContext::urlStack+0x11387
    06 0d4eecf8 5f0c8a96     00020000 00000001 0d4ef3f4 html2!html2::ParserContext::urlStack+0xf73c
    07 0d4eed20 5f0c6dfc     022812f0 07b60f01 0d4eef38 html2!html2::ParserContext::urlStack+0x113d6
    08 0d4eed48 5f0c7c40     00084404 00000000 00000000 html2!html2::ParserContext::urlStack+0xf73c
    09 0d4eed70 5f0c4d7c     022812f0 00000000 00000001 html2!html2::ParserContext::urlStack+0x10580
    0a 0d4eed90 5f0b24da     022812f0 00000000 07ba6ff0 html2!html2::ParserContext::urlStack+0xd6bc
    0b 0d4eedc8 5f0b32f0     07b6b670 07b15e70 0d4ef668 html2!html2::HtmDocument::topBoxs+0x197a
    0c 0d4eee00 5f0b2271     1ccb5e07 07b6b670 0d4eef38 html2!html2::HtmDocument::topBoxs+0x2790
    0d 0d4eee38 5f0cb8c5     00000003 0074683c 0d4eef38 html2!html2::HtmDocument::topBoxs+0x1711
    0e 0d4eef20 5f0b0a75     1ccb432f 07b5f1a0 00000000 html2!html2::ParserContext::urlStack+0x14205
    0f 0d4ef310 5f0afba4     07b6b670 00000000 1ccb45df html2!html2::HtmlParser::parseStream+0x75
    10 0d4ef5e0 5f2fd0e0     00f6d814 00000001 0d4ef694 html2!html2::HtmlParser::parse+0x2a4
    11 0d4ef8b4 5f2d41ef     00f6d814 06d81ea8 00000000 ethtmlrw2!html2::StrmUtf8Converter::~StrmUtf8Converter+0x42b0
    12 0d4ef8f0 5f2d4bf9     06bdbd40 5f2d5f3f f114ab06 ethtmlrw2!chart::KETChartDataSourceProvider::getContextOOXML+0xbf
    13 0d4ef920 75a64f9f     07a63158 45279ebd 75a64f60 ethtmlrw2!chart::KETChartDataSourceProvider::getContextOOXML+0xac9
    14 0d4ef958 776ffa29     075b0798 776ffa10 0d4ef9c4 ucrtbase!thread_start<unsigned int (__stdcall*)(void *),1>+0x3f
    15 0d4ef968 77847a9e     075b0798 02cb572f 00000000 KERNEL32!BaseThreadInitThunk+0x19
    16 0d4ef9c4 77847a6e     ffffffff 77868a4e 00000000 ntdll!__RtlUserThreadStart+0x2f
    17 0d4ef9d4 00000000     75a64f60 075b0798 00000000 ntdll!_RtlUserThreadStart+0x1b
    

Our hypothesis has been confirmed. What’s important for us here is that the object has been released via a call to kso!mfxGlobalFree2. If we track its allocation :

    dx -r1 -g @$cursession.TTD.Calls("kso!mfxGlobalAlloc2").Where( x => x.ReturnValue == `0x0228bed0`)
    

We get additional information that our object represents a table:

    .text:5F06CEF0 public: static struct html2::HtmTable * __cdecl html2::HtmCreator::createHtmTableAlt(void) proc near
    .text:5F06CEF0                 push    30h ; '0'
    .text:5F06CEF2                 call    mfxGlobalAlloc2
    .text:5F06CEF7                 mov     dword ptr [eax], offset const html2::HtmTableAltImpl::`vftable'
    .text:5F06CEFD                 mov     dword ptr [eax+4], 0
    .text:5F06CF04                 mov     dword ptr [eax+8], 0
    .text:5F06CF0B                 mov     dword ptr [eax+0Ch], 0
    .text:5F06CF12                 mov     dword ptr [eax+10h], 0
    .text:5F06CF19                 mov     dword ptr [eax+14h], 0
    .text:5F06CF20                 mov     dword ptr [eax+18h], 0
    .text:5F06CF27                 mov     dword ptr [eax+1Ch], 0
    .text:5F06CF2E                 mov     dword ptr [eax+20h], 0
    .text:5F06CF35                 mov     dword ptr [eax+24h], 0
    .text:5F06CF3C                 mov     dword ptr [eax+28h], 0
    .text:5F06CF43                 mov     word ptr [eax+2Ch], 0
    .text:5F06CF49                 retn	
    
    0:011> r
    eax=`0228bed0` ebx=07ba51b4 ecx=0228bed0 edx=00000037 esi=07ba51b4 edi=079b1810
    eip=5f06cef7 esp=0d4eebf0 ebp=0d4eec68 iopl=0         nv up ei pl nz na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
    html2!html2::HtmCreator::createHtmTableAlt+0x7:
    5f06cef7 c700b0be105f    mov     dword ptr [eax],offset html2::HtmTableAltImpl::`vftable' (5f10beb0) ds:002b:0228bed0=0228bf00	
    

Proper heap grooming can give an attacker full control of this use-after-free vulnerability and as a result could allow it to be turned into arbitrary code execution.

**Crash Information**

    (6a4.1674): Break instruction exception - code 80000003 (first/second chance not available)
    Time Travel Position: 6E147D:7D
    eax=0228bea0 ebx=0228bed0 ecx=0228bed0 edx=013e0000 esi=0dd5bd78 edi=0d4eee58
    eip=5f06dfb5 esp=0d4eed94 ebp=0d4eedf4 iopl=0         nv up ei pl nz na po nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
    html2!html2::HtmBoxRefOperator::imitateBoxFlags+0x365:
    5f06dfb5 ff5034          call    dword ptr [eax+34h]  ds:002b:0228bed4=02282828
    0:011> g
    (6a4.1674): Access violation - code c0000005 (first/second chance not available)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    Time Travel Position: 6E147E:0
    eax=00000000 ebx=0d4eeeb8 ecx=00000000 edx=00000000 esi=1ccb5dcb edi=5f06dfb8
    eip=0228282b esp=0d4eedb0 ebp=0d4eee58 iopl=0         nv up ei pl nz na po nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
    0228282b 006200          add     byte ptr [edx],ah          ds:002b:00000000=??
    0:011> kb
     # ChildEBP RetAddr      Args to Child              
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    00 0d4eee58 0dd5b0b8     00000000 06dbd130 06dbd170 0x228282b
    01 0d4eef20 5f0b0a75     1ccb432f 07b5f1a0 00000000 0xdd5b0b8
    02 0d4ef310 5f0afba4     07b6b670 00000000 1ccb45df html2!html2::HtmlParser::parseStream+0x75
    03 0d4ef5e0 5f2fd0e0     00f6d814 00000001 0d4ef694 html2!html2::HtmlParser::parse+0x2a4
    04 0d4ef8b4 5f2d41ef     00f6d814 06d81ea8 00000000 ethtmlrw2!html2::StrmUtf8Converter::~StrmUtf8Converter+0x42b0
    05 0d4ef8f0 5f2d4bf9     06bdbd40 5f2d5f3f f114ab06 ethtmlrw2!chart::KETChartDataSourceProvider::getContextOOXML+0xbf
    06 0d4ef920 75a64f9f     07a63158 45279ebd 75a64f60 ethtmlrw2!chart::KETChartDataSourceProvider::getContextOOXML+0xac9
    07 0d4ef958 776ffa29     075b0798 776ffa10 0d4ef9c4 ucrtbase!thread_start<unsigned int (__stdcall*)(void *),1>+0x3f
    08 0d4ef968 77847a9e     075b0798 02cb572f 00000000 KERNEL32!BaseThreadInitThunk+0x19
    09 0d4ef9c4 77847a6e     ffffffff 77868a4e 00000000 ntdll!__RtlUserThreadStart+0x2f
    0a 0d4ef9d4 00000000     75a64f60 075b0798 00000000 ntdll!_RtlUserThreadStart+0x1b
    
    0:011> lmDvmet
    Browse full module list
    start    end        module name
    00d20000 00e6b000   et         (export symbols)       et.exe
        Loaded symbol image file: et.exe
        Mapped memory image file: c:\Users\icewall\AppData\Local\Kingsoft\WPS Office\11.2.0.10351\office6\et.exe
        Image path: c:\Users\icewall\AppData\Local\Kingsoft\WPS Office\11.2.0.10351\office6\et.exe
        Image name: et.exe
        Browse all global symbols  functions  data
        Timestamp:        Sat Oct 23 14:16:30 2021 (6173FD1E)
        CheckSum:         00153DB1
        ImageSize:        0014B000
        File version:     11.2.0.10351
        Product version:  11.2.0.10351
        File flags:       0 (Mask 3F)
        File OS:          40004 NT Win32
        File type:        0.0 Unknown
        File date:        00000000.00000000
        Translations:     0000.04b0
        Information from resource tables:
            CompanyName:      Zhuhai Kingsoft Office Software Co.,Ltd
            ProductName:      WPS Office
            InternalName:     et
            OriginalFilename: et.exe
            ProductVersion:   11,2,0,10351
            FileVersion:      11,2,0,10351
            FileDescription:  WPS Spreadsheets
            LegalCopyright:   Copyright©2021 Kingsoft Corporation. All rights reserved.
    

**Vendor Response**

For international edition: https://www.wps.com/office/windows/ For domestic personal edition: https://official-package.wpscdn.cn/wps/download/WPS\_Setup\_11691.exe For enterprise edition: https://wps-cn-ep.ks3-cn-beijing.ksyun.com/wps/download/ep/WPS2019/WPSPro\_11.8.2.11542.exe If you need to get the WPS official disclosure about the vulnerability, you can visit this link: https://security.wps.cn/notices/28

https://official-package.wpscdn.cn/wps/download/WPS\_Setup\_11691.exe

**Timeline**

2021-11-18 - Vendor disclosure  
2021-12-15 - 30 day follow up  
2022-01-07 - 60 day follow up  
2022-01-13 - Reissued copies of advisories to vendor per request  
2022-04-02 - Talos granted disclosure extension  
2022-05-02 - Vendor patched  
2022-05-09 - Public Release  

Discovered by Marcin "Icewall" Noga of Cisco Talos.

CVE-2021-40399: TALOS-2021-1412 || Cisco Talos Intelligence Group

Insufficient control flow management in the Intel(R) Advisor software before version 7.6.0.37 may allow an authenticated user to potentially enable escalation of privilege via local access.

**Select Your Region**

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® Advisor Advisory**

**Summary: **

A potential security vulnerability in the Intel® Advisor software may allow escalation of privilege.  Intel is releasing software updates to mitigate this potential vulnerability.

**Vulnerability Details:**

CVEID: CVE-2022-21128

Description: Insufficient control flow management in the Intel(R) Advisor software before version 7.6.0.37 may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

**Affected Products:**

Intel® Advisor software before version 7.6.0.37.

**Recommendations:**

Intel recommends updating the Intel® Advisor software to version 7.6.0.37 or later.

Updates are available for download at these locations: Intel® Advisor is available as a standalone installation and as part of the Intel® oneAPI Base Toolkit.

**Acknowledgements:**

The following issue was found internally by an Intel employee.  Intel would like to thank Alexey Murashov.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

05/10/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  
Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-21128: INTEL-SA-00661

Improper access control for some Intel(R) Xeon(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

**Select Your Region**

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**2022.1 IPU - Intel® Xeon® Advisory**

Intel ID:

INTEL-SA-00616

Advisory Category:

Firmware

Impact of vulnerability:

Denial of Service, Information Disclosure

Severity rating:

LOW

Original release:

05/10/2022

Last revised:

05/10/2022

**Summary:**

Potential security vulnerabilities in some Intel® Xeon® Processors may allow information disclosure or denial of service.  Intel is releasing firmware updates to mitigate these potential vulnerabilities.

**Vulnerability Details:**

CVEID: CVE-2022-21131

Description: Improper access control for some Intel(R) Xeon(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

CVSS Base Score: 3.3 Low

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVEID: CVE-2022-21136

Description: Improper input validation for some Intel(R) Xeon(R) Processors may allow a privileged user to potentially enable denial of service via local access.

CVSS Base Score: 2.7 Low

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L

**Affected Products:**

**Processor**

**CPU ID**

**CVE**

Intel® Xeon Scalable Processors

50653, 50654

CVE-2022-21131, CVE-2022-21136

Intel® Xeon® D-2100 Processor

50654

CVE-2022-21131, CVE-2022-21136

2nd Generation Intel® Xeon® Scalable Processors

50656, 50657

CVE-2022-21131

Intel® Core™ i9, 79xxX, 78xxX

50654

CVE-2022-21131, CVE-2022-21136

**Recommendations:  
**

Intel recommends that users of Intel® Xeon Processors update to the latest version provided by the system manufacturer that addresses these issues

**Acknowledgements:**

CVE-2022-21136 issue was found internally by Intel employees, CVE-2022-21131was found externally.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

05/10/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  
Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-21131: INTEL-SA-00616

An out of bounds read vulnerability exists in the malware scan functionality of ESTsoft Alyac 2.5.7.7. A specially-crafted PE file can trigger this vulnerability to cause denial of service and termination of malware scan. An attacker can provide a malicious file to trigger this vulnerability.

**Summary**

An out of bounds read vulnerability exists in the malware scan functionality of ESTsoft Alyac 2.5.7.7. A specially-crafted PE file can trigger this vulnerability to cause denial of service and termination of malware scan. An attacker can provide a malicious file to trigger this vulnerability.

**Tested Versions**

ESTsoft Alyac 2.5.7.7

**Product URLs**

Alyac - https://www.estsecurity.com/public/product/alyac

**CVSSv3 Score**

5.0 - CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

**CWE**

CWE-823 - Use of Out-of-range Pointer Offset

**Details**

Alyac is an antivirus program for Microsoft Windows, developed by ESTsecurity, which is part of ESTsoft.

There exists a vulnerability in a module called coen.aym used by Alyac when scanning PE executable files. Module coen.aym is reponsible for loading different engines and modules for handling archive formats and initiating the scan. the

While parsing the malformed PE executable file, function sub_180086C30 is called. This function tries to locate the section header of .text section by parsing the PE file. At \[1\] below, rax register stores the address of the PE\0\0 signature.

    .text:0000000180086C69 loc_180086C69:                          ; CODE XREF: sub_180086C30+24↑j
    .text:0000000180086C69                                         ; sub_180086C30+2A↑j
    .text:0000000180086C69                 mov     rax, [rdi+10h]                                   [1]
    .text:0000000180086C6D
    .text:0000000180086C6D loc_180086C6D:                          ; DATA XREF: .rdata:0000000180405CAC↓o
    .text:0000000180086C6D                                         ; .rdata:0000000180405CC8↓o ...
    .text:0000000180086C6D                 mov     [rsp+28h+arg_0], rbx
    .text:0000000180086C72                 xor     ebx, ebx
    .text:0000000180086C74                 mov     [rsp+28h+arg_8], rsi
    .text:0000000180086C79                 mov     [rsp+28h+arg_10], r14
    .text:0000000180086C7E                 cmp     bx, [rax+6]     ; Number of sections             [2]
    .text:0000000180086C82                 jnb     short loc_180086CC1
    .text:0000000180086C84                 mov     r14d, ecx
    .text:0000000180086C87                 nop     word ptr [rax+rax+00000000h]
    .text:0000000180086C90
    .text:0000000180086C90 loc_180086C90:                          ; CODE XREF: sub_180086C30+8F↓j
    .text:0000000180086C90                 lea     rcx, [rbx+rbx*4]
    .text:0000000180086C94                 mov     r8, r14         ; MaxCount
    .text:0000000180086C97                 lea     rsi, ds:0[rcx*8]
    .text:0000000180086C9F                 mov     rdx, rbp        ; String2 ".text"
    .text:0000000180086CA2                 mov     rcx, [rdi+18h]  ;                                [3]
    .text:0000000180086CA6                 add     rcx, rsi        ; String1 SectionHeader->Name
    .text:0000000180086CA9                 call    cs:_strnicmp    ; crash!                         [4]
    .text:0000000180086CAF                 test    eax, eax
    .text:0000000180086CB1                 jz      short loc_180086CDD
    .text:0000000180086CB3                 mov     rax, [rdi+10h]
    .text:0000000180086CB7                 inc     ebx
    .text:0000000180086CB9                 movzx   ecx, word ptr [rax+6]                            
    .text:0000000180086CBD                 cmp     ebx, ecx                                         [5]
    .text:0000000180086CBF                 jb      short loc_180086C90
    

Next, it goes into a loop enumerating each section header to find one with the Name field set as .text. Section table, which follows the PE header, is a list of section headers. Each section header has an 8-byte field at offset +0 to store the name.

RBX register is used as the loop counter, which is initialized to 0. It is compared to the NumberOfSections field in the file header (part of PE header) at \[2,5\] so it does not search beyond number of sections. Inside the loop, the offset to the section header is increased by 40 bytes each iteration, which is equal to the size of the section header. The offset is added to RCX register, which stores the location of the section table from \[3\].

While a check is made to make sure only the specified number of section headers is processed, it doesn’t check if the PE executable file is big enough to store the number of section headers as defined in the file header. So if given a large number of section headers without .text section header, the loop will continue reading until it goes out of bounds of file size, which will eventually cause access violation at \[4\]. This leads to a crash of the Alyac scanning process, which effectively neutralizes the antivirus scan.

**Crash Information**

    0:018> k
    # Child-SP          RetAddr               Call Site
    00 00000053`d1c9e3c8 00007ff8`8b286caf     ucrtbase!_ascii_strnicmp+0xe
    01 00000053`d1c9e3d0 00007ff8`8b23f8ba     coen!Coen_Clean+0x72d1f
    02 00000053`d1c9e400 00007ff8`8b27d32c     coen!Coen_Clean+0x2b92a
    03 00000053`d1c9e4c0 00007ff8`8b27cd06     coen!Coen_Clean+0x6939c
    04 00000053`d1c9e770 00007ff8`8b263534     coen!Coen_Clean+0x68d76
    05 00000053`d1c9e910 00007ff8`8b2191c2     coen!Coen_Clean+0x4f5a4
    06 00000053`d1c9ebb0 00007ff8`8b205a50     coen!Coen_Clean+0x5232
    07 00000053`d1c9ed30 00007ff8`8b213a4a     coen+0x5a50
    08 00000053`d1c9ee70 000001eb`7cddd73e     coen!Coen_ScanHandle+0xba
    09 00000053`d1c9eee0 000001eb`7cdc6907     ecm!GetModuleConfigValue+0x64ae
    0a 00000053`d1c9ef90 000001eb`7cdfa88e     ecm+0x56907
    0b 00000053`d1c9f110 000001eb`7cdd69f0     ecm!GetModuleConfigValue+0x235fe
    0c 00000053`d1c9f1f0 00007ff8`d5632a51     ecm!ScanFile+0x40
    0d 00000053`d1c9f230 00007ff8`d564c219     scn+0x32a51
    0e 00000053`d1c9f350 00007ff8`d564b63f     scn!ForceCloseScan+0xebf9
    0f 00000053`d1c9f850 00007ff8`d564ab3d     scn!ForceCloseScan+0xe01f
    10 00000053`d1c9fa70 00007ff8`eb6c6c0c     scn!ForceCloseScan+0xd51d
    11 00000053`d1c9faa0 00007ff8`ec8654e0     ucrtbase!thread_start<unsigned int (__cdecl*)(void *),1>+0x4c
    12 00000053`d1c9fad0 00007ff8`edec485b     KERNEL32!BaseThreadInitThunk+0x10
    13 00000053`d1c9fb00 00000000`00000000     ntdll!RtlUserThreadStart+0x2b
    

**Vendor Response**

The product was updated to 2.5.7.7

https://www.estsecurity.com/public/product/alyac

**Timeline**

2022-01-31 - Vendor disclosure  
2022-04-12 - Talos reissued copies of report  
2022-04-29 - Vendor patched  
2022-05-10 - Public Release  

Discovered by Jaewon Min of Cisco Talos.

CVE-2022-21147: TALOS-2022-1452 || Cisco Talos Intelligence Group

Improper access control for the Intel(R) Killer(TM) Control Center software before version 2.4.3337.0 may allow an authorized user to potentially enable escalation of privilege via local access.

**Select Your Region**

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® Killer™ Control Center Advisory**

**Summary: **

A potential security vulnerability in the Intel® Killer™ Control Center software may allow escalation of privilege. Intel is releasing software updates to mitigate this potential vulnerability.

**Vulnerability Details:**

CVEID:  CVE-2021-26258

Description: Improper access control for the Intel(R) Killer(TM) Control Center software before version 2.4.3337.0 may allow an authorized user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

**Affected Products:**

Intel® Killer™ Control Center software before version 2.4.3337.0.

**Recommendations:**

Intel recommends updating the Intel® Killer™ Control Center software to version 2.4.3337.0 or later.

Updates for Intel® Killer™ products are available for download at this location:

https://www.intel.com/content/www/us/en/download/19779/intel-killer-performance-suite.html

**Acknowledgements:**

Intel would like to thank Michael Myng for reporting this issue.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

05/10/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  
Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2021-26258: INTEL-SA-00644

Improper access control in the Intel(R) In-Band Manageability software before version 2.13.0 may allow a privileged user to potentially enable escalation of privilege via network access.

**Select Your Region**

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® In-Band Manageability Advisory**

**Summary: **

Potential security vulnerabilities in the Intel® In-Band Manageability software may allow escalation of privilege.  Intel is releasing software updates to mitigate these potential vulnerabilities.

**Vulnerability Details:**

CVEID: CVE-2021-0193

Description: Improper authentication in the Intel(R) In-Band Manageability software before version 2.13.0 may allow a privileged user to potentially enable escalation of privilege via network access.

CVSS Base Score: 7.2 HIGH

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVEID: CVE-2021-33108

Description: Improper input validation in the Intel(R) In-Band Manageability software before version 2.13.0 may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 MEDIUM

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVEID: CVE-2021-0194       

Description: Improper access control in the Intel(R) In-Band Manageability software before version 2.13.0 may allow a privileged user to potentially enable escalation of privilege via network access.

CVSS Base Score: 6.5 MEDIUM

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

**Affected Products:**

Intel® In-Band Manageability before version 2.13.0.

**Recommendations:**

Updates are available for download at this location: https://www.intel.com/content/www/us/en/developer/tools/in-band-manageability/documentation.html

**Acknowledgements:**

These issues were found internally by Intel.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

05/10/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  
Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2021-0194: INTEL-SA-00549

Improper input validation for the Intel(R) Manageability Commander before version 2.2 may allow an authenticated user to potentially enable escalation of privilege via adjacent access.

**Select Your Region**

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® Manageability Commander Advisory**

**Summary: **

A potential security vulnerability in the Intel® Manageability Commander may allow escalation of privilege.  Intel is releasing software updates to mitigate this potential vulnerability.

**Vulnerability Details:**

CVEID: CVE-2021-0126

Description: Improper input validation for the Intel(R) Manageability Commander before version 2.2 may allow an authenticated user to potentially enable escalation of privilege via adjacent access.

CVSS Base Score: 5.5 Medium

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

**Affected Products:**

Intel® Manageability Commander before version 2.2.

**Recommendations:**

Intel recommends updating Intel® Manageability Commander to version 2.2 or later.

Updates are available for download at this location:

https://www.intel.com/content/www/us/en/download/18796/intel-manageability-commander.html

**Acknowledgements:**

This issue was found internally by Intel.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

05/10/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  
Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2021-0126: INTEL-SA-00519

Race condition within a thread in firmware for some Intel(R) Optane(TM) SSD and Intel(R) SSD DC Products may allow a privileged user to potentially enable denial of service via local access.

**Select Your Region**

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® Optane SSD Firmware Advisory**

Intel ID:

INTEL-SA-00563

Advisory Category:

Firmware

Impact of vulnerability:

Escalation of Privilege, Denial of Service, Information Disclosure

Severity rating:

HIGH

Original release:

05/10/2022

Last revised:

05/10/2022

**Summary: **

Potential security vulnerabilities in some Intel® Optane™ SSD and Intel® Optane™ SSD Data Center (DC) products may allow escalation of privilege, denial of service or information disclosure.  Intel is releasing firmware updates and prescriptive guidance to mitigate these potential vulnerabilities.

**Vulnerability Details:**

CVEID: CVE-2021-33078

Description: Race condition within a thread in firmware for some Intel(R) Optane(TM) SSD and Intel(R) SSD DC Products may allow a privileged user to potentially enable denial of service via local access.

CVSS Base Score: 7.9 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H

CVEID: CVE-2021-33077

Description: Insufficient control flow management in firmware for some Intel(R) SSD, Intel(R) Optane(TM) SSD and Intel(R) SSD DC Products may allow an unauthenticated user to potentially enable escalation of privilege via physical access.

CVSS Base Score: 7.3 High

CVSS Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

CVEID: CVE-2021-33080

Description: Exposure of sensitive system information due to uncleared debug information in firmware for some Intel(R) SSD DC, Intel(R) Optane(TM) SSD and Intel(R) Optane(TM) SSD DC Products may allow an unauthenticated user to potentially enable information disclosure or escalation of privilege via physical access.

CVSS Base Score: 7.3 High

CVSS Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

CVEID: CVE-2021-33074

Description: Protection mechanism failure in firmware for some Intel(R) SSD, Intel(R) SSD DC and Intel(R) Optane(TM) SSD Products may allow an unauthenticated user to potentially enable information disclosure via physical access.

CVSS Base Score: 6.8 Medium

CVSS Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

CVEID: CVE-2021-33069

Description: Improper resource shutdown or release in firmware for some Intel(R) SSD, Intel(R) SSD DC, Intel(R) Optane(TM) SSD and Intel(R) Optane(TM) SSD DC may allow a privileged user to potentially enable denial of service via local access.

CVSS Base Score: 6.0 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

CVEID: CVE-2021-33075

Description: Race condition in firmware for some Intel(R) Optane(TM) SSD, Intel(R) Optane(TM) SSD DC and Intel(R) SSD DC Products may allow a privileged user to potentially enable denial of service via local access.

CVSS Base Score: 6.0 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

CVEID: CVE-2021-33083

Description: Improper authentication in firmware for some Intel(R) SSD, Intel(R) Optane(TM) SSD, Intel(R) Optane(TM) SSD DC and Intel(R) SSD DC Products may allow an privileged user to potentially enable information disclosure via local access.

CVSS Base Score: 6.0 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

CVEID: CVE-2021-33082

Description: Sensitive information in resource not removed before reuse in firmware for some Intel(R) SSD and Intel(R) Optane(TM) SSD Products may allow an unauthenticated user to potentially enable information disclosure via physical access.

CVSS Base Score: 5.3 Medium

CVSS Vector:  CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

**Affected Products:**

Effective December 29th, 2021, the following products continue being supported by Intel Corporation:

Intel® Optane™ SSD DC D4800X Series all versions.

Intel® Optane™ SSD DC P4800X/P4801X Series before version E2010600.

Intel® Optane™ SSD P5800X Series before version L3010200.

Intel® Optane™ SSD 905P/900P Series all versions.

Intel® Optane Memory H10 with Solid State Storage Series all versions.

Intel® Optane Memory H20 with Solid State Storage Series all versions.

For affected Intel® SSD or Intel® SSD DC NAND products, Intel recommends customers consult the security advisory published at https://www.solidigmtechnology.com/en/support.html or contact Solidigm™ technology at security@solidigmtechnology.com.

**Recommendations:**

**Product Family**

**Mitigated Version or higher**

Intel® Optane™ SSD DC D4800X Series

Consult prescriptive guidance

Intel® Optane™ SSD DC P4800X/P4801X Series

E2010600

Intel® Optane™ SSD P5800X Series

L0310200

Intel® Optane™ Memory H20 with Solid State Storage

PGF028K

Consult prescriptive guidance

Intel® Optane™ Memory H10 with Solid State Storage

TGF061K

Intel® Optane™ SSD 905P/900P Series

FW600

Prescriptive guidance for CVE-2021-33082: A possible workaround is to use one of the following commands listed below instead of the Sanitize command with Block Erase operation:

*   NVMe Sanitize command, Crypto Erase (SANACT=04h) or
*   NVMe Format NVM command, User Data Erase or Crypto Erase (SES=01h or SES=02h)

Check the Identify Controller Data Structure below, for capability your drive supports in lieu of sanitize erase feature:

*   Sanitize command, Crypto Erase (offset 331:328, SANICAP bit 00h) and
*   NVMe Format NVM command (offset 257:256, OACS bit 01h)

Updates are available for download at this location: https://www.intel.com/content/www/us/en/support/products/35125/memory-and-storage.html#support-product-selector  

**Acknowledgements:**

These issues were found internally by Intel.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

05/10/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  
Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

Tag

#intel