Multiple vulnerabilities in Intel processors

Advisory ID CVE Number Date discovered Severity Advisory revision
STORM-2019-026 CVE-2019-0184 , CVE-2019-0123 , CVE-2019-11139 , CVE-2018-12207 , CVE-2019-11157 , CVE-2019-14607 , CVE-2019-0117 , CVE-2020-0548 , CVE-2020-0549 11/14/2019 medium v3

Vulnerability details

Multiples vulnerabilities in Intel processors allow an authenticated user to enable denial of service or information disclosure of the host system with a local access

Impacted products

ProductsSeverityDetail
Stormshield Network Security medium SNS is impacted

Revisions

Version Date Description
v1 11/21/2019 Initial release
v2 09/24/2020 Fix field “Date discovered”
v3 10/09/2020 Update “Workaround solution” and “Solution” sections

 



Stormshield Network Security

CVSS v2 Overall Score: 4.9      

Analysis

Impacted version

This vulnerability could allow an attacker with a local access (ability to run on SNS his own code or script) to the appliance to leak sensitive information and/or enable denial of service.

This vulnerability is useless for an attacker who already have administrator access because an administrator is the highest privileges on the appliance.

As this vulnerability can only be exploited locally, it can not provide an external attacker access to an SNS appliance.

 

The following models are impacted :

  • SN510
  • SN710
  • SN910
  • SN2000
  • SN3000
  • SN6000
  • SN2100
  • SN3100
  • SN6100
  • SNi40
  • 2.X
  • 3.X
  • 4.0.X

Workaround solution

Solution

In order to mitigate the risk of exploitation keep your appliance updated.

As stated in the analysis, this vulnerability can only be exploited locally. On SNS, local access are only granted to user with the highest privileges. Therefore an exploitation of this vulnerability is useless to a SNS local user.

Nevertheless, a fix for this vulnerability has been delivered in the version 4.1.1.



Access vector Access complexity Authentication Confidentiality impact Integrity impact Availability impact
Local Low Single Complete None Complete
CVSS Base score: 6.2 CVSS Vector: (AV:L/AC:L/Au:S/C:C/I:N/A:C)
Exploitability Remediation Level Report Confidence
Proof of concept code Official fix Confirmed
CVSS Temporal score: 4.9 CVSS Vector: (AV:L/AC:L/Au:S/C:C/I:N/A:C/E:POC/RL:OF/RC:C)
Collateral Damage Potential Target Distribution
None High [76-100%]
CVSS Environmental score: 4.9 CVSS Vector: (AV:L/AC:L/Au:S/C:C/I:N/A:C/E:POC/RL:OF/RC:C/CDP:N/TD:H/CR:ND/IR:ND/AR:ND)