Vulnerability in Intel Ethernet Controller firmware (CVE-2020-8696)

Advisory ID	CVE Number	Date discovered	Severity	Advisory revision
STORM-2020-047	CVE-2020-8696	11/27/2020	low	v1

Vulnerability details

Improper supression of sensitive data in the firmware of the Intel(R) Ethernet 700 Series Controllers before version 7.3 may allow an authenticated user to potentially enable information disclosure.

Impacted products

Products	Severity	Detail
Stormshield Network Security	low	SNS is impacted

Revisions

Version	Date	Description
v1	05/27/2020	Initial release

Stormshield Network Security

CVSS v3.1 Overall Score: 3.2

Analysis

Impacted version

This vulnerability could allow an attacker with a local access (ability to run on SNS his own code or script) to the appliance to potentialy enable information disclosure.

As this vulnerability can only be exploited locally, it can not provide an external attacker access to an SNS appliance.

On SNS, local access are only granted to user with the highest privileges. Therefore an exploitation of this vulnerability is useless to a SNS local user.

The following models are impacted :

SN2100
SN3100
SN6100

Version >= 3.7

Workaround solution	Solution
In order to mitigate the risk of exploitation keep your appliance updated.	A fix for this vulnerability has been delivered in the version 4.2.2.

Attack Vector	Attack Complexity	Privileges Required	User Interaction	Scope	Confidentiality Impact	Integrity Impact	Availability impact
Local	High	Low	None	Changed	Low	None	None

CVSS Base score: 2.8	CVSS Vector: (AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N)

Exploit Code Maturity	Remediation Level	Report Confidence
Unproven that exploit exists	Official fix	Confirmed

CVSS Temporal score: 2.5	CVSS Vector: (AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C)

Confidentiality Requirement	Integrity Requirement	Availability Requirement
High	High	High

CVSS Environmental score: 3.2	CVSS Vector: (AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X)