SB2019022006 - Multiple vulnerabilities in Intel Data Center Manager SDK
Published: February 20, 2019
Description
This security bulletin contains information about 11 security vulnerabilities.
1) Improper authentication (CVE-ID: CVE-2019-0102)
The vulnerability allows an adjacent unauthenticated attacker to gain elevated privileges on the target system. The weakness exists due to insufficient session authentication in the web server for Intel(R) Data Center Manager SDK. An adjacent attacker can gain elevated privileges.
2) Information disclosure (CVE-ID: CVE-2019-0103)
The vulnerability allows a local authenticated attacker to obtain potentially sensitive information on the target system. The weakness exists due to insufficient file protection in the install routine for Intel(R) Data Center Manager SDK. A local attacker can gain access to important data.
3) Information disclosure (CVE-ID: CVE-2019-0104)
The vulnerability allows a local authenticated attacker to obtain potentially sensitive information on the target system. The weakness exists due to insufficient file protection in the uninstall routine for Intel(R) Data Center Manager SDK. A local attacker can gain access to important data.
4) Privilege escalation (CVE-ID: CVE-2019-0105)
The vulnerability allows a remote attacker to gain elevated privileges on the target system. The weakness exists due to insufficient file permissions checking in the install routine for Intel(R) Data Center Manager SDK. A remote attacker can trick the victim into processing a specially crafted input and gain elevated privileges to conduct further attacks.
5) Privilege escalation (CVE-ID: CVE-2019-0106)
The vulnerability allows a local attacker to gain elevated privileges on the target system. The weakness exists due to insufficient run protection in the install routine for Intel(R) Data Center Manager SDK. A local attacker can gain elevated privileges to conduct further attacks.
6) Privilege escalation (CVE-ID: CVE-2019-0107)
The vulnerability allows a local attacker to gain elevated privileges on the target system. The weakness exists due to an insufficient user prompt in the install routine for Intel(R) Data Center Manager SDK. A local attacker can gain elevated privileges to conduct further attacks.
7) Information disclosure (CVE-ID: CVE-2019-0108)
The vulnerability allows a local authenticated attacker to obtain potentially sensitive information on the target system. The weakness exists due to improper file permissions for Intel(R) Data Center Manager SDK. A local attacker can gain access to arbitrary data.
8) Privilege escalation (CVE-ID: CVE-2019-0109)
The vulnerability allows a local authenticated attacker to gain elevated privileges on the target system. The weakness exists due to improper folder permissions in Intel(R) Data Center Manager SDK. A local attacker can gain elevated privileges to conduct further attacks.
9) Information disclosure (CVE-ID: CVE-2019-0110)
The vulnerability allows a local authenticated attacker to obtain potentially sensitive information on the target system. The weakness exists due to insufficient key management for Intel(R) Data Center Manager SDK. A local attacker can gain access to important data.
10) Information disclosure (CVE-ID: CVE-2019-0111)
The vulnerability allows a local authenticated attacker to obtain potentially sensitive information on the target system. The weakness exists due to improper file permissions for Intel(R) Data Center Manager SDK. A local attacker can gain access to important data.
11) Improper input validation (CVE-ID: CVE-2019-0112)
The vulnerability allows a remote attacker to cause a DoS condition on the target system. The weakness exists due to improper flow control in the crypto routines for Intel(R) Data Center Manager SDK. A remote attacker can trick the victim into processing a specially crafted input and cause the service to crash.
Remediation
Install the update from the vendor's website.