Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2019-11090

Severity CVSS v4.0:
Pending analysis
Type:
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Publication date:
18/12/2019
Last modified:
03/01/2020

Description

Cryptographic timing conditions in the subsystem for Intel(R) PTT before versions 11.8.70, 11.11.70, 11.22.70, 12.0.45, 13.0.0 and 14.0.10; Intel(R) TXE 3.1.70 and 4.0.20; Intel(R) SPS before versions SPS_E5_04.01.04.305.0, SPS_SoC-X_04.00.04.108.0, SPS_SoC-A_04.00.04.191.0, SPS_E3_04.01.04.086.0, SPS_E3_04.08.04.047.0 may allow an unauthenticated user to potentially enable information disclosure via network access.

Impact

Vector 3.x
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS v3.1 Severity and Metrics:

Base Score: 5.90 MEDIUM
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): None
Availability (A): None

Base Score 3.x
5.90
Severity 3.x
MEDIUM
Vector 2.0
AV:N/AC:M/Au:N/C:P/I:N/A:N CVSS v2.0 Severity and Metrics:

Base Score: 4.30 MEDIUM
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Attack Vector (AV): Network
Attack Complexity (AC): Medium
Authentication (Au): None
Confidentiality (C): Physical
Integrity (I): None
Availability (A): None

Base Score 2.0
4.30
Severity 2.0
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:intel:platform_trust_technology_firmware:*:*:*:*:*:*:*:* 11.0 (including) 11.8.70 (including)
cpe:2.3:o:intel:platform_trust_technology_firmware:*:*:*:*:*:*:*:* 11.10 (including) 11.11.70 (excluding)
cpe:2.3:o:intel:platform_trust_technology_firmware:*:*:*:*:*:*:*:* 11.20 (including) 11.22.70 (excluding)
cpe:2.3:o:intel:platform_trust_technology_firmware:*:*:*:*:*:*:*:* 12.0 (including) 12.0.45 (excluding)
cpe:2.3:o:intel:platform_trust_technology_firmware:*:*:*:*:*:*:*:* 13.0 (including) 13.0.0 (excluding)
cpe:2.3:o:intel:platform_trust_technology_firmware:*:*:*:*:*:*:*:* 14.0.0 (including) 14.0.10 (excluding)
cpe:2.3:o:intel:server_platform_services_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:intel:server_platform_services_firmware:*:*:*:*:*:*:*:* sps_e3_04.01.00.000.0 (including) sps_e3_04.01.04.086.0 (excluding)
cpe:2.3:o:intel:server_platform_services_firmware:*:*:*:*:*:*:*:* sps_e5_04.00.00.000.0 (including) sps_e5_04.01.04.305.0 (excluding)
cpe:2.3:o:intel:server_platform_services_firmware:*:*:*:*:*:*:*:* sps_soc-a_04.00.00.000.0 (including) sps_soc-a_04.00.04.191.0 (excluding)
cpe:2.3:o:intel:server_platform_services_firmware:*:*:*:*:*:*:*:* sps_soc-x_04.00.00.000.0 (including) sps_soc-x_04.00.04.108.0 (excluding)
cpe:2.3:o:intel:trusted_execution_engine_firmware:*:*:*:*:*:*:*:* 3.0 (including) 3.1.70 (excluding)
cpe:2.3:o:intel:trusted_execution_engine_firmware:*:*:*:*:*:*:*:* 4.0 (including) 4.0.20 (excluding)

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools