Intel Has Fix for Data Center Manager SDK Holes

Tuesday, February 19, 2019 @ 04:02 PM gHale

Intel has an update available to handle multiple vulnerabilities in its Data Center Manager SDK, according to a report from NCCIC.

The remotely exploitable vulnerabilities include improper authentication, protection mechanism failure, permission issues, key management errors, and insufficient control flow management. Intel’s Product Security Incident Response Team reported these vulnerabilities.

Successful exploitation of these vulnerabilities may allow escalation of privilege, denial of service, or information disclosure.

The issues affect Intel Data Center Manager SDK, a software development kit, in versions prior to Version 5.0.2.

In one vulnerability, insufficient session authentication may allow an unauthenticated user to enable escalation of privilege via network access.

CVE-2019-0102 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.8.

In addition, insufficient file protection in the install routine may allow an authenticated user to enable information disclosure via local access.

CVE-2019-0103 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.5.

Also, insufficient file protection in the uninstall routine may allow an authenticated user to enable information disclosure via local access.

CVE-2019-0104 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.5.

Moreover, insufficient file permissions checking in the install routine may allow an authenticated user to enable escalation of privilege via local access.

CVE-2019-0105 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.7.

In addition, insufficient run protection in the install routine may allow a privileged user to enable escalation of privilege via local access.

CVE-2019-0106 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.0.

Also, insufficient user prompt in the install routine may allow a privileged user to enable escalation of privilege via local access.

CVE-2019-0107 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.2.

In addition, improper file permissions may allow an authenticated user to enable disclosure of information via local access.

CVE-2019-0108 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 3.3.

Also, improper folder permissions may allow an authenticated user to enable disclosure of information via local access.

CVE-2019-0109 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.

Moreover, insufficient key management may allow an authenticated user to enable information disclosure via local access.

CVE-2019-0110 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.1.

In addition, improper file permissions may allow an authenticated user to enable information disclosure via local access.

CVE-2019-0111 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 3.8.

Finally, improper flow control in crypto routines may allow a privileged user to enable a denial of service via local access.

CVE-2019-0112 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 4.0.

The product is used mainly in the information technology sector and is deployed on a global basis.

No known public exploits specifically target these vulnerabilities. However, an attacker with a low skill level could leverage the vulnerabilities.

Intel recommends affected users contact an Intel Data Center Manager SDK reseller for the Version 5.0.2 update. Click here for a list of resellers.

For more information, see Intel security advisory INTEL-SA-00215.


