Converged Security And Manageability Engine
CVE-2020-12303
HIGH
Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
Use after free in DAL subsystem for Intel(R) CSME versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70, 13.0.40, 13.30.10, 14.0.45 and 14.5.25, Intel(R) TXE 3.1.80, 4.0.30 may allow an authenticated user to potentially enable escalation of privileges via local access.
AnalysisAI
Use after free in DAL subsystem for Intel(R) CSME versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70, 13.0.40, 13.30.10, 14.0.45 and 14.5.25, Intel(R) TXE 3.1.80, 4.0.30 may allow an authenticated. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Use After Free (CWE-416), which allows attackers to access freed memory to execute arbitrary code or crash the application. Use after free in DAL subsystem for Intel(R) CSME versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70, 13.0.40, 13.30.10, 14.0.45 and 14.5.25, Intel(R) TXE 3.1.80, 4.0.30 may allow an authenticated user to potentially enable escalation of privileges via local access. Affected products include: Intel Converged Security And Manageability Engine, Intel Trusted Execution Technology. Version information: before 11.8.80.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Use smart pointers or garbage-collected languages. Set pointers to NULL after freeing. Enable memory sanitizers.
Improper access control in Installer for Intel(R) CSME Driver for Windows versions before 11.8.80, 11.12.80, 11.22.80, 1
Insufficient control flow management in subsystem for Intel(R) CSME versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70
Insecure default initialization of resource in Intel(R) Boot Guard in Intel(R) CSME versions before 11.8.80, 11.12.80, 1
Improper input validation in subsystem for Intel(R) CSME versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70 and 14.0.4
Improper input validation for some Intel(R) PROSet/Wireless WiFi, Intel vPro(R) CSME WiFi and Killer(TM) WiFi products m
Inadequate encryption strength in subsystem for Intel(R) CSME versions before 13.0.40 and 13.30.10 may allow an unauthen
Insufficient control flow management in subsystem for Intel(R) CSME versions before 11.8.80, Intel(R) TXE versions befor
Same weakness CWE-416 – Use After Free
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today