Potential security vulnerabilities in some Intel® Server Board Families may allow escalation of privilege.** **Intel is releasing firmware updates to mitigate these potential vulnerabilities.
CVEID: CVE-2020-12300
Description: Uninitialized pointer in BIOS firmware for Intel® Server Board Families S2600CW, S2600KP, S2600TP, and S2600WT may allow a privileged user to potentially enable escalation of privilege via local access.
CVSS Base Score: 7.5 High
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
CVEID: CVE-2020-12301
Description: Improper initialization in BIOS firmware for Intel® Server Board Families S2600ST, S2600BP and S2600WF may allow a privileged user to potentially enable escalation of privilege via local access.
CVSS Base Score: 7.5 High
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
CVEID: CVE-2020-12299__
Description: Improper input validation in BIOS firmware for Intel® Server Board Families S2600ST, S2600BP and S2600WF may allow a privileged user to potentially enable escalation of privilege via local access.
CVSS Base Score: 6.7 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:H/A:L
CVE-2020-12299
· Intel® Server Board S2600ST Family
· Intel® Server Board S2600BP Family
· Intel® Server Board S2600WF Family
CVE-2020-12300
· Intel® Server Board S2600CW Family
· Intel® Server Board S2600KP Family
· Intel® Server Board S2600TP Family
· Intel® Server Board S2600WT Family
CVE-2020-12301
· Intel® Server Board S2600ST Family
· Intel® Server Board S2600BP Family
· Intel® Server Board S2600WF Family
Intel recommends updating to latest BIOS firmware available.
Updates are available for download at these locations:
· Intel® Server Board S2600ST Family
· Intel® Server Board S2600BP Family
· Intel® Server Board S2600WF Family
· Intel® Server Board S2600CW Family
· Intel® Server Board S2600KP Family
· Intel® Server Board S2600TP Family
· Intel® Server Board S2600WT Family
CVE-2020-12300 and CVE-2020-12301 were found externally. CVE-2020-12300 was found internally by Intel employees.
Intel would like to thank Dmitry Frolov CVE-2020-12300, Alexander Ermolov CVE-2020-12301 for reporting these issues.
Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.