Potential security vulnerabilities in Intel BIOS platform sample code for some Intel® Processors may allow escalation of privilege. Intel is releasing BIOS platform sample code updates to mitigate these potential vulnerabilities.
CVEID: CVE-2020-8764
Description: Improper access control in BIOS firmware for some Intel® Processors may allow a privileged user to potentially enable escalation of privilege via local access.
CVSS Base Score: 8.2 High
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVEID: CVE-2020-8738
Description: Improper conditions check in Intel BIOS platform sample code for some Intel® Processors before may allow a privileged user to potentially enable escalation of privilege via local access.
CVSS Base Score: 7.5 High
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
CVEID: CVE-2020-8740
Description: Out of bounds write in Intel BIOS platform sample code for some Intel® Processors may allow a privileged user to potentially enable escalation of privilege via local access.
CVSS Base Score: 6.7 Medium
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:H/A:L
CVEID: CVE-2020-8739
Description: Use of potentially dangerous function in Intel BIOS platform sample code for some Intel® Processors may allow an authenticated user to potentially enable escalation of privilege via local access.
CVSS Base Score: 4.6 Medium
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:L
2nd Generation Intel® Xeon® Scalable Processors, Intel® Core™ X-series Processors, Intel® Xeon® Processor W Family and Intel® Xeon® Scalable Processors
Intel® Xeon® Processor D Family, Intel® Xeon® Processor E7 v4 Family and Intel® Xeon® Processor E5 v3 Family, Intel® Xeon® Processor E5 v4 Family
Intel® Xeon® Processor D Family
Intel® Xeon® Processor E7 v3 Family
Intel® Atom® Processor C3XXX
Intel recommends that users of the affected products update to the latest BIOS firmware provided by the system manufacturer that addresses these issues.
Intel would like to thank Dmitry Frolov (CVE-2020-8738) for reporting this issue.
The following issues were found internally by Intel: CVE-2020-8739 and CVE-2020-8764. Intel would like to thank Brent Holtsclaw for CVE-2020-8740.
Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.