Intel® Thunderbolt™ non-DCH Driver for Windows Advisory

Summary:

A potential security vulnerability in the Intel® Thunderbolt™ non-DCH (Declarative Componentized Hardware) driver for Windows may allow escalation of privilege. Intel is releasing software updates and prescriptive guidance to mitigate this potential vulnerability.

Vulnerability Details:

CVEID: CVE-2020-8741

Description: Improper permissions in the installer for the Intel® Thunderbolt™ non-DCH driver, all versions, for Windows may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Affected Products:

Intel® Thunderbolt™ non-DCH Driver, all versions, for Windows.

Recommendations:

Intel has issued a Product Discontinuation notice for the Intel® Thunderbolt™ non-DCH driver for Windows. To retain support for existing devices, Intel recommends that users of Intel® Thunderbolt™ non-DCH driver for Windows update to the latest version provided by the system manufacturer.

For affected Intel® NUC Products, Intel recommends updating to the versions below:

· Thunderbolt 3 Firmware Update Tool for NUC6i7KYK (version 38)

· Thunderbolt 3 Firmware Update Tool for NUC6i7KYK (version 27)

· Thunderbolt 3 Firmware Update Tool for NUC6i7KYK (version 46)

· Thunderbolt 3 Firmware Update Tool for NUC7i7BN and NUC7i5BN

· Thunderbolt 3 Firmware Update Tool for NUC8i7HNK, NUC8i7HVK

· Thunderbolt 3 Firmware Update Tool for Intel® NUC 9 Extreme Laptop Kits

· Thunderbolt 3 Firmware Update Tool for NUC10ixFN

· Thunderbolt 3 Firmware Update Tool for the Intel® NUC8ixBE and NUC7ixBN

· Thunderbolt 3 Firmware Update Tool for NUC8vPN

· Thunderbolt 3 Firmware Update Tool for NUC9QN

· Thunderbolt 3 Driver for Windows® Server 2016* for NUC6i7KYK, NUC8i7HNK, NUC8i7HVK

· Thunderbolt 3 Legacy Driver for Windows® 10 for Intel® NUC

· Thunderbolt 3 DCH Driver for Intel® NUC 9 Extreme Laptop Kits

· Thunderbolt 3 DCH Driver for NUC11TN

· Thunderbolt 3 and 4 DCH Driver for Windows® 10 for Intel® NUC

Acknowledgements:

Intel would like to thank Chen Erlich & Zhiniang Peng (@edwardzpeng) for reporting this issue.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.