A potential security vulnerability in the Intel® Thunderbolt™ non-DCH (Declarative Componentized Hardware) driver for Windows may allow escalation of privilege. Intel is releasing software updates and prescriptive guidance to mitigate this potential vulnerability.
CVEID: CVE-2020-8741
Description: Improper permissions in the installer for the Intel® Thunderbolt™ non-DCH driver, all versions, for Windows may allow an authenticated user to potentially enable escalation of privilege via local access.
CVSS Base Score: 6.7 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Intel® Thunderbolt™ non-DCH Driver, all versions, for Windows.
Intel has issued a Product Discontinuation notice for the Intel® Thunderbolt™ non-DCH driver for Windows. To retain support for existing devices, Intel recommends that users of Intel® Thunderbolt™ non-DCH driver for Windows update to the latest version provided by the system manufacturer.
For affected Intel® NUC Products, Intel recommends updating to the versions below:
· Thunderbolt 3 Firmware Update Tool for NUC6i7KYK (version 38)
· Thunderbolt 3 Firmware Update Tool for NUC6i7KYK (version 27)
· Thunderbolt 3 Firmware Update Tool for NUC6i7KYK (version 46)
· Thunderbolt 3 Firmware Update Tool for NUC7i7BN and NUC7i5BN
· Thunderbolt 3 Firmware Update Tool for NUC8i7HNK, NUC8i7HVK
· Thunderbolt 3 Firmware Update Tool for Intel® NUC 9 Extreme Laptop Kits
· Thunderbolt 3 Firmware Update Tool for NUC10ixFN
· Thunderbolt 3 Firmware Update Tool for the Intel® NUC8ixBE and NUC7ixBN
· Thunderbolt 3 Firmware Update Tool for NUC8vPN
· Thunderbolt 3 Firmware Update Tool for NUC9QN
· Thunderbolt 3 Driver for Windows® Server 2016* for NUC6i7KYK, NUC8i7HNK, NUC8i7HVK
· Thunderbolt 3 Legacy Driver for Windows® 10 for Intel® NUC
· Thunderbolt 3 DCH Driver for Intel® NUC 9 Extreme Laptop Kits
· Thunderbolt 3 DCH Driver for NUC11TN
· Thunderbolt 3 and 4 DCH Driver for Windows® 10 for Intel® NUC
Intel would like to thank Chen Erlich & Zhiniang Peng (@edwardzpeng) for reporting this issue.
Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.