Potential security vulnerabilities in the Intel® Security Library may allow escalation of privilege, denial of service or information disclosure. Intel is releasing software updates to mitigate these potential vulnerabilities.

CVEID: CVE-2021-0133
Description: Key exchange without entity authentication in the Intel® Security Library before version 3.3 may allow an authenticated user to potentially enable escalation of privilege via network access.
CVSS Base Score: 7.7 High
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

CVEID: CVE-2021-0132
Description: Missing release of resource after effective lifetime in an API for the Intel® Security Library before version 3.3 may allow a privileged user to potentially enable denial of service via network access.
CVSS Base Score: 5.4 Medium
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:N/A:H

CVEID: CVE-2021-0131
Description: Use of cryptographically weak pseudo-random number generator (PRNG) in an API for the Intel® Security Library before version 3.3 may allow an authenticated user to potentially enable information disclosure via network access.
CVSS Base Score: 4.6 Medium
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

CVEID: CVE-2021-0134
Description: Improper input validation in an API for the Intel® Security Library before version 3.3 may allow a privileged user to potentially enable denial of service via network access.
CVSS Base Score: 4.2 Medium
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H

3rd Generation Intel® Xeon® Scalable Processor
2nd Gen Intel® Xeon® Scalable processor
1st Gen Intel® Xeon® Scalable processor
Intel® Xeon® W processor 3200 series
Intel® Xeon® W processor 3100 series
Intel recommends that users of Intel® Security Library update to 3.3 or later.
Updates are available for download at this location: Intel GitHub
The following issues were found internally by Intel employees. Intel would like to thank Ryan Hall and Brent Holtsclaw of the DCG Red Team.
Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.