Potential security vulnerabilities in firmware for some Intel® Ethernet controllers may allow denial of service or escalation of privilege. Intel is releasing firmware updates to mitigate these potential vulnerabilities.
CVEID: CVE-2021-0200
Description: Out-of-bounds write in the firmware for Intel® Ethernet 700 Series Controllers before version 8.2 may allow a privileged user to potentially enable an escalation of privilege via local access.
CVSS Base Score: 6.0 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
CVEID: CVE-2021-0197
Description: Protection mechanism failure in the firmware for the Intel® Ethernet Network Controller E810 before version 1.5.5.6 may allow a privileged user to cause a denial of service via local access.
CVSS Base Score: 5.1 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H****
CVEID: CVE-2021-0198
Description: Improper access control in the firmware for the Intel® Ethernet Network Controller E810 before version 1.5.5.6 may allow a privileged user to potentially enable a denial of service via local access.
CVSS Base Score: 4.7 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H****
CVEID: CVE-2021-0199
Description: Improper input validation in the firmware for the Intel® Ethernet Network Controller E810 before version 1.6.0.6 may allow a privileged user to potentially enable a denial of service via local access.
CVSS Base Score: 3.4 Low
CVSS Vector:CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L****
700-series Ethernet Adapters - Firmware versions as reported by the device, corresponding to the release are:
810-series Ethernet Adapters - Firmware versions as reported by the device, corresponding to the release versions in the CVEs are:
Intel recommends updating the above Intel® Ethernet Controller firmware to the latest versions.
Updates are available for download at this location: <https://downloadcenter.intel.com/product/36773/Ethernet-Products>
These issues were found internally by Intel employees.
Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.