Information disclosure in Intel Integrated Performance Primitives Cryptography Library
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2018-3617 |
| CWE-ID | CWE-208 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software |
Intel Integrated Performance Primitives Universal components / Libraries / Libraries used by multiple products |
| Vendor | Intel |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Timing attack
EUVDB-ID: #VU12603
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-3617
CWE-ID:
CWE-208 - Information Exposure Through Timing Discrepancy
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to obtain potentially sensitive information on the target system.
The weakness exists due to improper enforcement of constant-time execution during cryptographic operations. A local attacker can access the system, perform timing attacks and gain access to potentially sensitive information.
Update to version 2018 U2.1.
Vulnerable software versionsIntel Integrated Performance Primitives: 3.0 - 9.0
CPE2.3- cpe:2.3:a:intel:intel_integrated_performance_primitives:3.0:*:*:*:*:*:*:*
- cpe:2.3:a:intel:intel_integrated_performance_primitives:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:intel:intel_integrated_performance_primitives:4.1:*:*:*:*:*:*:*
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00106.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
