Multiple vulnerabilities in Intel Security Library
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2021-0133 CVE-2021-0132 CVE-2021-0131 CVE-2021-0134 |
| CWE-ID | CWE-287 CWE-404 CWE-310 CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
3rd Generation Intel Xeon Scalable Processors Hardware solutions / Firmware 2nd Generation Intel Xeon Scalable Processors Hardware solutions / Firmware 1st Generation Intel Xeon Scalable processor Hardware solutions / Firmware Intel Xeon W processor 3200 series Hardware solutions / Firmware Intel Xeon W processor 3100 series Hardware solutions / Firmware Intel Security Library Other software / Other software solutions |
| Vendor | Intel |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Improper Authentication
EUVDB-ID: #VU54146
Risk: Medium
CVSSv4.0: 4.1 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-0133
CWE-ID:
CWE-287 - Improper Authentication
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to key exchange without entity authentication. A remote authenticated attacker can bypass authentication process and gain elevated privileges on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versions3rd Generation Intel Xeon Scalable Processors: All versions
2nd Generation Intel Xeon Scalable Processors: All versions
1st Generation Intel Xeon Scalable processor: All versions
Intel Xeon W processor 3200 series: All versions
Intel Xeon W processor 3100 series: All versions
Intel Security Library: before 3.3
CPE2.3- cpe:2.3:h:intel:3rd_generation_intel_xeon_scalable_processors:*:*:*:*:*:*:*:*
- cpe:2.3:h:intel:2nd_generation_intel_xeon_scalable_processors:*:*:*:*:*:*:*:*
- cpe:2.3:h:intel:1st_generation_intel_xeon_scalable_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:intel:intel_xeon_w_processor_3200_series:*:*:*:*:*:*:*:*
- cpe:2.3:h:intel:intel_xeon_w_processor_3100_series:*:*:*:*:*:*:*:*
- cpe:2.3:a:intel:intel_security_library:*:*:*:*:*:*:*:*
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00521.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper Resource Shutdown or Release
EUVDB-ID: #VU54147
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-0132
CWE-ID:
CWE-404 - Improper Resource Shutdown or Release
Exploit availability: No
DescriptionThe vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to missing release of resource after effective lifetime in an API. A remote administrator can cause a denial of service condition on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versions3rd Generation Intel Xeon Scalable Processors: All versions
2nd Generation Intel Xeon Scalable Processors: All versions
1st Generation Intel Xeon Scalable processor: All versions
Intel Xeon W processor 3200 series: All versions
Intel Xeon W processor 3100 series: All versions
Intel Security Library: before 3.3
CPE2.3- cpe:2.3:h:intel:3rd_generation_intel_xeon_scalable_processors:*:*:*:*:*:*:*:*
- cpe:2.3:h:intel:2nd_generation_intel_xeon_scalable_processors:*:*:*:*:*:*:*:*
- cpe:2.3:h:intel:1st_generation_intel_xeon_scalable_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:intel:intel_xeon_w_processor_3200_series:*:*:*:*:*:*:*:*
- cpe:2.3:h:intel:intel_xeon_w_processor_3100_series:*:*:*:*:*:*:*:*
- cpe:2.3:a:intel:intel_security_library:*:*:*:*:*:*:*:*
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00521.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Cryptographic issues
EUVDB-ID: #VU54148
Risk: Medium
CVSSv4.0: 1.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-0131
CWE-ID:
CWE-310 - Cryptographic Issues
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to use of cryptographically weak pseudo-random number generator (PRNG) in an API. A remote authenticated attacker can gain unauthorized access to sensitive information on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versions3rd Generation Intel Xeon Scalable Processors: All versions
2nd Generation Intel Xeon Scalable Processors: All versions
1st Generation Intel Xeon Scalable processor: All versions
Intel Xeon W processor 3200 series: All versions
Intel Xeon W processor 3100 series: All versions
Intel Security Library: before 3.3
CPE2.3- cpe:2.3:h:intel:3rd_generation_intel_xeon_scalable_processors:*:*:*:*:*:*:*:*
- cpe:2.3:h:intel:2nd_generation_intel_xeon_scalable_processors:*:*:*:*:*:*:*:*
- cpe:2.3:h:intel:1st_generation_intel_xeon_scalable_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:intel:intel_xeon_w_processor_3200_series:*:*:*:*:*:*:*:*
- cpe:2.3:h:intel:intel_xeon_w_processor_3100_series:*:*:*:*:*:*:*:*
- cpe:2.3:a:intel:intel_security_library:*:*:*:*:*:*:*:*
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00521.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Input validation error
EUVDB-ID: #VU54149
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-0134
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in an API. A remote administrator can pass specially crafted input to the application and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's website.
Vulnerable software versions3rd Generation Intel Xeon Scalable Processors: All versions
2nd Generation Intel Xeon Scalable Processors: All versions
1st Generation Intel Xeon Scalable processor: All versions
Intel Xeon W processor 3200 series: All versions
Intel Xeon W processor 3100 series: All versions
Intel Security Library: before 3.3
CPE2.3- cpe:2.3:h:intel:3rd_generation_intel_xeon_scalable_processors:*:*:*:*:*:*:*:*
- cpe:2.3:h:intel:2nd_generation_intel_xeon_scalable_processors:*:*:*:*:*:*:*:*
- cpe:2.3:h:intel:1st_generation_intel_xeon_scalable_processor:*:*:*:*:*:*:*:*
- cpe:2.3:h:intel:intel_xeon_w_processor_3200_series:*:*:*:*:*:*:*:*
- cpe:2.3:h:intel:intel_xeon_w_processor_3100_series:*:*:*:*:*:*:*:*
- cpe:2.3:a:intel:intel_security_library:*:*:*:*:*:*:*:*
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00521.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
