SB2024052131 - Multiple vulnerabilities in Intel Power Gadget Software

Description

This security bulletin contains information about 11 secuirty vulnerabilities.

1) Improper access control (CVE-ID: CVE-2023-45217)

The vulnerability allows a local user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A local user can bypass implemented security restrictions and gain elevated privileges on the system.

2) Improper access control (CVE-ID: CVE-2023-40070)

The vulnerability allows a local user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A local user can bypass implemented security restrictions and gain elevated privileges on the system.

3) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-46689)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper neutralization, which leads to security restrictions bypass and privilege escalation.

4) Buffer overflow (CVE-ID: CVE-2023-38581)

The vulnerability allows a local user to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A local user can trigger memory corruption and execute arbitrary code on the target system with elevated privileges.

5) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-42773)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper neutralization, which leads to security restrictions bypass and privilege escalation.

6) Use-after-free (CVE-ID: CVE-2023-46691)

The vulnerability allows a local user to compromise vulnerable system.

The vulnerability exists due to a use-after-free error. A local user can gain elevated privileges on the system.

7) Insecure Inherited Permissions (CVE-ID: CVE-2023-45736)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to insecure inherited permissions, which leads to security restrictions bypass and privilege escalation.

8) Incomplete cleanup (CVE-ID: CVE-2023-45846)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to incomplete cleanup. A local user can cause a denial of service condition on the target system.

9) Input validation error (CVE-ID: CVE-2023-45315)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper initialization. A local user can pass specially crafted input to the application and perform a denial of service (DoS) attack.

10) NULL pointer dereference (CVE-ID: CVE-2023-41234)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error. A local user can pass specially crafted data to the application and perform a denial of service (DoS) attack.

11) Information disclosure (CVE-ID: CVE-2023-38420)

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to improper conditions check. A local user can gain unauthorized access to sensitive information on the system.

Remediation

Install update from vendor's website.

References

• https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01037.html