CVE-2018-12173

moderate-risk

Published 2018-10-10

Insufficient access protection in firmware in Intel Server Board, Intel Server System and Intel Compute Module before firmware version 00.01.0014 may allow an unauthenticated attacker to potentially execute arbitrary code resulting in information disclosure, escalation of privilege and/or denial of service via local access.

Do I need to act?

0.04% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.6/10 High

PHYSICAL / LOW complexity

Affected Products (14)

Server Board S2600Bp Firmware

Server Board S2600Wf Firmware

Server Board S2600St Firmware

Server Board S2600Bpr Firmware

Server Board S2600Wfr Firmware

Server Board S2600Str Firmware

Compute Module Hns2600Bp Firmware

Compute Module Hns2600Bpr Firmware

Server System R2000Wf Firmware

Server System R1000Wf Firmware

Server System R1000Wfr Firmware

Server System R2000Wfr Firmware

Server System H2000G Firmware

Server System H2000Gr Firmware

Affected Vendors

Intel

References (4)

http://support.lenovo.com/us/en/solutions/LEN-24799

Vendor Advisory https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00179....

http://support.lenovo.com/us/en/solutions/LEN-24799

Vendor Advisory https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00179....

/ 100

moderate-risk

Severity 24/34 · High

Exploitability 0/34 · Minimal

Exposure 18/34 · Moderate