CVE-2020-8745

moderate-risk
Published 2020-11-12

Insufficient control flow management in subsystem for Intel(R) CSME versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70, 13.0.40, 13.30.10, 14.0.45 and 14.5.25 , Intel(R) TXE versions before 3.1.80 and 4.0.30 may allow an unauthenticated user to potentially enable escalation of privilege via physical access.

Do I need to act?

-
0.65% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.8/10 Medium
PHYSICAL / LOW complexity

Affected Products (20)

Converged Security And Manageability Engine
Trusted Execution Technology
Simatic Drive Controller Firmware
Simatic Et200Sp 1515Sp Pc2 Firmware
Simatic Field Pg M6 Firmware
Simatic Ipc127E Firmware
Simatic Ipc527G Firmware
Simatic Ipc627E Firmware
Simatic Ipc647E Firmware
Simatic Ipc667E Firmware
Simatic Ipc847E Firmware
Sinumerik 828D Hw Pu.4 Firmware
Sinumerik Mc Mcu 1720 Firmware
Sinumerik One Firmware
Sinumerik 840D Sl Ht 10 Firmware

Affected Vendors

Siemens Intel

References (8)

Patch https://cert-portal.siemens.com/productcert/pdf/ssa-678983.pdf
Third Party Advisory https://security.netapp.com/advisory/ntap-20201113-0002/
Third Party Advisory https://security.netapp.com/advisory/ntap-20201113-0005/
Vendor Advisory https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00391
Patch https://cert-portal.siemens.com/productcert/pdf/ssa-678983.pdf
Third Party Advisory https://security.netapp.com/advisory/ntap-20201113-0002/
Third Party Advisory https://security.netapp.com/advisory/ntap-20201113-0005/
Vendor Advisory https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00391
44
/ 100
moderate-risk
Severity 22/34 · High
Exploitability 2/34 · Minimal
Exposure 20/34 · Moderate