CVE-2018-3643 - OpenCVE

A vulnerability in Power Management Controller firmware in systems using specific Intel(R) Converged Security and Management Engine (CSME) before version 11.8.55, 11.11.55, 11.21.55, 12.0.6 or Intel(R) Server Platform Services firmware before version 4.x.04 may allow an attacker with administrative privileges to uncover certain platform secrets via local access or to potentially execute arbitrary code.

No CVSS v4.0

No CVSS v3.1

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:L/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Intel	Converged Security Management Engine Firmware Server Platform Services Firmware

Configuration 1 [-]

OR	cpe:2.3:o:intel:converged_security_management_engine_firmware::::::::
	cpe:2.3:o:intel:server_platform_services_firmware::::::::

No data.

References

Link	Providers
https://security.netapp.com/advisory/ntap-20180924-0002/
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03873en_us
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00131.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: intel

Published: 2018-09-12T19:00:00Z

Updated: 2024-09-16T23:56:06.333Z

Reserved: 2017-12-28T00:00:00

Link: CVE-2018-3643

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-09-12T19:29:02.557

Modified: 2019-10-03T00:03:26.223

Link: CVE-2018-3643

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Intel(R) Converged Security and Management Engine (CSME) and Intel(R) Server Platform Services firmware", "vendor": "Intel Corporation", "versions": [{"status": "affected", "version": "CSME versions before 12.0.6 or Server Platform Services firmware before version 4.x.04."}]}], "datePublic": "2018-09-11T00:00:00", "descriptions": [{"lang": "en", "value": "A vulnerability in Power Management Controller firmware in systems using specific Intel(R) Converged Security and Management Engine (CSME) before version 11.8.55, 11.11.55, 11.21.55, 12.0.6 or Intel(R) Server Platform Services firmware before version 4.x.04 may allow an attacker with administrative privileges to uncover certain platform secrets via local access or to potentially execute arbitrary code."}], "problemTypes": [{"descriptions": [{"description": "Escalation of Privilege, Information Disclosure", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-12-19T19:57:01", "orgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce", "shortName": "intel"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00131.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03873en_us"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20180924-0002/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secure@intel.com", "DATE_PUBLIC": "2018-09-11T00:00:00", "ID": "CVE-2018-3643", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Intel(R) Converged Security and Management Engine (CSME) and Intel(R) Server Platform Services firmware", "version": {"version_data": [{"version_value": "CSME versions before 12.0.6 or Server Platform Services firmware before version 4.x.04."}]}}]}, "vendor_name": "Intel Corporation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability in Power Management Controller firmware in systems using specific Intel(R) Converged Security and Management Engine (CSME) before version 11.8.55, 11.11.55, 11.21.55, 12.0.6 or Intel(R) Server Platform Services firmware before version 4.x.04 may allow an attacker with administrative privileges to uncover certain platform secrets via local access or to potentially execute arbitrary code."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Escalation of Privilege, Information Disclosure"}]}]}, "references": {"reference_data": [{"name": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00131.html", "refsource": "CONFIRM", "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00131.html"}, {"name": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03873en_us", "refsource": "CONFIRM", "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03873en_us"}, {"name": "https://security.netapp.com/advisory/ntap-20180924-0002/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20180924-0002/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T04:50:30.381Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00131.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03873en_us"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20180924-0002/"}]}]}, "cveMetadata": {"assignerOrgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce", "assignerShortName": "intel", "cveId": "CVE-2018-3643", "datePublished": "2018-09-12T19:00:00Z", "dateReserved": "2017-12-28T00:00:00", "dateUpdated": "2024-09-16T23:56:06.333Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:intel:converged_security_management_engine_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "F57BC123-252D-44BB-AAF0-E90E1B348ED1", "versionEndExcluding": "12.0.6", "vulnerable": true}, {"criteria": "cpe:2.3:o:intel:server_platform_services_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "9C326802-35F4-4B91-8BE3-93A3F5C0BC5A", "versionEndExcluding": "4.00.04", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in Power Management Controller firmware in systems using specific Intel(R) Converged Security and Management Engine (CSME) before version 11.8.55, 11.11.55, 11.21.55, 12.0.6 or Intel(R) Server Platform Services firmware before version 4.x.04 may allow an attacker with administrative privileges to uncover certain platform secrets via local access or to potentially execute arbitrary code."}, {"lang": "es", "value": "Una vulnerabilidad en el firmware Power Management Controller en sistemas que emplean un CSME (Intel\u00ae Converged Security and Management Engine) espec\u00edfico en versiones anteriores a la 11.8.55, 11.11.55, 11.21.55 y la 12.0.6 o firmware Intel\u00ae Server Platform Services en versiones anteriores a la 4.x.04 podr\u00eda permitir que un atacante con privilegios administrativos descubra ciertos secretos de la plataforma mediante acceso local o que pueda ejecutar c\u00f3digo arbitrario."}], "id": "CVE-2018-3643", "lastModified": "2019-10-03T00:03:26.223", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.5, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-09-12T19:29:02.557", "references": [{"source": "secure@intel.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20180924-0002/"}, {"source": "secure@intel.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03873en_us"}, {"source": "secure@intel.com", "tags": ["Vendor Advisory"], "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00131.html"}], "sourceIdentifier": "secure@intel.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}