CVE-2024-39609

Improper Access Control in UEFI firmware for some Intel(R) Server Board M70KLP may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS v3 6.7 MEDIUM

6.7^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01175.html	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:intel:server_board_m70klp2sb_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:intel:server_board_m70klp2sb:-:*:*:*:*:*:*:*

History

19 Nov 2024, 19:58

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~7.5~~	v2 : unknown v3 : 6.7
References	~~() https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01175.html -~~	() https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01175.html - Patch, Vendor Advisory
First Time		Intel Intel server Board M70klp2sb Firmware Intel server Board M70klp2sb
CPE		cpe:2.3:o:intel:server_board_m70klp2sb_firmware:::::::: cpe:2.3:h:intel:server_board_m70klp2sb:-:::::::*

15 Nov 2024, 14:00

Type	Values Removed	Values Added
Summary		(es) Un control de acceso inadecuado en el firmware UEFI para algunos Intel(R) Server Board M70KLP puede permitir que un usuario privilegiado habilite potencialmente la escalada de privilegios a través del acceso local.

13 Nov 2024, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-13 21:15

Updated : 2024-11-19 19:58

NVD link : CVE-2024-39609

Mitre link : CVE-2024-39609

CVE.ORG link : CVE-2024-39609

JSON object : View

Products Affected

intel

server_board_m70klp2sb_firmware
server_board_m70klp2sb

CWE

CWE-284

Improper Access Control

{"id": "CVE-2024-39609", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.8}, {"type": "Secondary", "source": "secure@intel.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 0.8}], "cvssMetricV40": [{"type": "Secondary", "source": "secure@intel.com", "cvssData": {"safety": "NOT_DEFINED", "version": "4.0", "recovery": "NOT_DEFINED", "baseScore": 8.7, "automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "modifiedAttackVector": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subsequentSystemIntegrity": "HIGH", "vulnerableSystemIntegrity": "HIGH", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "confidentialityRequirements": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "subsequentSystemAvailability": "HIGH", "vulnerableSystemAvailability": "HIGH", "subsequentSystemConfidentiality": "HIGH", "vulnerableSystemConfidentiality": "HIGH", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED"}}]}, "published": "2024-11-13T21:15:27.197", "references": [{"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01175.html", "tags": ["Patch", "Vendor Advisory"], "source": "secure@intel.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "secure@intel.com", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "Improper Access Control in UEFI firmware for some Intel(R) Server Board M70KLP may allow a privileged user to potentially enable escalation of privilege via local access."}, {"lang": "es", "value": "Un control de acceso inadecuado en el firmware UEFI para algunos Intel(R) Server Board M70KLP puede permitir que un usuario privilegiado habilite potencialmente la escalada de privilegios a trav\u00e9s del acceso local."}], "lastModified": "2024-11-19T19:58:29.653", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:intel:server_board_m70klp2sb_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6259299E-37EC-48AD-959D-3DE49A61B923", "versionEndExcluding": "01.04.0030"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:intel:server_board_m70klp2sb:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "2C473084-B18C-4307-9733-7B9CE9E2D9C4"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "secure@intel.com"}