[AMD, INTEL, NVIDIA] Security Bulletin November 11, 2020

Published: 11th Nov 2020, 09:51 GMT

AMD Security Bulletin

RAPL (CVE-2020-12912)

In a paper titled “Software-based Power Side Channel Attacks on AMD”, researchers from Graz University describe a differential power analysis method that uses the Linux-based Running Average Power Limit (RAPL) interface to demonstrate various side-channel attacks.

In line with industry partners, AMD has updated the RAPL interface to require privileged access. The change is in the process of being integrated into Linux distributions. [link]
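A check for the mitigation described above, as an added example (not AMD's code and not part of the bulletin): it lists energy counter files that users other than the owner can still read. The sysfs glob patterns, the function names and the sample tree are assumptions made for illustration.

```python
import glob
import os
import stat
import tempfile

# Assumed sysfs locations of energy counters (not named in the bulletin).
PATTERNS = (
    "class/powercap/*/energy_uj",        # powercap RAPL zones
    "class/hwmon/hwmon*/energy*_input",  # hwmon energy sensors
)

def exposed_energy_counters(sysfs_root="/sys"):
    """Return (path, mode) for counters readable by group or other."""
    exposed = []
    for pattern in PATTERNS:
        for path in sorted(glob.glob(os.path.join(sysfs_root, pattern))):
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & (stat.S_IRGRP | stat.S_IROTH):
                exposed.append((path, oct(mode)))
    return exposed

def make_sample_tree(root):
    """Build a constructed sysfs-like tree: one restricted, two open counters."""
    samples = {
        "class/powercap/intel-rapl:0/energy_uj": 0o400,  # owner-only
        "class/powercap/intel-rapl:1/energy_uj": 0o444,  # world-readable
        "class/hwmon/hwmon2/energy1_input": 0o444,       # world-readable
        "class/hwmon/hwmon2/temp1_input": 0o444,         # not an energy counter
    }
    for rel, mode in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("0\n")
        os.chmod(path, mode)

if __name__ == "__main__":
    # Demo on the constructed tree; on a real host call
    # exposed_energy_counters() with the default root instead.
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(tmp)
        for path, mode in exposed_energy_counters(tmp):
            print("readable without privilege:", os.path.relpath(path, tmp), mode)
```

An empty result on a patched host means every matched counter is restricted to its owner; any path returned is still readable by unprivileged processes.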

TPM Vulnerability – Non orderly shutdown failed tries (CVE-2020-12926)

AMD was notified by the Trusted Computing Group (TCG) that its Trusted Platform Modules (TPM) reference software may not properly track the number of times a failed shutdown happens. This can leave the TPM in a state where confidential key material in the TPM may be able to be compromised. AMD believes that the attack requires physical access to the device because the power must be repeatedly turned on and off. This potential attack may be used to change confidential information, alter executables signed by key material in the TPM, or create a denial of service of the device.

AMD has provided mitigations to motherboard vendors. [link]

Privilege Escalation in atillk64.sys (CVE-2020-12927)

A researcher (h0mbre pwner) notified AMD of a potential vulnerability in a driver created with the AMD VBIOS Flash Tool Software Development Kit (SDK). The disclosed vulnerability may allow low-privileged users to escalate to administrator privileges on Windows. The potential vulnerability is in the AMD VBIOS Flash Tool Software Development Kit (SDK) used by customers to create drivers. AMD has provided mitigations in the AMD VBIOS Flash Tool Software Development Kit (SDK) 3.12. [link]

INTEL Security Bulletin

| Advisories | Advisory Number | Updated | Release Date |
|---|---|---|---|
| Intel® DSA Advisory | INTEL-SA-00449 | November 10, 2020 | November 10, 2020 |
| Intel® Board ID Tool Advisory | INTEL-SA-00447 | November 10, 2020 | November 10, 2020 |
| Intel® Quartus® Prime Advisory | INTEL-SA-00446 | November 10, 2020 | November 10, 2020 |
| Intel® Server Board S2600ST & S2600WF Advisory | INTEL-SA-00439 | November 10, 2020 | November 10, 2020 |
| Intel® Battery Life Diagnostic Tool Advisory | INTEL-SA-00431 | November 10, 2020 | November 10, 2020 |
| Intel® Data Center Manager Console Advisory | INTEL-SA-00430 | November 10, 2020 | November 10, 2020 |
| Intel® XTU Advisory | INTEL-SA-00429 | November 10, 2020 | November 10, 2020 |
| Intel CSI2 Host Controller Advisory | INTEL-SA-00427 | November 10, 2020 | November 10, 2020 |
| Open WebRTC Toolkit Advisory | INTEL-SA-00424 | November 10, 2020 | November 10, 2020 |
| Intel® VTune™ Profiler Advisory | INTEL-SA-00423 | November 10, 2020 | November 10, 2020 |
| Intel® Thunderbolt™ DCH Drivers for Windows* Advisory | INTEL-SA-00422 | November 10, 2020 | November 10, 2020 |
| Intel® HID Event Filter Driver Advisory | INTEL-SA-00421 | November 10, 2020 | November 10, 2020 |
| Intel® QAT for Linux Advisory | INTEL-SA-00420 | November 10, 2020 | November 10, 2020 |
| Intel® Processor Identification Utility Advisory | INTEL-SA-00419 | November 10, 2020 | November 10, 2020 |
| Intel Unite® Cloud Service Client Advisory | INTEL-SA-00418 | November 10, 2020 | November 10, 2020 |
| Intel® Advisor tools Advisory | INTEL-SA-00417 | November 10, 2020 | November 10, 2020 |
| Intel® Falcon 8+ UAS AscTec Thermal Viewer Advisory | INTEL-SA-00416 | November 10, 2020 | November 10, 2020 |
| Intel® ADAS IE Advisory | INTEL-SA-00415 | November 10, 2020 | November 10, 2020 |
| Intel® NUC Firmware Advisory | INTEL-SA-00414 | November 10, 2020 | November 10, 2020 |
| Intel® SCS Add-on for Microsoft* Advisory | INTEL-SA-00413 | November 10, 2020 | November 10, 2020 |
| Intel® EMA Advisory | INTEL-SA-00412 | November 10, 2020 | November 10, 2020 |
| Intel® Computing Improvement Program Advisory | INTEL-SA-00410 | November 10, 2020 | November 10, 2020 |
| Intel® High Definition Audio Advisory | INTEL-SA-00409 | November 10, 2020 | November 10, 2020 |
| Intel® RealSense™ D400 Series Dynamic Calibration Tool Advisory | INTEL-SA-00408 | November 10, 2020 | November 10, 2020 |
| Intel® Wireless Bluetooth® Advisory | INTEL-SA-00403 | November 10, 2020 | November 10, 2020 |
| Intel® PROSet/Wireless WiFi Software Advisory | INTEL-SA-00402 | November 10, 2020 | November 10, 2020 |
| Intel® 50GbE IP Core for Intel® Quartus Prime Advisory | INTEL-SA-00400 | November 10, 2020 | November 10, 2020 |
| Intel® SGX DCAP Software Advisory | INTEL-SA-00398 | November 10, 2020 | November 10, 2020 |
| 2020.2 IPU – Intel® CSME, SPS, TXE, and AMT Advisory | INTEL-SA-00391 | November 10, 2020 | November 10, 2020 |
| Intel BIOS Platform Sample Code Advisory | INTEL-SA-00390 | November 10, 2020 | November 10, 2020 |
| 2020.2 IPU – Intel® RAPL Interface Advisory | INTEL-SA-00389 | November 10, 2020 | November 10, 2020 |
| Intel® Stratix® 10 FPGA SDM for Intel® Quartus® Prime Pro Advisory | INTEL-SA-00388 | November 10, 2020 | November 10, 2020 |
| 2020.2 IPU – Intel® Processor Advisory | INTEL-SA-00381 | November 10, 2020 | November 10, 2020 |
| Intel® Ethernet 700 Series Controller Advisory | INTEL-SA-00380 | November 10, 2020 | November 10, 2020 |
| Intel® Visual Compute Accelerator 2 Advisory | INTEL-SA-00368 | November 10, 2020 | November 10, 2020 |
| Intel® SSD Advisory | INTEL-SA-00362 | November 10, 2020 | November 10, 2020 |
| Intel® PMC Advisory | INTEL-SA-00360 | November 10, 2020 | November 10, 2020 |
| 2020.2 IPU – BIOS Advisory | INTEL-SA-00358 | November 10, 2020 | November 10, 2020 |
| Intel Unite® Client Advisory | INTEL-SA-00350 | November 10, 2020 | November 10, 2020 |
| Intel® Media SDK for Windows* Advisory | INTEL-SA-00262 | November 10, 2020 | November 10, 2020 |

NVIDIA Security Bulletin

Security Bulletin: NVIDIA GeForce NOW – November 2020

Updated 11/10/2020 03:30 PM

NVIDIA has released a software update for NVIDIA® GeForce NOW™ application software on Windows. This update addresses a security issue that may lead to code execution or escalation of privileges.

To protect your system, open the GeForce NOW application to automatically download the update and follow the instructions for applying it. Alternatively, this update can be installed manually by following these instructions.

Go to NVIDIA Product Security.

Details

This section summarizes the potential impact that this security update addresses. Descriptions use CWE™, and base scores and vectors use CVSS V3.1 standards.

| CVE IDs | Description | Base Score | Vector |
|---|---|---|---|
| CVE‑2020‑5992 | NVIDIA GeForce NOW application software on Windows contains a vulnerability in its open-source software dependency in which the OpenSSL library is vulnerable to binary planting attacks by a local user, which may lead to code execution or escalation of privileges. | 7.3 | AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |

The NVIDIA risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk to your local installation. NVIDIA recommends consulting a security or IT professional to evaluate the risk to your specific configuration.

Security Updates

The following table lists the NVIDIA software products affected, versions affected, and the updated version that includes this security update.

To protect your system, open the GeForce NOW application to automatically download the security update and follow the instructions for applying it. Alternatively, this update can be installed manually by following these instructions.

| CVE ID Addressed | Software Product | Operating System | Affected Versions | Updated Version |
|---|---|---|---|---|
| CVE‑2020‑5992 | GeForce NOW Application | Windows | All versions prior to 2.0.25.119 | 2.0.25.119 |

Mitigations

None. See Security Updates for the version to install.

Acknowledgements

NVIDIA thanks the following individual for reporting the issue:

  • CVE‑2020‑5992: Hou JingYi (@hjy79425575) of Qihoo 360 CERT


