Synology-SA-17:73 Intel TXE and ME
Publish Time: 2017-11-22 18:23:20 UTC+8
Last Updated: 2021-04-19 14:23:40 UTC+8
- Severity
- Moderate
- Status
- Resolved
Abstract
Multiple security vulnerabilities have been found in Intel Trusted Execution Technology (TXE) and Intel Manageability Engine (ME). These vulnerabilities may allow local attackers to execute arbitrary code causing a denial-of-service attack or obtain sensitive information from a vulnerable version of Synology DiskStation Manager (DSM).
Administrative privilege is required for these vulnerabilities to be exploited. Therefore, Synology has evaluated this issue to be of moderate severity.
Severity
- CVE-2017-5705
- Impact: Important
- CVSS3 Base Score: 8.2
- CVSS3 Base Metrics: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
- CVE-2017-5706
- Impact: Not Affected
- CVE-2017-5707
- Impact: Important
- CVSS3 Base Score: 8.2
- CVSS3 Base Metrics: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
- CVE-2017-5708
- Impact: Important
- CVSS3 Base Score: 7.5
- CVSS3 Base Metrics: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
- CVE-2017-5709
- Impact: Not Affected
- CVE-2017-5710
- Impact: Important
- CVSS3 Base Score: 7.5
- CVSS3 Base Metrics: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
- CVE-2017-5711
- Impact: Moderate
- CVSS3 Base Score: 6.7
- CVSS3 Base Metrics: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- CVE-2017-5712
- Impact: Important
- CVSS3 Base Score: 7.2
- CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Affected
Products
- DSM 6.1
Models
- Plus Series
- 18-Series
- DS918+, DS718+, DS218+
- 18-Series
- Value Series
- 18-Series
- DS418play
- 18-Series
- Plus Series
Description
- CVE-2017-5705
Multiple buffer overflows in kernel in Intel Manageability Engine Firmware 11.0/11.5/11.6/11.7/11.10/11.20 allow attacker with local access to the system to execute arbitrary code. - CVE-2017-5706
Multiple buffer overflows in kernel in Intel Server Platform Services Firmware 4.0 allow attacker with local access to the system to execute arbitrary code. - CVE-2017-5707
Multiple buffer overflows in kernel in Intel Trusted Execution Engine Firmware 3.0 allow attacker with local access to the system to execute arbitrary code. - CVE-2017-5708
Multiple privilege escalations in kernel in Intel Manageability Engine Firmware 11.0/11.5/11.6/11.7/11.10/11.20 allow unauthorized process to access privileged content via unspecified vector. - CVE-2017-5709
Multiple privilege escalations in kernel in Intel Server Platform Services Firmware 4.0 allows unauthorized process to access privileged content via unspecified vector. - CVE-2017-5710
Multiple privilege escalations in kernel in Intel Trusted Execution Engine Firmware 3.0 allows unauthorized process to access privileged content via unspecified vector. - CVE-2017-5711
Multiple buffer overflows in Active Management Technology (AMT) in Intel Manageability Engine Firmware 8.x/9.x/10.x/11.0/11.5/11.6/11.7/11.10/11.20 allow attacker with local access to the system to execute arbitrary code with AMT execution privilege. - CVE-2017-5712
Buffer overflow in Active Management Technology (AMT) in Intel Manageability Engine Firmware 8.x/9.x/10.x/11.0/11.5/11.6/11.7/11.10/11.20 allows attacker with remote Admin access to the system to execute arbitrary code with AMT execution privilege.
Mitigation
None
Update Availability
Synology will release the updates for affected products.
Reference
- INTEL-SA-00086
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5705
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5706
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5707
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5708
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5709
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5710
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5711
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5712