As the BSI reports, vulnerabilities have been identified for the Intel Graphics Driver. You can read here on news.de which systems and products are affected by the security gaps.
The Federal Office for Security in der Informationstechnik (BSI) published an update on April 3rd, 2023 to a vulnerability with several vulnerabilities for Intel Graphics Driver that became known on February 10th, 2021. The operating systems BIOS/firmware and Appliance as well as the products Avaya one-X, Open Source CentOS, Debian Linux, Red Hat Enterprise Linux, SUSE Linux, Oracle Linux, Dell Computer, Lenovo Computer, Intel Graphics Driver, Avaya Aura are affected by the vulnerability Communication Manager, Avaya Aura Session Manager, Avaya Aura Application Enablement Services, Avaya Aura System Manager, Avaya Aura Experience Portal, Avaya Session Border Controller, Avaya Breeze Platform and Avaya Web License Manager.
The latest manufacturer recommendations regarding updates, workarounds and security patches for this vulnerability can be found here: Debian Security Advisory DLA-3380 (Status: 01.04.2023). Other useful sources are listed later in this article.
Multiple Intel Graphics Driver vulnerabilities – risk: high
Risk level: 5 (high)
CVSS Base Score: 8,8
CVSS Temporal Score: 7,7
Remote Attack: No
The Common Vulnerability Scoring System (CVSS) is used to assess the severity of security vulnerabilities in computer systems. The CVSS standard makes it possible to compare potential or actual security vulnerabilities based on various criteria in order to create a priority list based on this for initiating countermeasures. The attributes “none”, “low”, “medium”, “high” and “critical” are used for the severity of a vulnerability. The base score assesses the prerequisites for an attack (including authentication, complexity, privileges, user interaction) and its consequences. With the temporal score, framework conditions that change over time are included in the evaluation. The risk of the current vulnerability is classified as “high” according to the CVSS with a base score of 8.8.
Intel Graphics Driver Bug: Description of the attack
Intel is a manufacturer of graphics cards. A graphics driver is software that allows interaction with connected, built-in (hardware) or virtual devices.
A local attacker can exploit multiple vulnerabilities in the Intel Graphics Driver to increase privileges, disclose information, or induce a denial of service condition.
The vulnerability is identified with the individual CVE serial numbers (Common Vulnerabilities and Exposures) CVE-2020-0518, CVE-2020-0521, CVE-2020-0544, CVE-2020-12361, CVE-2020-12362, CVE-2020-12363, CVE-2020-12364, CVE-2020-12365, CVE-2020-12366, CVE-2020-12367, CVE-2020-12368, CVE-2020-12369, CVE-2020-12370, CVE-2020-12371, CVE-2020-12372, CVE-2020-12373, CVE-2020-12384, CVE-2020-12385, CVE-2020-12386, CVE-2020-24448, CVE-2020-24450 und CVE-2020-8678 traded.
Systems affected by the vulnerability at a glance
systems
BIOS/Firmware, Appliance
Products
Avaya one-X (cpe:/a:avaya:one-x)
Open Source CentOS (cpe:/o:centos:centos)
Debian Linux (cpe:/o:debian:debian_linux)
Red Hat Enterprise Linux (cpe:/o:redhat:enterprise_linux)
SUSE Linux (cpe:/o:suse:suse_linux)
Oracle Linux (cpe:/o:oracle:linux)
Dell Computer (cpe:/o:dell:dell_computer)
Lenovo Computer (cpe:/o:lenovo:lenovo_computer)
Intel Graphics Driver (cpe:/a:intel:graphic_driver)
Avaya Aura Communication Manager (cpe:/a:avaya:communication_manager)
Avaya Aura Session Manager (cpe:/a:avaya:session_manager)
Avaya Aura Application Enablement Services (cpe:/a:avaya:aura_application_enablement_services)
Avaya Aura System Manager (cpe:/a:avaya:aura_system_manager)
Avaya Aura Experience Portal (cpe:/a:avaya:aura_experience_portal)
Avaya Session Border Controller (cpe:/h:avaya:session_border_controller)
Avaya Breeze Platform (cpe:/a:avaya:breeze_platform)
Avaya Web License Manager (cpe:/a:avaya:web_license_manager)
General measures for dealing with IT security gaps
-
Users of the affected systems should keep them up to date. When security gaps become known, manufacturers are required to remedy them as quickly as possible by developing a patch or a workaround. If new security updates are available, install them promptly.
-
For information, consult the sources listed in the next section. These often contain further information on the latest version of the software in question and the availability of security patches or tips on workarounds.
-
If you have any further questions or are uncertain, please contact your responsible administrator. IT security managers should regularly check when the manufacturing company makes a new security update available.
Manufacturer information on updates, patches and workarounds
Here you will find further links with information about bug reports, security fixes and workarounds.
Debian Security Advisory DLA-3380 vom 2023-04-01 (03.04.2023)
For more information, see: https://lists.debian.org/debian-lts-announce/2023/04/msg00002.html
Oracle Linux Security Advisory ELSA-2021-9434 vom 2021-08-30 (31.08.2021)
For more information, see: http://linux.oracle.com/errata/ELSA-2021-9434.html
AVAYA Security Advisory ASA-2021-100 vom 2021-08-25 (27.08.2021)
For more information, see: https://downloads.avaya.com/css/P8/documents/101077234
AVAYA Security Advisory ASA-2021-083 vom 2021-08-18 (20.08.2021)
For more information, see: https://downloads.avaya.com/css/P8/documents/101077149
AVAYA Security Advisory ASA-2021-083 vom 2021-08-18 (20.08.2021)
For more information, see: https://downloads.avaya.com/css/P8/documents/101077148
Red Hat Security Advisory RHSA-2021:3119 vom 2021-08-10 (11.08.2021)
For more information, see: https://access.redhat.com/errata/RHSA-2021:3119
Red Hat Security Advisory RHSA-2021:2735 vom 2021-07-20 (21.07.2021)
For more information, see: https://access.redhat.com/errata/RHSA-2021:2735
Red Hat Security Advisory RHSA-2021:2523 vom 2021-06-22 (23.06.2021)
For more information, see: https://access.redhat.com/errata/RHSA-2021:2523
Red Hat Security Advisory RHSA-2021:2461 vom 2021-06-16 (17.06.2021)
For more information, see: https://access.redhat.com/errata/RHSA-2021:2461
CentOS Security Advisory CESA-2021:2314 vom 2021-06-14 (15.06.2021)
For more information, see: http://centos-announce.2309468.n4.nabble.com/CentOS-announce-CESA-2021-2314-Important-CentOS-7-kernel-Security-Update-tp4646206.html
Oracle Linux Security Advisory ELSA-2021-2314 vom 2021-06-10 (10.06.2021)
For more information, see: https://linux.oracle.com/errata/ELSA-2021-2314.html
Red Hat Security Advisory RHSA-2021:2355 vom 2021-06-09 (09.06.2021)
For more information, see: https://access.redhat.com/errata/RHSA-2021:2355
Red Hat Security Advisory RHSA-2021:2314 vom 2021-06-09 (09.06.2021)
For more information, see: https://access.redhat.com/errata/RHSA-2021:2314
Red Hat Security Advisory RHSA-2021:2316 vom 2021-06-09 (09.06.2021)
For more information, see: https://access.redhat.com/errata/RHSA-2021:2316
Red Hat Security Advisory RHSA-2021:2293 vom 2021-06-08 (09.06.2021)
For more information, see: https://access.redhat.com/errata/RHSA-2021:2293
Red Hat Security Advisory RHSA-2021:2185 vom 2021-06-02 (02.06.2021)
For more information, see: https://access.redhat.com/errata/RHSA-2021:2185
Red Hat Security Advisory RHSA-2021:2190 vom 2021-06-01 (02.06.2021)
For more information, see: https://access.redhat.com/errata/RHSA-2021:2190
Red Hat Security Advisory RHSA-2021:2164 vom 2021-06-01 (01.06.2021)
For more information, see: https://access.redhat.com/errata/RHSA-2021:2164
Red Hat Security Advisory RHSA-2021:2106 vom 2021-05-25 (26.05.2021)
For more information, see: https://access.redhat.com/errata/RHSA-2021:2106
Red Hat Security Advisory RHSA-2021:1620 vom 2021-05-18 (19.05.2021)
For more information, see: https://access.redhat.com/errata/RHSA-2021:1620
Red Hat Security Advisory RHSA-2021:1578 vom 2021-05-18 (19.05.2021)
For more information, see: https://access.redhat.com/errata/RHSA-2021:1578
Red Hat Security Advisory RHSA-2021:1739 vom 2021-05-18 (19.05.2021)
For more information, see: https://access.redhat.com/errata/RHSA-2021:1739
SUSE Security Update SUSE-SU-2021:0735-1 vom 2021-03-09 (10.03.2021)
For more information, see: https://lists.suse.com/pipermail/sle-security-updates/2021-March/008450.html
SUSE Security Update SUSE-SU-2021:0741-1 vom 2021-03-09 (10.03.2021)
For more information, see: https://lists.suse.com/pipermail/sle-security-updates/2021-March/008452.html
SUSE Security Update SUSE-SU-2021:0738-1 vom 2021-03-09 (10.03.2021)
For more information, see: https://lists.suse.com/pipermail/sle-security-updates/2021-March/008445.html
SUSE Security Update SUSE-SU-2021:0694-1 vom 2021-03-03 (04.03.2021)
For more information, see: https://lists.suse.com/pipermail/sle-security-updates/2021-March/008432.html
EMC Security Advisory DSA-2021-028 vom 2021-02-10 (11.02.2021)
For more information, see: https://www.dell.com/support/kbdoc/de-de/000182803/dsa-2021-028-dell-client-platform-security-update-security-advisory-for-intel-graphics-driver-vulnerabilities
Lenovo Security Advisory (10.02.2021)
For more information, see: https://support.lenovo.com/de/de/product_security/ps500393-intel-graphics-drivers-advisory
Intel Security Advisory: INTEL-SA-00438 vom 2021-02-09 (10.02.2021)
For more information, see: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00438.html
Version history of this security alert
This is the 19th version of this IT Security Advisory for Intel Graphics Driver. As further updates are announced, this text will be updated. You can understand the changes made using the following version history.
February 10, 2021 – Initial version
02/11/2021 – Added new updates from EMC
03/04/2021 – Added new updates from SUSE
03/10/2021 – Added new updates from SUSE
05/19/2021 – Added new updates from Red Hat
05/26/2021 – Added new updates from Red Hat
06/01/2021 – Added new updates from Red Hat
06/02/2021 – Added new updates from Red Hat
06/09/2021 – Added new updates from Red Hat
06/10/2021 – Added new updates of Oracle Linux
06/15/2021 – Added new updates of CentOS
06/17/2021 – Added new updates from Red Hat
06/23/2021 – Added new updates from Red Hat
07/21/2021 – Added new updates from Red Hat
08/11/2021 – Added new updates from Red Hat
08/20/2021 – Added new updates from AVAYA
08/27/2021 – Added new updates from AVAYA
08/31/2021 – Added new updates of Oracle Linux
04/03/2023 – Added new updates from Debian
+++ Editorial note: This text was created with the help of AI on the basis of current BSI data. We accept feedback and comments at [email protected]. +++
follow News.de already at Facebook, Twitter, Pinterest and YouTube? Here you will find the latest news, the latest videos and the direct line to the editors.
roj/news.de