CVE-2019-11109

Vulnerability

A logic issue exists in the Intel(R) Server Platform Services (SPS) subsystem before versions SPS_E5_04.01.04.275.0, SPS_SoC-X_04.00.04.100.0, and SPS_SoC-A_04.00.04.191.0. This flaw is located in the SPS firmware, which provides out-of-band management and platform services for Intel server platforms. The affected versions are used on various Intel server product lines. The vulnerability is reachable by a local user with privileged access, such as system administrator or management console operator privileges [1].

Exploitation

To exploit this vulnerability, an attacker must have local access to the affected system and possess privileged user credentials (e.g., administrative or root-level access). With these privileges, the attacker can leverage the logic issue in the SPS firmware to trigger a condition that leads to a denial of service. The exact sequence of steps is not detailed in the reference, but the attack vector is local, requiring direct system interaction [1].

Impact

Successful exploitation allows the privileged attacker to cause a denial of service (DoS) condition. This can render the platform or its management functions unavailable, potentially affecting system availability and disrupting operations. The impact is limited to availability; confidentiality and integrity are not directly compromised according to the advisory [1].

Mitigation

Intel released updated firmware versions to address the issue. The fixed versions are SPS_E5_04.01.04.275.0, SPS_SoC-X_04.00.04.100.0, and SPS_SoC-A_04.00.04.191.0. Users should update their SPS firmware to the appropriate patched version for their platform, as identified by Intel in their advisory [1]. No workarounds are detailed in the reference. As of the publication date, no known active exploitation in the wild has been reported.