CVE-2020-24509
Description
Insufficient control flow management in subsystem in Intel(R) SPS versions before SPS_E3_05.01.04.300.0, SPS_SoC-A_05.00.03.091.0, SPS_E5_04.04.04.023.0, or SPS_E5_04.04.03.263.0 may allow a privileged user to potentially enable escalation of privilege via local access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Insufficient control flow management in Intel SPS firmware allows a privileged local user to escalate privileges on affected platforms.
Vulnerability
CVE-2020-24509 is a control flow management flaw in Intel(R) Server Platform Services (SPS) firmware in which certain code paths are insufficiently validated. Affected versions include those before SPS_E3_05.01.04.300.0, SPS_SoC-A_05.00.03.091.0, SPS_E5_04.04.04.023.0, and SPS_E5_04.04.03.263.0. The issue resides in the SPS subsystem and is reachable by a local user with elevated privileges.
Exploitation
An attacker must have local access to the system and possess privileged user credentials (e.g., administrator or root-level access). Once authenticated, the attacker can exploit the insufficient control flow management to bypass intended security checks, potentially executing arbitrary code within the SPS firmware context.
Impact
Successful exploitation allows the attacker to escalate their privileges within the SPS environment, potentially gaining control over platform-level functions such as power management, boot integrity, or system configuration. This could lead to a full compromise of the platform's security boundaries.
Mitigation
Intel has released firmware updates to address this vulnerability: SPS_E3_05.01.04.300.0, SPS_SoC-A_05.00.03.091.0, SPS_E5_04.04.04.023.0, and SPS_E5_04.04.03.263.0. System administrators should update the Intel SPS firmware to the latest fixed versions. No workarounds have been provided, and the vulnerability is not currently listed in the KEV catalog [1].
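The following check is an added example, not part of the advisory or of Intel's tooling: it classifies SPS version strings from a firmware inventory against the fixed versions listed above. It assumes the first three numeric fields identify a release branch, so a build is compared only with the fixed version of its own family and branch; the host names and inventory entries are constructed sample data.

```python
import re

# Fixed versions exactly as listed on this page.
FIXED = [
    "SPS_E3_05.01.04.300.0",
    "SPS_SoC-A_05.00.03.091.0",
    "SPS_E5_04.04.04.023.0",
    "SPS_E5_04.04.03.263.0",
]

_VERSION = re.compile(r"^SPS_(?P<family>[A-Za-z0-9-]+)_(?P<nums>\d+(?:\.\d+){4})$")

def parse(version):
    """Split 'SPS_<family>_a.b.c.d.e' into (family, (a, b, c, d, e))."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised SPS version string: {version!r}")
    # Compare fields as integers: '091' must sort as 91, not as text.
    return m["family"], tuple(int(n) for n in m["nums"].split("."))

# Assumption: (family, first three fields) identifies the release branch.
_FIXED_BY_BRANCH = {}
for _v in FIXED:
    _fam, _nums = parse(_v)
    _FIXED_BY_BRANCH[(_fam, _nums[:3])] = _nums

def assess(version):
    """Return 'vulnerable', 'fixed', or 'unknown' for an installed version."""
    family, nums = parse(version)
    fixed = _FIXED_BY_BRANCH.get((family, nums[:3]))
    if fixed is None:
        # Branch not named on this page: check it against the vendor advisory.
        return "unknown"
    return "vulnerable" if nums < fixed else "fixed"

def report(inventory):
    """Map each host to its assessment; malformed strings become 'unparseable'."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = assess(version)
        except ValueError:
            result[host] = "unparseable"
    return result

if __name__ == "__main__":
    # Constructed inventory for illustration only.
    sample = {"host-a": "SPS_E5_04.04.04.022.0", "host-b": "SPS_E5_04.04.03.263.0",
              "host-c": "SPS_SoC-A_05.00.03.090.0", "host-d": "SPS_E5_04.01.04.339.0"}
    for host, status in report(sample).items():
        print(host, status)
```

Hosts reported as `unknown` or `unparseable` need a manual check against the Intel advisory rather than being treated as unaffected.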
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Intel/SPS
Patches
No patches discovered yet.
References
- security.netapp.com/advisory/ntap-20210611-0003/ (mitre, x_refsource_CONFIRM)
- www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00459.html (mitre, x_refsource_MISC)