CVE-2018-3652 - Exposure of Sensitive Information to an Unauthorized Actor

Severity

76%

Complexity

9%

Confidentiality

100%

Existing UEFI setting restrictions for DCI (Direct Connect Interface) in 5th and 6th generation Intel Xeon Processor E3 Family, Intel Xeon Scalable processors, and Intel Xeon Processor D Family allow a limited physical presence attacker to potentially access platform secrets via debug interfaces.


CVSS 3.1 Base Score 7.6. CVSS Attack Vector: physical. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

CVSS 2.0 Base Score 4.6. CVSS Attack Vector: local. CVSS Attack Complexity: low. CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P).

Demo Examples

Exposure of Sensitive Information to an Unauthorized Actor

CWE-200

The following code checks validity of the supplied username and password and notifies the user of a successful or failed login.


               
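# IsValidUsername / IsValidPassword stand in for the application's own checks
if (IsValidUsername($username) == 1) {
    if (IsValidPassword($username, $password) == 1) {
        print "Login Successful";
    } else {
        print "Login Failed - incorrect password";
    }
} else {
    print "Login Failed - unknown username";
}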

In the above code, there are different messages for when an incorrect username is supplied, versus when the username is correct but the password is wrong. This difference enables a potential attacker to understand the state of the login function, and could allow an attacker to discover a valid username by trying different values until the incorrect password message is returned. In essence, this makes it easier for an attacker to obtain half of the necessary authentication credentials.

While this type of information may be helpful to a user, it is also useful to a potential attacker. In the above example, the message for both failed cases should be the same, such as:


               
"Login Failed - incorrect username or password"
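A hardened version of the login check above, as an added example that is not part of the original page. It returns the single failure message in both cases and goes one step further than the text by doing the same hashing work for unknown usernames, so response time does not reveal which case occurred. The user store, the account name, the dummy record and the PBKDF2 parameters are assumptions made for the example.

```python
import hashlib
import hmac
import os

GENERIC_FAILURE = "Login Failed - incorrect username or password"


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-user salt; the iteration count is an example value
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Constructed sample user store (hypothetical account)
USERS = {"alice": make_user("correct horse battery staple")}

# Dummy record so an unknown username costs the same hashing work as a known one
DUMMY = make_user("placeholder-never-matches")


def login(username: str, password: str) -> str:
    record = USERS.get(username)
    known = record is not None
    if not known:
        record = DUMMY
    candidate = hash_password(password, record["salt"])
    # compare_digest always runs; "known" only gates the final result
    ok = hmac.compare_digest(candidate, record["hash"]) and known
    return "Login Successful" if ok else GENERIC_FAILURE
```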

Exposure of Sensitive Information to an Unauthorized Actor

CWE-200

This code tries to open a database connection, and prints any exceptions that occur.


               
try {
    openDbConnection();
}
//print exception message that includes exception message and configuration file location
catch (Exception $e) {
    echo 'Caught exception: ', $e->getMessage(), "\n";
    echo 'Check credentials in config file at: ', $Mysql_config_location, "\n";
}

If an exception occurs, the printed message exposes the location of the configuration file the script is using. An attacker can use this information to target the configuration file (perhaps exploiting a Path Traversal weakness). If the file can be read, the attacker could gain credentials for accessing the database. The attacker may also be able to replace the file with a malicious one, causing the application to use an arbitrary database.

Exposure of Sensitive Information to an Unauthorized Actor

CWE-200

In the example below, the method getUserBankAccount retrieves a bank account object from a database using the supplied username and account number to query the database. If an SQLException is raised when querying the database, an error message is created and output to a log file.


               
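public BankAccount getUserBankAccount(String username, String accountNumber) {
    BankAccount userAccount = null;
    try {
        // ... query construction and logMessage assignment are missing from this page ...
        userAccount = (BankAccount)queryResult.getObject(accountNumber);
    } catch (SQLException ex) {
        Logger.getLogger(BankManager.class.getName()).log(Level.SEVERE, logMessage, ex);
    }
    return userAccount;
}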

The error message that is created includes information about the database query that may contain sensitive information about the database or query logic. In this case, the error message will expose the table name and column names used in the database. This data could be used to simplify other attacks, such as SQL injection (CWE-89) to directly access the database.

Exposure of Sensitive Information to an Unauthorized Actor

CWE-200

This code stores location information about the current user:


               
...
catch (Exception e) {
    Log.e("ExampleActivity", "Caught exception: " + e + " While on User:" + User.toString());
}

When the application encounters an exception it will write the user object to the log. Because the user object contains location information, the user's location is also written to the log.

Exposure of Sensitive Information to an Unauthorized Actor

CWE-200

The following is an actual MySQL error statement:


               
Warning: mysql_pconnect(): Access denied for user: 'root@localhost' (Using password: N1nj4) in /usr/local/www/wi-data/includes/database.inc on line 4

The error clearly exposes the database credentials.
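One way to avoid the leaks shown in the configuration-file, query-logging and MySQL error examples above, as an added example that is not code from the original page. The client receives only an opaque reference, while the detail goes to the server-side log with credentials redacted. The logger name, the redaction patterns and the message wording are assumptions.

```python
import logging
import re
import uuid

log = logging.getLogger("app.db")  # hypothetical logger name

# Patterns for secrets that commonly appear in driver error strings (example set)
REDACTIONS = [
    (re.compile(r"(Using password: )[^)]*"), r"\1[REDACTED]"),
    (re.compile(r"(password=)[^\s;&]+", re.I), r"\1[REDACTED]"),
]


def redact(text: str) -> str:
    for pattern, repl in REDACTIONS:
        text = pattern.sub(repl, text)
    return text


def client_error(exc: Exception) -> str:
    """Log redacted detail server-side; return only an opaque reference."""
    incident = uuid.uuid4().hex[:12]
    log.error("incident=%s %s: %s", incident, type(exc).__name__, redact(str(exc)))
    return f"An internal error occurred (reference {incident})."


# Constructed input: the MySQL warning quoted on this page, raised as an exception
SAMPLE = (
    "mysql_pconnect(): Access denied for user: 'root@localhost' "
    "(Using password: N1nj4) in /usr/local/www/wi-data/includes/database.inc on line 4"
)


def demo() -> tuple:
    try:
        raise RuntimeError(SAMPLE)
    except RuntimeError as exc:
        return client_error(exc), redact(str(exc))
```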

Exposure of Sensitive Information to an Unauthorized Actor

CWE-200

This code displays some information on a web page.


               
Social Security Number: <%= ssn %><br/>Credit Card Number: <%= ccn %>

The code displays a user's credit card and social security numbers, even though they aren't absolutely necessary.

Exposure of Sensitive Information to an Unauthorized Actor

CWE-200

The following program changes its behavior based on a debug flag.


               
} %>

The code writes sensitive debug information to the client browser if the "debugEnabled" flag is set to true.

Exposure of Sensitive Information to an Unauthorized Actor

CWE-200

This code uses location to determine the user's current US State location.

First the application must declare that it requires the ACCESS_FINE_LOCATION permission in the application's manifest.xml:


               
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>

During execution, a call to getLastLocation() will return a location based on the application's location permissions. In this case the application has permission for the most accurate location possible:


               
deriveStateFromCoords(userCurrLocation);

While the application needs this information, it does not need to use the ACCESS_FINE_LOCATION permission, as the ACCESS_COARSE_LOCATION permission will be sufficient to identify which US state the user is in.

Overview

Type

Intel

First reported 6 years ago

2018-07-10 21:29:00

Last updated 5 years ago

2020-04-28 12:17:00

Affected Software

Intel Xeon E3 1505M V6

1505m_v6

Intel Xeon E3 1515M V5

1515m_v5

Intel Xeon E3 1535M V5

1535m_v5

Intel Xeon E3 1535M V6

1535m_v6

Intel Xeon E3 1545M V5

1545m_v5

Intel Xeon E3 1558L V5

1558l_v5

Intel Xeon E3 1565L V5

1565l_v5

Intel Xeon E3 1575M V5

1575m_v5

Intel Xeon E3 1578L V5

1578l_v5

Intel Xeon E3 1585 V5

1585_v5

Intel Xeon E3 1585L V5

1585l_v5

Intel Xeon E3 1220 V5

Intel Xeon E3 1220 V6

Intel Xeon E3 1225 V5

Intel Xeon E3 1225 V6

Intel Xeon E3 1230 V5

Intel Xeon E3 1230 V6

Intel Xeon E3 1235L V5

Intel Xeon E3 1240 V5

Intel Xeon E3 1240 V6

Intel Xeon E3 1240l V5

Intel Xeon E3 1245 V5

Intel Xeon E3 1245 V6

Intel Xeon E3 1260L V5

Intel Xeon E3 1268L V5

Intel Xeon E3 1270 V5

Intel Xeon E3 1270 V6

Intel Xeon E3 1275 V5

Intel Xeon E3 1275 V6

Intel Xeon E3 1280 V5

Intel Xeon E3 1280 V6

Intel Xeon E3 1285 V6

Intel Xeon E3 1501L V6

Intel Xeon E3 1501M V6

Intel Xeon E3 1505L V5

Intel Xeon E3 1505L V6

Intel Xeon E3 1505M V5

Intel Xeon Bronze 3104

Intel Xeon Bronze 3106

Intel Xeon Gold 5115

5115

Intel Xeon Gold 5118

5118

Intel Xeon Gold 5119T

5119t

Intel Xeon Gold 5120

5120

Intel Xeon Gold 5120T

5120t

Intel Xeon Gold 5122

5122

Intel Xeon Gold 6126

6126

Intel Xeon Gold 6126F

6126f

Intel Xeon Gold 6126T

6126t

Intel Xeon Gold 6128

6128

Intel Xeon Gold 6130

6130

Intel Xeon Gold 6130F

6130f

Intel Xeon Gold 6130T

6130t

Intel Xeon Gold 6132

6132

Intel Xeon Gold 6134

6134

Intel Xeon Gold 6134M

6134m

Intel Xeon Gold 6136

6136

Intel Xeon Gold 6138

6138

Intel Xeon Gold 6138F

6138f

Intel Xeon Gold 6138T

6138t

Intel Xeon Gold 6140

6140

Intel Xeon Gold 6140M

6140m

Intel Xeon Gold 6142

6142

Intel Xeon Gold 6142F

6142f

Intel Xeon Gold 6142M

6142m

Intel Xeon Gold 6144

6144

Intel Xeon Gold 6146

6146

Intel Xeon Gold 6148

6148

Intel Xeon Gold 6148F

6148f

Intel Xeon Gold 6150

6150

Intel Xeon Gold 6152

6152

Intel Xeon Gold 6154

6154

Intel Xeon Platinum 8153

8153

Intel Xeon Platinum 8156

8156

Intel Xeon Platinum 8158

8158

Intel Xeon Platinum 8160

8160

Intel Xeon Platinum 8160F

8160f

Intel Xeon Platinum 8160M

8160m

Intel Xeon Platinum 8160T

8160t

Intel Xeon Platinum 8164

8164

Intel Xeon Platinum 8168

8168

Intel Xeon Platinum 8170

8170

Intel Xeon Platinum 8170M

8170m

Intel Xeon Platinum 8176

8176

Intel Xeon Platinum 8176F

8176f

Intel Xeon Platinum 8176M

8176m

Intel Xeon Platinum 8180

8180

Intel Xeon Silver 4108

4108

Intel Xeon Silver 4109T

4109t

Intel Xeon Silver 4110

4110

Intel Xeon Silver 4112

4112

Intel Xeon Silver 4114

4114

Intel Xeon Silver 4114T

4114t

Intel Xeon Silver 4116

4116

Intel Xeon Silver 4116T

4116t

Intel Atom C C2308

c2308

Intel Atom C C2316

c2316

Intel Atom C C2338

c2338

Intel Atom C C2350

c2350

Intel Atom C C2358

c2358

Intel Atom C C2508

c2508

Intel Atom C C2516

c2516

Intel Atom C C2518

c2518

Intel Atom C C2530

c2530

Intel Atom C C2538

c2538

Intel Atom C C2550

c2550

Intel Atom C C2558

c2558

Intel Atom C C2718

c2718

Intel Atom C C2730

c2730

Intel Atom C C2738

c2738

Intel Atom C C2750

c2750

Intel Atom C C2758

c2758

Intel Atom C C3308

c3308

Intel Atom C C3338

c3338

Intel Atom C C3508

c3508

Intel Atom C C3538

c3538

Intel Atom C C3558

c3558

Intel Atom C C3708

c3708

Intel Atom C C3750

c3750

Intel Atom C C3758

c3758

Intel Atom C C3808

c3808

Intel Atom C C3830

c3830

Intel Atom C C3850

c3850

Intel Atom C C3858

c3858

Intel Atom C C3950

c3950

Intel Atom C C3955

c3955

Intel Atom C C3958

c3958
