Intel® Ethernet Controller X710/XL710 NVM Security Vulnerability

Intel ID:  INTEL-SA-00063
Product family:  Intel® Ethernet Controller X710 family and Intel® Ethernet Controller XL710 family
Impact of vulnerability:  Denial of Service
Severity rating:  Important
Original release:  Jan 09, 2017
Last revised:  Jan 09, 2017
Summary: 

A security vulnerability in the Intel® Ethernet Controller X710 and Intel® Ethernet Controller XL710 family of products (Fortville) has been found in the Non-Volatile Flash Memory (NVM) image. 

Description: 

A security vulnerability in the Intel® Ethernet Controller X710 and Intel® Ethernet Controller XL710 family of products (Fortville) has been found in the Non-Volatile Flash Memory (NVM) image.  Under certain use conditions the Ethernet controller will stop sending and receiving data until the controller is reset.  All NVM versions 5.04 and earlier contain this vulnerability, which is fully mitigated in NVM version 5.05.

This vulnerability is rated CVSSv3 7.5 (High):  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products: 

| Silicon Product | MM# | S SPEC # | Current Available Firmware Version | Mitigation Available to OEM by: |
|---|---|---|---|---|
| Intel® Ethernet Controller X710-AM2 | 936553 | SR1ZP | v5.04 | For the v5.05 firmware update please use the Network Update Tool available from the Intel Download Center at https://downloadcenter.intel.com |
| Intel® Ethernet Controller X710-AM2 | 936554 | SR1ZQ | | |
| Intel® Ethernet Controller X710-BM2 | 947361 | SLLKC | | |
| Intel® Ethernet Controller X710-BM2 | 947359 | SLLKB | | |
| Intel® Ethernet Controller XL710-AM1 | 936551 | SR1ZM | | |
| Intel® Ethernet Controller XL710-AM1 | 936552 | SR1ZN | | |
| Intel® Ethernet Controller XL710-BM1 | 947353 | SLLKA | | |
| Intel® Ethernet Controller XL710-BM1 | 947351 | SLLK9 | | |
| Intel® Ethernet Controller XL710-AM2 | 936549 | SR1ZK | | |
| Intel® Ethernet Controller XL710-AM2 | 936550 | SR1ZL | | |
| Intel® Ethernet Controller XL710-BM2 | 947349 | SLLK8 | | |
| Intel® Ethernet Controller XL710-BM2 | 947348 | SLLK7 | | |

| Adapter Product | MM# | Order Code | Current Available Firmware Version | Mitigation Available to OEM by: |
|---|---|---|---|---|
| Intel® Ethernet Converged Network Adapter XL710-QDA2 | 945036 ECO#8680034 | XL710QDA2G2P5 | v5.04 | For the v5.05 NVM update please use the NVM Update Tool available from CDI https://downloadcenter.intel.com |
| Intel® Eth Converged Ntwk Adptr XL710-QDA2, open optic | 943446 | EXL710QDA2G1P5 | v5.04 | |
| Intel® Ethernet Converged Network Adapter XL710-QDA2 | 932586 | XL710QDA2 | v5.04 | |
| Intel® Ethernet Converged Network Adapter XL710-QDA2 | 932587 | XL710QDA2BLK | v5.04 | |
| Intel® Ethernet Converged Network Adapter XL710-QDA1 | 945035 ECO#8754933 | XL710QDA1G2P5 | v5.04 | |
| Intel® Eth Converged Ntwk Adptr XL710-QDA1, open optic | 943445 | EXL710QDA1G1P5 | v5.04 | |
| Intel® Ethernet Converged Network Adapter XL710-QDA1 | 932583 | XL710QDA1 | v5.04 | |
| Intel® Ethernet Converged Network Adapter XL710-QDA1 | 932584 | XL710QDA1BLK | v5.04 | |
| Intel® Ethernet Converged Network Adapter X710-DA2 | 945034 ECO#8754788 | X710DA2G2P5 | v5.04 | |
| Intel® Eth Converged Ntwk Adptr X710-DA2, open optic | 944042 | EX710DA2G1P5 | v5.04 | |
| Intel® Ethernet Converged Network Adapter X710-DA2 | 933206 | X710DA2 | v5.04 | |
| Intel® Ethernet Converged Network Adapter X710-DA2 | 933217 | X710DA2BLK | v5.04 | |
| Intel® Ethernet Converged Network Adapter X710-DA4 | 945062 ECO#8754936 | X710DA4FHG2P5 | v5.04 | |
| Intel® Eth Converged Ntwk Adptr X710-DA4, open optic | 944040 | EX710DA4FHG1P5 | v5.04 | |
| Intel® Ethernet Converged Network Adapter X710-DA4 | 932575 | X710DA4FH | v5.04 | |
| Intel® Ethernet Converged Network Adapter X710-DA4 | 932576 | X710DA4FHBLK | v5.04 | |
| Intel® Ethernet Converged Network Adapter X710-DA4 | 945033 ECO#8754937 | X710DA4G2P5 | v5.04 | |
| Intel® Eth Converged Ntwk Adptr X710-DA4, open optic | 944041 | EX710DA4G1P5 | v5.04 | |
| Intel Ethernet I/O Module XL710-QDA2 | 933743 | AXX2P40FRTIOM | v5.04 | |
| Intel Ethernet I/O Module XL710-QDA1 | 933742 | AXX1P40FRTIOM | v5.04 | |

Recommendations: 

Intel highly recommends updating to Intel® NVM version 5.05 or newer, available at https://downloadcenter.intel.com or https://downloadcenter.intel.com/download/24769/
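
One way to check Linux hosts against this recommendation, as an added example that is not part of Intel's advisory. It assumes the Linux i40e driver reports the NVM version as the first field of the `firmware-version:` line in `ethtool -i` output; the function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify ports against INTEL-SA-00063 (fixed in NVM 5.05).
# Assumption: for the i40e driver, the first token after "firmware-version:"
# in `ethtool -i` output is the NVM version in major.minor form.

# Constructed sample of `ethtool -i` output (not captured from a real host).
SAMPLE_OLD='driver: i40e
version: 1.5.16
firmware-version: 5.04 0x80002505 0.0.0
bus-info: 0000:03:00.0'

# nvm_status: reads `ethtool -i` output on stdin and prints one of
#   "VULNERABLE <ver>", "FIXED <ver>", "NOT_I40E", "UNKNOWN"
nvm_status() {
    awk '
        /^driver:/           { driver = $2 }
        /^firmware-version:/ { fw = $2 }
        END {
            if (driver != "i40e") { print "NOT_I40E"; exit }
            # Only decimal major.minor is compared; anything else (N/A,
            # empty, unexpected format) is reported for manual follow-up.
            if (fw !~ /^[0-9]+\.[0-9]+$/) { print "UNKNOWN"; exit }
            split(fw, v, ".")
            major = v[1] + 0; minor = v[2] + 0   # "04" becomes 4
            if (major < 5 || (major == 5 && minor < 5))
                print "VULNERABLE", fw
            else
                print "FIXED", fw
        }'
}

# scan_host: run the check on every interface of the local machine.
scan_host() {
    command -v ethtool >/dev/null 2>&1 || { echo "ethtool not found" >&2; return 2; }
    for dev in /sys/class/net/*; do
        ifc=${dev##*/}
        status=$(ethtool -i "$ifc" 2>/dev/null | nvm_status)
        [ "$status" = "NOT_I40E" ] || printf '%s\t%s\n' "$ifc" "$status"
    done
}

# Run as: sh check_nvm.sh --scan
if [ "${1:-}" = "--scan" ]; then scan_host; fi
```

Ports reported as UNKNOWN should be checked by hand rather than treated as fixed.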

Acknowledgements: 

Intel became aware of this issue working closely with our validation partners.

Revision history: 

| Revision | Date | Description |
|---|---|---|
| 1.0 | 09-January-2017 | Initial Release |

CVE Name:  CVE-2016-8106

Disclaimer:

INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” IN CONNECTION WITH INTEL® PRODUCTS. YOUR USE OF THE INFORMATION IN THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. INTEL RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. EXCEPT AS PROVIDED IN INTEL’S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER, AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT.



Reporting a security issue

If you have information about a security issue or vulnerability with an Intel product, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

  • The products and versions affected
  • Detailed description of the vulnerability
  • Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

  • Vulnerability handling guidelines

Need product support?

The secure@intel.com e-mail address should only be used for reporting security issues.

If you...

  • Have questions about the security features of an Intel product
  • Require technical support
  • Want product updates or patches

Please visit Support & Downloads.