Vulnerability Spotlight: Intel Raid Web Console 3 denial-of-service bugs

Geoff Serrao of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered two denial-of-service vulnerabilities in the web API functionality of Intel RAID Web Console 3. The Raid Web Console is a web-based application that provides several configuration functions for the Intel RAID line of products, which includes controllers and storage expanders. The console monitors, maintains and troubleshoots these products. An attacker could exploit both of these bugs by sending a malicious POST request to the API.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Intel to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details


Intel Raid Web Console 3 add server denial-of-service vulnerability (TALOS-2019-0894/CVE-2019-8688)

A remote, exploitable denial-of-service vulnerability exists in the web API functionality of Intel Raid Web Console 3. A specially crafted request can lead to a null pointer dereference in the Intel Raid Web Console server. This would result in a denial of service until the user restarts LSA.exe. A remote unauthenticated attacker can send a POST request to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

Intel Raid Web Console 3 DISCOVERY denial of service (TALOS-2019-0914/CVE-2020-8688)

An exploitable denial of service vulnerability exists in the web API functionality of Intel Raid Web Console 3. A specially crafted request can cause t ..