Multiple vulnerabilities in Intel Server Boards BMC Firmware

Published: 2022-12-06

Risk	High
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2022-40242 CVE-2022-2827
CWE-ID	CWE-522 CWE-284
Exploitation vector	Network
Public exploit	N/A
Vulnerable software Subscribe	Intel Server Board M10JNP2SB Hardware solutions / Firmware Intel Server Board M20NTP Hardware solutions / Firmware Intel Server Board M70KLP2SB Hardware solutions / Firmware
Vendor

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Insufficiently protected credentials

EUVDB-ID: #VU69915

Risk: High

CVSSv3.1: 7.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-40242

CWE-ID: CWE-522 - Insufficiently Protected Credentials

Exploit availability: No

Description

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to insufficiently protected credentials, which leads to security restrictions bypass and privilege escalation.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Intel Server Board M10JNP2SB: before 1.11

Intel Server Board M20NTP: before 0027

Intel Server Board M70KLP2SB: before 4.15

External links

http://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00801.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper access control

EUVDB-ID: #VU69917

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-2827

CWE-ID: CWE-284 - Improper Access Control