Multiple vulnerabilities in Dell Networking BIOS drivers
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2021-0060 CVE-2021-0092 CVE-2022-21123 CVE-2022-21127 |
| CWE-ID | CWE-653 CWE-284 CWE-200 CWE-459 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software Subscribe |
N3200-ON Hardware solutions / Drivers N2200-ON Hardware solutions / Drivers VEP1485 Hardware solutions / Drivers VEP1445 Hardware solutions / Drivers VEP1425 Hardware solutions / Drivers Z9432F-ON Hardware solutions / Drivers Z9264F-ON Hardware solutions / Drivers S5448F-ON Hardware solutions / Drivers S5248F-ON Hardware solutions / Drivers S5232F-ON Hardware solutions / Drivers S5224F-ON Hardware solutions / Drivers S5212F-ON Hardware solutions / Drivers |
| Vendor | Dell |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Improper isolation or compartmentalization
EUVDB-ID: #VU60450
Risk: Low
CVSSv3.1: 6.6 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-0060
CWE-ID:
CWE-653 - Improper isolation or compartmentalization
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to escalate privileges on the system.
The vulnerability exists due to insufficient compartmentalization in HECI subsystem for the Intel(R) SPS. An attacker with physical access to the system can execute arbitrary code with elevated privileges.
Install update from vendor's website.
Vulnerable software versionsN3200-ON: before 3.45.0.9-8
N2200-ON: before 3.45.0.9-11
VEP1485: before 3.48.0.9-18
VEP1445: before 3.48.0.9-18
VEP1425: before 3.48.0.9-18
Z9432F-ON: before 3.51.0.D-12
Z9264F-ON: before 3.42.0.9-18
S5448F-ON: before 3.52.0.D-11
S5248F-ON: before 3.40.0.9-15
S5232F-ON: before 3.40.0.9-15
S5224F-ON: before 3.40.0.9-15
S5212F-ON: before 3.40.0.9-15
External linksQ & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper access control
EUVDB-ID: #VU60610
Risk: Low
CVSSv3.1: 4.1 [CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-0092
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in the firmware. A local administrator can bypass implemented security restrictions and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsN3200-ON: before 3.45.0.9-8
N2200-ON: before 3.45.0.9-11
VEP1485: before 3.48.0.9-18
VEP1445: before 3.48.0.9-18
VEP1425: before 3.48.0.9-18
Z9432F-ON: before 3.51.0.D-12
Z9264F-ON: before 3.42.0.9-18
S5448F-ON: before 3.52.0.D-11
S5248F-ON: before 3.40.0.9-15
S5232F-ON: before 3.40.0.9-15
S5224F-ON: before 3.40.0.9-15
S5212F-ON: before 3.40.0.9-15
External linksQ & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Information disclosure
EUVDB-ID: #VU64364
Risk: Low
CVSSv3.1: 5.2 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-21123
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows an attacker to gain access to potentially sensitive information.
The vulnerability exists in Intel processors due to excessive data output when DirectPath I/O (PCI-Passthrough) is utilized. An attacker (both local and remote) with administrative access to a virtual machine that has an attached DirectPath I/O (PCI-Passthrough) device can obtain information stored in physical memory about the hypervisor or other virtual machines that reside on the same host.
Install update from vendor's website.
Vulnerable software versionsN3200-ON: before 3.45.0.9-8
N2200-ON: before 3.45.0.9-11
VEP1485: before 3.48.0.9-18
VEP1445: before 3.48.0.9-18
VEP1425: before 3.48.0.9-18
Z9432F-ON: before 3.51.0.D-12
Z9264F-ON: before 3.42.0.9-18
S5448F-ON: before 3.52.0.D-11
S5248F-ON: before 3.40.0.9-15
S5232F-ON: before 3.40.0.9-15
S5224F-ON: before 3.40.0.9-15
S5212F-ON: before 3.40.0.9-15
External linksQ & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Incomplete cleanup
EUVDB-ID: #VU64376
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-21127
CWE-ID:
CWE-459 - Incomplete cleanup
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to sensitive information on the system.
The vulnerability exists due to incomplete cleanup in specific special register read operations. A local user can enable information disclosure.
MitigationInstall update from vendor's website.
Vulnerable software versionsN3200-ON: before 3.45.0.9-8
N2200-ON: before 3.45.0.9-11
VEP1485: before 3.48.0.9-18
VEP1445: before 3.48.0.9-18
VEP1425: before 3.48.0.9-18
Z9432F-ON: before 3.51.0.D-12
Z9264F-ON: before 3.42.0.9-18
S5448F-ON: before 3.52.0.D-11
S5248F-ON: before 3.40.0.9-15
S5232F-ON: before 3.40.0.9-15
S5224F-ON: before 3.40.0.9-15
S5212F-ON: before 3.40.0.9-15
External linksQ & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
