Multiple vulnerabilities in Intel BIOS firmware for Intel processors
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 6 |
| CVE-ID | CVE-2022-26343 CVE-2022-30539 CVE-2022-32231 CVE-2022-26837 CVE-2022-30704 CVE-2021-0187 |
| CWE-ID | CWE-284 CWE-416 CWE-665 CWE-20 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software Subscribe |
2nd Generation Intel Xeon Scalable Processors Hardware solutions / Firmware Intel Xeon D Processors Hardware solutions / Firmware Intel Xeon Processor D 1500 Hardware solutions / Firmware Intel Xeon Platinum P-8124 processors Hardware solutions / Firmware Intel Xeon Platinum P-8136 processors Hardware solutions / Firmware 3rd Generation Intel Xeon Scalable Processors Hardware solutions / Firmware Intel Xeon E Processors Hardware solutions / Firmware 11th Generation Intel Core Processors Hardware solutions / Firmware Intel Xeon W Processors Hardware solutions / Firmware 12th Generation Intel Core Processors Hardware solutions / Firmware Intel Pentium Gold Processor Series Hardware solutions / Firmware Intel Celeron Processors Hardware solutions / Firmware 10th Generation Intel Core Processors Hardware solutions / Firmware Intel Xeon E-2300 processor family Hardware solutions / Firmware Intel Xeon Scalable Processors Hardware solutions / Other hardware appliances |
| Vendor | Intel |
Security Bulletin
This security bulletin contains information about 6 vulnerabilities.
1) Improper access control
EUVDB-ID: #VU72449
Risk: Low
CVSSv3.1: 6.9 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-26343
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper access restrictions in the BIOS firmware. A local privileged user can execute arbitrary code with elevated privileges.
Install updates from vendor's website.
Vulnerable software versions2nd Generation Intel Xeon Scalable Processors: All versions
Intel Xeon D Processors: All versions
Intel Xeon Scalable Processors: All versions
Intel Xeon Processor D 1500: All versions
Intel Xeon Platinum P-8124 processors: All versions
Intel Xeon Platinum P-8136 processors: All versions
External linkshttp://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00717.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Use-after-free
EUVDB-ID: #VU72450
Risk: Low
CVSSv3.1: 7.1 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-30539
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error in the BIOS firmware. A local user can execute arbitrary code with elevated privileges.
Install updates from vendor's website.
Vulnerable software versions3rd Generation Intel Xeon Scalable Processors: All versions
External linkshttp://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00717.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Improper Initialization
EUVDB-ID: #VU72451
Risk: Low
CVSSv3.1: 6.5 [CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-32231
CWE-ID:
CWE-665 - Improper Initialization
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper initialization in the BIOS firmware. A local user can run a specially crafted application to execute arbitrary code with escalated privileges on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsIntel Xeon Scalable Processors: All versions
3rd Generation Intel Xeon Scalable Processors: All versions
2nd Generation Intel Xeon Scalable Processors: All versions
External linkshttp://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00717.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Input validation error
EUVDB-ID: #VU72452
Risk: Low
CVSSv3.1: 6.5 [CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-26837
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to insufficient validation of user-supplied input in the BIOS firmware. A local user can execute arbitrary code with elevated privileges.
Install updates from vendor's website.
Vulnerable software versions3rd Generation Intel Xeon Scalable Processors: All versions
Intel Xeon E Processors: All versions
11th Generation Intel Core Processors: All versions
Intel Xeon W Processors: All versions
External linkshttp://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00717.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Improper Initialization
EUVDB-ID: #VU72453
Risk: Low
CVSSv3.1: 5 [CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-30704
CWE-ID:
CWE-665 - Improper Initialization
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper initialization in the Intel(R) TXT SINIT ACM. A local user can run a specially crafted application to execute arbitrary code with escalated privileges on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versions11th Generation Intel Core Processors: All versions
12th Generation Intel Core Processors: All versions
Intel Pentium Gold Processor Series: All versions
Intel Celeron Processors: All versions
10th Generation Intel Core Processors: All versions
Intel Xeon E-2300 processor family: All versions
Intel Xeon W Processors: All versions
External linkshttp://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00717.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Improper access control
EUVDB-ID: #VU72455
Risk: Low
CVSSv3.1: 2.8 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-0187
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper access restrictions in the BIOS firmware. A local user can execute arbitrary code with elevated privileges.
Install updates from vendor's website.
Vulnerable software versions3rd Generation Intel Xeon Scalable Processors: All versions
External linkshttp://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00717.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
