Multiple vulnerabilities in Dell PowerEdge Server firmware



Risk Low
Patch available YES
Number of vulnerabilities 12
CVE-ID CVE-2022-21216
CVE-2022-32231
CVE-2022-30704
CVE-2022-26837
CVE-2022-26343
CVE-2021-0187
CVE-2022-30539
CVE-2022-36348
CVE-2022-36794
CVE-2022-33972
CVE-2022-33196
CVE-2022-38090
CWE-ID CWE-284
CWE-665
CWE-20
CWE-416
CWE-749
CWE-755
CWE-682
CWE-276
CWE-653
Exploitation vector Local network
Public exploit N/A
Vulnerable software
PowerEdge R340
Hardware solutions / Firmware

PowerEdge R240
Hardware solutions / Firmware

PowerEdge T340
Hardware solutions / Firmware

PowerEdge T140
Hardware solutions / Firmware

PowerEdge XE7440
Hardware solutions / Firmware

PowerEdge XE7420
Hardware solutions / Firmware

PowerEdge XE2420
Hardware solutions / Firmware

PowerEdge DSS8440
Hardware solutions / Firmware

PowerEdge C4140
Hardware solutions / Firmware

PowerEdge MX840C
Hardware solutions / Firmware

PowerEdge MX740C
Hardware solutions / Firmware

PowerEdge M640P
Hardware solutions / Firmware

PowerEdge M640
Hardware solutions / Firmware

PowerEdge FC640
Hardware solutions / Firmware

PowerEdge C6420
Hardware solutions / Firmware

PowerEdge T640
Hardware solutions / Firmware

PowerEdge R940XA
Hardware solutions / Firmware

PowerEdge R840
Hardware solutions / Firmware

PowerEdge R740XD2
Hardware solutions / Firmware

PowerEdge XR2
Hardware solutions / Firmware

PowerEdge T440
Hardware solutions / Firmware

PowerEdge R440
Hardware solutions / Firmware

PowerEdge R540
Hardware solutions / Firmware

PowerEdge R940
Hardware solutions / Firmware

PowerEdge R640
Hardware solutions / Firmware

PowerEdge R740XD
Hardware solutions / Firmware

PowerEdge R740
Hardware solutions / Firmware

PowerEdge T150
Hardware solutions / Firmware

PowerEdge R250
Hardware solutions / Firmware

PowerEdge T350
Hardware solutions / Firmware

PowerEdge R350
Hardware solutions / Firmware

PowerEdge XR12
Hardware solutions / Firmware

PowerEdge XR11
Hardware solutions / Firmware

PowerEdge R750XS
Hardware solutions / Firmware

PowerEdge R650XS
Hardware solutions / Firmware

PowerEdge R450
Hardware solutions / Firmware

PowerEdge T550
Hardware solutions / Firmware

PowerEdge R550
Hardware solutions / Firmware

PowerEdge MX750c
Hardware solutions / Firmware

PowerEdge C6520
Hardware solutions / Firmware

PowerEdge R650
Hardware solutions / Firmware

PowerEdge R750XA
Hardware solutions / Firmware

PowerEdge R750
Hardware solutions / Firmware

Vendor Dell

Security Bulletin

This security bulletin contains information about 12 vulnerabilities.

1) Improper access control

EUVDB-ID: #VU72448

Risk: Low

CVSSv4.0: 4.5 [CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-21216

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in out-of-band management in Intel processors. A remote privileged user on the local network can bypass implemented security restrictions and gain unauthorized access to the application.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerEdge R340: before 2.12.2

PowerEdge R240: before 2.12.2

PowerEdge T340: before 2.12.2

PowerEdge T140: before 2.12.2

PowerEdge XE7440: before 2.17.1

PowerEdge XE7420: before 2.17.1

PowerEdge XE2420: before 2.17.1

PowerEdge DSS8440: before 2.17.1

PowerEdge C4140: before 2.17.1

PowerEdge MX840C: before 2.17.1

PowerEdge MX740C: before 2.17.1

PowerEdge M640P: before 2.17.1

PowerEdge M640: before 2.17.1

PowerEdge FC640: before 2.17.1

PowerEdge C6420: before 2.17.1

PowerEdge T640: before 2.17.1

PowerEdge R940XA: before 2.17.1

PowerEdge R840: before 2.17.1

PowerEdge R740XD2: before 2.17.1

PowerEdge XR2: before 2.17.1

PowerEdge T440: before 2.17.1

PowerEdge R440: before 2.17.1

PowerEdge R540: before 2.17.1

PowerEdge R940: before 2.17.1

PowerEdge R640: before 2.17.1

PowerEdge R740XD: before 2.17.1

PowerEdge R740: before 2.17.1

PowerEdge T150: before 1.5.0

PowerEdge R250: before 1.5.0

PowerEdge T350: before 1.5.0

PowerEdge R350: before 1.5.0

PowerEdge XR12: before 1.9.2

PowerEdge XR11: before 1.9.2

PowerEdge R750XS: before 1.9.2

PowerEdge R650XS: before 1.9.2

PowerEdge R450: before 1.9.2

PowerEdge T550: before 1.9.2

PowerEdge R550: before 1.9.2

PowerEdge MX750c: before 1.9.2

PowerEdge C6520: before 1.9.2

PowerEdge R650: before 1.9.2

PowerEdge R750XA: before 1.9.2

PowerEdge R750: before 1.9.2

CPE2.3 External links

https://www.dell.com/support/kbdoc/nl-nl/000209268/dsa-2023-014-dell-poweredge-server-security-update-for-intel-february-2023-security-advisories-2023-1-ipu


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper Initialization

EUVDB-ID: #VU72451

Risk: Low

CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-32231

CWE-ID: CWE-665 - Improper Initialization

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper initialization in the BIOS firmware. A local user can run a specially crafted application to execute arbitrary code with escalated privileges on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerEdge R340: before 2.12.2

PowerEdge R240: before 2.12.2

PowerEdge T340: before 2.12.2

PowerEdge T140: before 2.12.2

PowerEdge XE7440: before 2.17.1

PowerEdge XE7420: before 2.17.1

PowerEdge XE2420: before 2.17.1

PowerEdge DSS8440: before 2.17.1

PowerEdge C4140: before 2.17.1

PowerEdge MX840C: before 2.17.1

PowerEdge MX740C: before 2.17.1

PowerEdge M640P: before 2.17.1

PowerEdge M640: before 2.17.1

PowerEdge FC640: before 2.17.1

PowerEdge C6420: before 2.17.1

PowerEdge T640: before 2.17.1

PowerEdge R940XA: before 2.17.1

PowerEdge R840: before 2.17.1

PowerEdge R740XD2: before 2.17.1

PowerEdge XR2: before 2.17.1

PowerEdge T440: before 2.17.1

PowerEdge R440: before 2.17.1

PowerEdge R540: before 2.17.1

PowerEdge R940: before 2.17.1

PowerEdge R640: before 2.17.1

PowerEdge R740XD: before 2.17.1

PowerEdge R740: before 2.17.1

PowerEdge T150: before 1.5.0

PowerEdge R250: before 1.5.0

PowerEdge T350: before 1.5.0

PowerEdge R350: before 1.5.0

PowerEdge XR12: before 1.9.2

PowerEdge XR11: before 1.9.2

PowerEdge R750XS: before 1.9.2

PowerEdge R650XS: before 1.9.2

PowerEdge R450: before 1.9.2

PowerEdge T550: before 1.9.2

PowerEdge R550: before 1.9.2

PowerEdge MX750c: before 1.9.2

PowerEdge C6520: before 1.9.2

PowerEdge R650: before 1.9.2

PowerEdge R750XA: before 1.9.2

PowerEdge R750: before 1.9.2

CPE2.3 External links

https://www.dell.com/support/kbdoc/nl-nl/000209268/dsa-2023-014-dell-poweredge-server-security-update-for-intel-february-2023-security-advisories-2023-1-ipu


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Improper Initialization

EUVDB-ID: #VU72453

Risk: Low

CVSSv4.0: 3.7 [CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-30704

CWE-ID: CWE-665 - Improper Initialization

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper initialization in the Intel(R) TXT SINIT ACM. A local user can run a specially crafted application to execute arbitrary code with escalated privileges on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerEdge R340: before 2.12.2

PowerEdge R240: before 2.12.2

PowerEdge T340: before 2.12.2

PowerEdge T140: before 2.12.2

PowerEdge XE7440: before 2.17.1

PowerEdge XE7420: before 2.17.1

PowerEdge XE2420: before 2.17.1

PowerEdge DSS8440: before 2.17.1

PowerEdge C4140: before 2.17.1

PowerEdge MX840C: before 2.17.1

PowerEdge MX740C: before 2.17.1

PowerEdge M640P: before 2.17.1

PowerEdge M640: before 2.17.1

PowerEdge FC640: before 2.17.1

PowerEdge C6420: before 2.17.1

PowerEdge T640: before 2.17.1

PowerEdge R940XA: before 2.17.1

PowerEdge R840: before 2.17.1

PowerEdge R740XD2: before 2.17.1

PowerEdge XR2: before 2.17.1

PowerEdge T440: before 2.17.1

PowerEdge R440: before 2.17.1

PowerEdge R540: before 2.17.1

PowerEdge R940: before 2.17.1

PowerEdge R640: before 2.17.1

PowerEdge R740XD: before 2.17.1

PowerEdge R740: before 2.17.1

PowerEdge T150: before 1.5.0

PowerEdge R250: before 1.5.0

PowerEdge T350: before 1.5.0

PowerEdge R350: before 1.5.0

PowerEdge XR12: before 1.9.2

PowerEdge XR11: before 1.9.2

PowerEdge R750XS: before 1.9.2

PowerEdge R650XS: before 1.9.2

PowerEdge R450: before 1.9.2

PowerEdge T550: before 1.9.2

PowerEdge R550: before 1.9.2

PowerEdge MX750c: before 1.9.2

PowerEdge C6520: before 1.9.2

PowerEdge R650: before 1.9.2

PowerEdge R750XA: before 1.9.2

PowerEdge R750: before 1.9.2

CPE2.3 External links

https://www.dell.com/support/kbdoc/nl-nl/000209268/dsa-2023-014-dell-poweredge-server-security-update-for-intel-february-2023-security-advisories-2023-1-ipu


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Input validation error

EUVDB-ID: #VU72452

Risk: Low

CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-26837

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to insufficient validation of user-supplied input in the BIOS firmware. A local user can execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerEdge R340: before 2.12.2

PowerEdge R240: before 2.12.2

PowerEdge T340: before 2.12.2

PowerEdge T140: before 2.12.2

PowerEdge XE7440: before 2.17.1

PowerEdge XE7420: before 2.17.1

PowerEdge XE2420: before 2.17.1

PowerEdge DSS8440: before 2.17.1

PowerEdge C4140: before 2.17.1

PowerEdge MX840C: before 2.17.1

PowerEdge MX740C: before 2.17.1

PowerEdge M640P: before 2.17.1

PowerEdge M640: before 2.17.1

PowerEdge FC640: before 2.17.1

PowerEdge C6420: before 2.17.1

PowerEdge T640: before 2.17.1

PowerEdge R940XA: before 2.17.1

PowerEdge R840: before 2.17.1

PowerEdge R740XD2: before 2.17.1

PowerEdge XR2: before 2.17.1

PowerEdge T440: before 2.17.1

PowerEdge R440: before 2.17.1

PowerEdge R540: before 2.17.1

PowerEdge R940: before 2.17.1

PowerEdge R640: before 2.17.1

PowerEdge R740XD: before 2.17.1

PowerEdge R740: before 2.17.1

PowerEdge T150: before 1.5.0

PowerEdge R250: before 1.5.0

PowerEdge T350: before 1.5.0

PowerEdge R350: before 1.5.0

PowerEdge XR12: before 1.9.2

PowerEdge XR11: before 1.9.2

PowerEdge R750XS: before 1.9.2

PowerEdge R650XS: before 1.9.2

PowerEdge R450: before 1.9.2

PowerEdge T550: before 1.9.2

PowerEdge R550: before 1.9.2

PowerEdge MX750c: before 1.9.2

PowerEdge C6520: before 1.9.2

PowerEdge R650: before 1.9.2

PowerEdge R750XA: before 1.9.2

PowerEdge R750: before 1.9.2

CPE2.3 External links

https://www.dell.com/support/kbdoc/nl-nl/000209268/dsa-2023-014-dell-poweredge-server-security-update-for-intel-february-2023-security-advisories-2023-1-ipu


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Improper access control

EUVDB-ID: #VU72449

Risk: Low

CVSSv4.0: 5.6 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-26343

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper access restrictions in the BIOS firmware. A local privileged user can execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerEdge R340: before 2.12.2

PowerEdge R240: before 2.12.2

PowerEdge T340: before 2.12.2

PowerEdge T140: before 2.12.2

PowerEdge XE7440: before 2.17.1

PowerEdge XE7420: before 2.17.1

PowerEdge XE2420: before 2.17.1

PowerEdge DSS8440: before 2.17.1

PowerEdge C4140: before 2.17.1

PowerEdge MX840C: before 2.17.1

PowerEdge MX740C: before 2.17.1

PowerEdge M640P: before 2.17.1

PowerEdge M640: before 2.17.1

PowerEdge FC640: before 2.17.1

PowerEdge C6420: before 2.17.1

PowerEdge T640: before 2.17.1

PowerEdge R940XA: before 2.17.1

PowerEdge R840: before 2.17.1

PowerEdge R740XD2: before 2.17.1

PowerEdge XR2: before 2.17.1

PowerEdge T440: before 2.17.1

PowerEdge R440: before 2.17.1

PowerEdge R540: before 2.17.1

PowerEdge R940: before 2.17.1

PowerEdge R640: before 2.17.1

PowerEdge R740XD: before 2.17.1

PowerEdge R740: before 2.17.1

PowerEdge T150: before 1.5.0

PowerEdge R250: before 1.5.0

PowerEdge T350: before 1.5.0

PowerEdge R350: before 1.5.0

PowerEdge XR12: before 1.9.2

PowerEdge XR11: before 1.9.2

PowerEdge R750XS: before 1.9.2

PowerEdge R650XS: before 1.9.2

PowerEdge R450: before 1.9.2

PowerEdge T550: before 1.9.2

PowerEdge R550: before 1.9.2

PowerEdge MX750c: before 1.9.2

PowerEdge C6520: before 1.9.2

PowerEdge R650: before 1.9.2

PowerEdge R750XA: before 1.9.2

PowerEdge R750: before 1.9.2

CPE2.3 External links

https://www.dell.com/support/kbdoc/nl-nl/000209268/dsa-2023-014-dell-poweredge-server-security-update-for-intel-february-2023-security-advisories-2023-1-ipu


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Improper access control

EUVDB-ID: #VU72455

Risk: Low

CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-0187

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper access restrictions in the BIOS firmware. A local user can execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerEdge R340: before 2.12.2

PowerEdge R240: before 2.12.2

PowerEdge T340: before 2.12.2

PowerEdge T140: before 2.12.2

PowerEdge XE7440: before 2.17.1

PowerEdge XE7420: before 2.17.1

PowerEdge XE2420: before 2.17.1

PowerEdge DSS8440: before 2.17.1

PowerEdge C4140: before 2.17.1

PowerEdge MX840C: before 2.17.1

PowerEdge MX740C: before 2.17.1

PowerEdge M640P: before 2.17.1

PowerEdge M640: before 2.17.1

PowerEdge FC640: before 2.17.1

PowerEdge C6420: before 2.17.1

PowerEdge T640: before 2.17.1

PowerEdge R940XA: before 2.17.1

PowerEdge R840: before 2.17.1

PowerEdge R740XD2: before 2.17.1

PowerEdge XR2: before 2.17.1

PowerEdge T440: before 2.17.1

PowerEdge R440: before 2.17.1

PowerEdge R540: before 2.17.1

PowerEdge R940: before 2.17.1

PowerEdge R640: before 2.17.1

PowerEdge R740XD: before 2.17.1

PowerEdge R740: before 2.17.1

PowerEdge T150: before 1.5.0

PowerEdge R250: before 1.5.0

PowerEdge T350: before 1.5.0

PowerEdge R350: before 1.5.0

PowerEdge XR12: before 1.9.2

PowerEdge XR11: before 1.9.2

PowerEdge R750XS: before 1.9.2

PowerEdge R650XS: before 1.9.2

PowerEdge R450: before 1.9.2

PowerEdge T550: before 1.9.2

PowerEdge R550: before 1.9.2

PowerEdge MX750c: before 1.9.2

PowerEdge C6520: before 1.9.2

PowerEdge R650: before 1.9.2

PowerEdge R750XA: before 1.9.2

PowerEdge R750: before 1.9.2

CPE2.3 External links

https://www.dell.com/support/kbdoc/nl-nl/000209268/dsa-2023-014-dell-poweredge-server-security-update-for-intel-february-2023-security-advisories-2023-1-ipu


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Use-after-free

EUVDB-ID: #VU72450

Risk: Low

CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-30539

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error in the BIOS firmware. A local user can execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerEdge R340: before 2.12.2

PowerEdge R240: before 2.12.2

PowerEdge T340: before 2.12.2

PowerEdge T140: before 2.12.2

PowerEdge XE7440: before 2.17.1

PowerEdge XE7420: before 2.17.1

PowerEdge XE2420: before 2.17.1

PowerEdge DSS8440: before 2.17.1

PowerEdge C4140: before 2.17.1

PowerEdge MX840C: before 2.17.1

PowerEdge MX740C: before 2.17.1

PowerEdge M640P: before 2.17.1

PowerEdge M640: before 2.17.1

PowerEdge FC640: before 2.17.1

PowerEdge C6420: before 2.17.1

PowerEdge T640: before 2.17.1

PowerEdge R940XA: before 2.17.1

PowerEdge R840: before 2.17.1

PowerEdge R740XD2: before 2.17.1

PowerEdge XR2: before 2.17.1

PowerEdge T440: before 2.17.1

PowerEdge R440: before 2.17.1

PowerEdge R540: before 2.17.1

PowerEdge R940: before 2.17.1

PowerEdge R640: before 2.17.1

PowerEdge R740XD: before 2.17.1

PowerEdge R740: before 2.17.1

PowerEdge T150: before 1.5.0

PowerEdge R250: before 1.5.0

PowerEdge T350: before 1.5.0

PowerEdge R350: before 1.5.0

PowerEdge XR12: before 1.9.2

PowerEdge XR11: before 1.9.2

PowerEdge R750XS: before 1.9.2

PowerEdge R650XS: before 1.9.2

PowerEdge R450: before 1.9.2

PowerEdge T550: before 1.9.2

PowerEdge R550: before 1.9.2

PowerEdge MX750c: before 1.9.2

PowerEdge C6520: before 1.9.2

PowerEdge R650: before 1.9.2

PowerEdge R750XA: before 1.9.2

PowerEdge R750: before 1.9.2

CPE2.3 External links

https://www.dell.com/support/kbdoc/nl-nl/000209268/dsa-2023-014-dell-poweredge-server-security-update-for-intel-february-2023-security-advisories-2023-1-ipu


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Exposed dangerous method or function

EUVDB-ID: #VU72464

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-36348

CWE-ID: CWE-749 - Exposed Dangerous Method or Function

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to usage of active debug code. A local user can execute arbitrary code with elevated privileges.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerEdge R340: before 2.12.2

PowerEdge R240: before 2.12.2

PowerEdge T340: before 2.12.2

PowerEdge T140: before 2.12.2

PowerEdge XE7440: before 2.17.1

PowerEdge XE7420: before 2.17.1

PowerEdge XE2420: before 2.17.1

PowerEdge DSS8440: before 2.17.1

PowerEdge C4140: before 2.17.1

PowerEdge MX840C: before 2.17.1

PowerEdge MX740C: before 2.17.1

PowerEdge M640P: before 2.17.1

PowerEdge M640: before 2.17.1

PowerEdge FC640: before 2.17.1

PowerEdge C6420: before 2.17.1

PowerEdge T640: before 2.17.1

PowerEdge R940XA: before 2.17.1

PowerEdge R840: before 2.17.1

PowerEdge R740XD2: before 2.17.1

PowerEdge XR2: before 2.17.1

PowerEdge T440: before 2.17.1

PowerEdge R440: before 2.17.1

PowerEdge R540: before 2.17.1

PowerEdge R940: before 2.17.1

PowerEdge R640: before 2.17.1

PowerEdge R740XD: before 2.17.1

PowerEdge R740: before 2.17.1

PowerEdge T150: before 1.5.0

PowerEdge R250: before 1.5.0

PowerEdge T350: before 1.5.0

PowerEdge R350: before 1.5.0

PowerEdge XR12: before 1.9.2

PowerEdge XR11: before 1.9.2

PowerEdge R750XS: before 1.9.2

PowerEdge R650XS: before 1.9.2

PowerEdge R450: before 1.9.2

PowerEdge T550: before 1.9.2

PowerEdge R550: before 1.9.2

PowerEdge MX750c: before 1.9.2

PowerEdge C6520: before 1.9.2

PowerEdge R650: before 1.9.2

PowerEdge R750XA: before 1.9.2

PowerEdge R750: before 1.9.2

CPE2.3 External links

https://www.dell.com/support/kbdoc/nl-nl/000209268/dsa-2023-014-dell-poweredge-server-security-update-for-intel-february-2023-security-advisories-2023-1-ipu


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Improper handling of exceptional conditions

EUVDB-ID: #VU72465

Risk: Low

CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-36794

CWE-ID: CWE-755 - Improper Handling of Exceptional Conditions

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper handling of errors. A local user can perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerEdge R340: before 2.12.2

PowerEdge R240: before 2.12.2

PowerEdge T340: before 2.12.2

PowerEdge T140: before 2.12.2

PowerEdge XE7440: before 2.17.1

PowerEdge XE7420: before 2.17.1

PowerEdge XE2420: before 2.17.1

PowerEdge DSS8440: before 2.17.1

PowerEdge C4140: before 2.17.1

PowerEdge MX840C: before 2.17.1

PowerEdge MX740C: before 2.17.1

PowerEdge M640P: before 2.17.1

PowerEdge M640: before 2.17.1

PowerEdge FC640: before 2.17.1

PowerEdge C6420: before 2.17.1

PowerEdge T640: before 2.17.1

PowerEdge R940XA: before 2.17.1

PowerEdge R840: before 2.17.1

PowerEdge R740XD2: before 2.17.1

PowerEdge XR2: before 2.17.1

PowerEdge T440: before 2.17.1

PowerEdge R440: before 2.17.1

PowerEdge R540: before 2.17.1

PowerEdge R940: before 2.17.1

PowerEdge R640: before 2.17.1

PowerEdge R740XD: before 2.17.1

PowerEdge R740: before 2.17.1

PowerEdge T150: before 1.5.0

PowerEdge R250: before 1.5.0

PowerEdge T350: before 1.5.0

PowerEdge R350: before 1.5.0

PowerEdge XR12: before 1.9.2

PowerEdge XR11: before 1.9.2

PowerEdge R750XS: before 1.9.2

PowerEdge R650XS: before 1.9.2

PowerEdge R450: before 1.9.2

PowerEdge T550: before 1.9.2

PowerEdge R550: before 1.9.2

PowerEdge MX750c: before 1.9.2

PowerEdge C6520: before 1.9.2

PowerEdge R650: before 1.9.2

PowerEdge R750XA: before 1.9.2

PowerEdge R750: before 1.9.2

CPE2.3 External links

https://www.dell.com/support/kbdoc/nl-nl/000209268/dsa-2023-014-dell-poweredge-server-security-update-for-intel-february-2023-security-advisories-2023-1-ipu


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Incorrect calculation

EUVDB-ID: #VU72477

Risk: Low

CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-33972

CWE-ID: CWE-682 - Incorrect Calculation

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to incorrect calculation in microcode keying mechanism. A local user can gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerEdge R340: before 2.12.2

PowerEdge R240: before 2.12.2

PowerEdge T340: before 2.12.2

PowerEdge T140: before 2.12.2

PowerEdge XE7440: before 2.17.1

PowerEdge XE7420: before 2.17.1

PowerEdge XE2420: before 2.17.1

PowerEdge DSS8440: before 2.17.1

PowerEdge C4140: before 2.17.1

PowerEdge MX840C: before 2.17.1

PowerEdge MX740C: before 2.17.1

PowerEdge M640P: before 2.17.1

PowerEdge M640: before 2.17.1

PowerEdge FC640: before 2.17.1

PowerEdge C6420: before 2.17.1

PowerEdge T640: before 2.17.1

PowerEdge R940XA: before 2.17.1

PowerEdge R840: before 2.17.1

PowerEdge R740XD2: before 2.17.1

PowerEdge XR2: before 2.17.1

PowerEdge T440: before 2.17.1

PowerEdge R440: before 2.17.1

PowerEdge R540: before 2.17.1

PowerEdge R940: before 2.17.1

PowerEdge R640: before 2.17.1

PowerEdge R740XD: before 2.17.1

PowerEdge R740: before 2.17.1

PowerEdge T150: before 1.5.0

PowerEdge R250: before 1.5.0

PowerEdge T350: before 1.5.0

PowerEdge R350: before 1.5.0

PowerEdge XR12: before 1.9.2

PowerEdge XR11: before 1.9.2

PowerEdge R750XS: before 1.9.2

PowerEdge R650XS: before 1.9.2

PowerEdge R450: before 1.9.2

PowerEdge T550: before 1.9.2

PowerEdge R550: before 1.9.2

PowerEdge MX750c: before 1.9.2

PowerEdge C6520: before 1.9.2

PowerEdge R650: before 1.9.2

PowerEdge R750XA: before 1.9.2

PowerEdge R750: before 1.9.2

CPE2.3 External links

https://www.dell.com/support/kbdoc/nl-nl/000209268/dsa-2023-014-dell-poweredge-server-security-update-for-intel-february-2023-security-advisories-2023-1-ipu


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Incorrect default permissions

EUVDB-ID: #VU72456

Risk: Low

CVSSv4.0: 3.7 [CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-33196

CWE-ID: CWE-276 - Incorrect Default Permissions

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to incorrect default permissions for memory controller configurations for some Intel Xeon processors when using Intel Software Guard Extensions. A local user escalate privileges on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerEdge R340: before 2.12.2

PowerEdge R240: before 2.12.2

PowerEdge T340: before 2.12.2

PowerEdge T140: before 2.12.2

PowerEdge XE7440: before 2.17.1

PowerEdge XE7420: before 2.17.1

PowerEdge XE2420: before 2.17.1

PowerEdge DSS8440: before 2.17.1

PowerEdge C4140: before 2.17.1

PowerEdge MX840C: before 2.17.1

PowerEdge MX740C: before 2.17.1

PowerEdge M640P: before 2.17.1

PowerEdge M640: before 2.17.1

PowerEdge FC640: before 2.17.1

PowerEdge C6420: before 2.17.1

PowerEdge T640: before 2.17.1

PowerEdge R940XA: before 2.17.1

PowerEdge R840: before 2.17.1

PowerEdge R740XD2: before 2.17.1

PowerEdge XR2: before 2.17.1

PowerEdge T440: before 2.17.1

PowerEdge R440: before 2.17.1

PowerEdge R540: before 2.17.1

PowerEdge R940: before 2.17.1

PowerEdge R640: before 2.17.1

PowerEdge R740XD: before 2.17.1

PowerEdge R740: before 2.17.1

PowerEdge T150: before 1.5.0

PowerEdge R250: before 1.5.0

PowerEdge T350: before 1.5.0

PowerEdge R350: before 1.5.0

PowerEdge XR12: before 1.9.2

PowerEdge XR11: before 1.9.2

PowerEdge R750XS: before 1.9.2

PowerEdge R650XS: before 1.9.2

PowerEdge R450: before 1.9.2

PowerEdge T550: before 1.9.2

PowerEdge R550: before 1.9.2

PowerEdge MX750c: before 1.9.2

PowerEdge C6520: before 1.9.2

PowerEdge R650: before 1.9.2

PowerEdge R750XA: before 1.9.2

PowerEdge R750: before 1.9.2

CPE2.3 External links

https://www.dell.com/support/kbdoc/nl-nl/000209268/dsa-2023-014-dell-poweredge-server-security-update-for-intel-february-2023-security-advisories-2023-1-ipu


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Improper isolation or compartmentalization

EUVDB-ID: #VU72457

Risk: Low

CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-38090

CWE-ID: CWE-653 - Improper isolation or compartmentalization

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to improper isolation of shared resources in some Intel processors when using Intel Software Guard Extensions. A local user can gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

PowerEdge R340: before 2.12.2

PowerEdge R240: before 2.12.2

PowerEdge T340: before 2.12.2

PowerEdge T140: before 2.12.2

PowerEdge XE7440: before 2.17.1

PowerEdge XE7420: before 2.17.1

PowerEdge XE2420: before 2.17.1

PowerEdge DSS8440: before 2.17.1

PowerEdge C4140: before 2.17.1

PowerEdge MX840C: before 2.17.1

PowerEdge MX740C: before 2.17.1

PowerEdge M640P: before 2.17.1

PowerEdge M640: before 2.17.1

PowerEdge FC640: before 2.17.1

PowerEdge C6420: before 2.17.1

PowerEdge T640: before 2.17.1

PowerEdge R940XA: before 2.17.1

PowerEdge R840: before 2.17.1

PowerEdge R740XD2: before 2.17.1

PowerEdge XR2: before 2.17.1

PowerEdge T440: before 2.17.1

PowerEdge R440: before 2.17.1

PowerEdge R540: before 2.17.1

PowerEdge R940: before 2.17.1

PowerEdge R640: before 2.17.1

PowerEdge R740XD: before 2.17.1

PowerEdge R740: before 2.17.1

PowerEdge T150: before 1.5.0

PowerEdge R250: before 1.5.0

PowerEdge T350: before 1.5.0

PowerEdge R350: before 1.5.0

PowerEdge XR12: before 1.9.2

PowerEdge XR11: before 1.9.2

PowerEdge R750XS: before 1.9.2

PowerEdge R650XS: before 1.9.2

PowerEdge R450: before 1.9.2

PowerEdge T550: before 1.9.2

PowerEdge R550: before 1.9.2

PowerEdge MX750c: before 1.9.2

PowerEdge C6520: before 1.9.2

PowerEdge R650: before 1.9.2

PowerEdge R750XA: before 1.9.2

PowerEdge R750: before 1.9.2

CPE2.3 External links

https://www.dell.com/support/kbdoc/nl-nl/000209268/dsa-2023-014-dell-poweredge-server-security-update-for-intel-february-2023-security-advisories-2023-1-ipu


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###