SB2023022190 - Multiple vulnerabilities in Dell PowerEdge Server firmware




Published: February 21, 2023

Security Bulletin ID: SB2023022190
Severity: Low
Patch available: YES
Number of vulnerabilities: 12
Exploitation vector: Adjacent network
Highest impact: Code execution

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 12 security vulnerabilities.


1) Improper access control (CVE-ID: CVE-2022-21216)

The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in out-of-band management in Intel processors. A remote privileged user on the local network can bypass implemented security restrictions and gain unauthorized access to the application.


2) Improper Initialization (CVE-ID: CVE-2022-32231)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper initialization in the BIOS firmware. A local user can run a specially crafted application to execute arbitrary code with escalated privileges on the system.


3) Improper Initialization (CVE-ID: CVE-2022-30704)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper initialization in the Intel(R) TXT SINIT ACM. A local user can run a specially crafted application to execute arbitrary code with escalated privileges on the system.


4) Input validation error (CVE-ID: CVE-2022-26837)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to insufficient validation of user-supplied input in the BIOS firmware. A local user can execute arbitrary code with elevated privileges.


5) Improper access control (CVE-ID: CVE-2022-26343)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper access restrictions in the BIOS firmware. A local privileged user can execute arbitrary code with elevated privileges.


6) Improper access control (CVE-ID: CVE-2021-0187)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper access restrictions in the BIOS firmware. A local user can execute arbitrary code with elevated privileges.


7) Use-after-free (CVE-ID: CVE-2022-30539)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error in the BIOS firmware. A local user can execute arbitrary code with elevated privileges.


8) Exposed dangerous method or function (CVE-ID: CVE-2022-36348)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to usage of active debug code. A local user can execute arbitrary code with elevated privileges.


9) Improper handling of exceptional conditions (CVE-ID: CVE-2022-36794)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper handling of errors. A local user can perform a denial of service (DoS) attack.


10) Incorrect calculation (CVE-ID: CVE-2022-33972)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to incorrect calculation in the microcode keying mechanism. A local user can gain access to sensitive information.


11) Incorrect default permissions (CVE-ID: CVE-2022-33196)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to incorrect default permissions for memory controller configurations for some Intel Xeon processors when using Intel Software Guard Extensions. A local user can escalate privileges on the system.


12) Improper isolation or compartmentalization (CVE-ID: CVE-2022-38090)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to improper isolation of shared resources in some Intel processors when using Intel Software Guard Extensions. A local user can gain access to sensitive information.


Remediation

Install the update from the vendor's website.