Intel Security Center, INTEL:INTEL-SA-00601

History: May 13, 2022 - 12:00 a.m.

2022.1 IPU – BIOS Advisory

www.intel.com

Summary:

Potential security vulnerabilities in the BIOS firmware or BIOS authenticated code module for some Intel® Processors may allow escalation of privilege or information disclosure. Intel is releasing BIOS updates to mitigate these potential vulnerabilities.

Vulnerability Details:

CVEID: CVE-2021-0154

Description: Improper input validation in the BIOS firmware for some Intel® Processors may allow a privileged user to potentially enable an escalation of privilege via local access.

CVSS Base Score: 8.2 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2021-0153

Description: Out-of-bounds write in the BIOS firmware for some Intel® Processors may allow a privileged user to potentially enable an escalation of privilege via local access.

CVSS Base Score: 8.2 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2021-33123

Description: Improper access control in the BIOS authenticated code module for some Intel® Processors may allow a privileged user to potentially enable an escalation of privilege via local access.

CVSS Base Score: 8.2 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2021-0190

Description: Uncaught exception in the BIOS firmware for some Intel® Processors may allow a privileged user to potentially enable an escalation of privilege via local access.

CVSS Base Score: 8.2 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2021-33122

Description: Insufficient control flow management in the BIOS firmware for some Intel® Processors may allow a privileged user to potentially enable an escalation of privilege via local access.

CVSS Base Score: 7.9 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H

CVEID: CVE-2021-0189

Description: Use of out-of-range pointer offset in the BIOS firmware for some Intel® Processors may allow a privileged user to potentially enable an escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2021-33124

Description: Out-of-bounds write in the BIOS authenticated code module for some Intel® Processors may allow a privileged user to potentially enable an escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2021-33103

Description: Unintended intermediary in the BIOS authenticated code module for some Intel® Processors may allow a privileged user to potentially enable an escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2021-0159

Description: Improper input validation in the BIOS authenticated code module for some Intel® Processors may allow a privileged user to potentially enable an escalation of privilege via local access.

CVSS Base Score: 7.4 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L

CVEID: CVE-2021-0188

Description: Return of pointer value outside of expected range in the BIOS firmware for some Intel® Processors may allow a privileged user to potentially enable an escalation of privilege via local access.

CVSS Base Score: 5.3 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N

CVEID: CVE-2021-0155

Description: Unchecked return value in the BIOS firmware for some Intel® Processors may allow a privileged user to potentially enable information disclosure via local access.

CVSS Base Score: 4.4 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Affected Products:

Product Collection | Vertical Segment | CPU ID | Platform ID | CVE ID
---|---|---|---|---
2nd Generation Intel® Xeon® Scalable Processors | Server | 50657 | BF | CVE-2021-0159, CVE-2021-0189, CVE-2021-33123, CVE-2021-33124
Intel® Xeon® Processor D Family | Server | 50654 | B7 | CVE-2021-33123, CVE-2021-33124
Rocket Lake Xeon | Server, Workstation | A0671 | 02 | CVE-2021-33103, CVE-2021-33122, CVE-2021-33123, CVE-2021-33124
3rd Generation Intel® Xeon® Scalable Processor Family | Server | 5065B | 5065B | CVE-2021-0159, CVE-2021-33123, CVE-2021-33124
Intel® Core™ Processors with Intel® Hybrid Technology | Mobile | 806A1 | 10 | CVE-2021-33122
10th Generation Intel® Core™ Processor Family | Mobile | 706E5 | 80 |
Intel® Pentium® Silver N6000 Processor Family, Intel® Celeron® N4000 and N5000 Processor Families | Client | 906C0 | 01 |
9th Generation Intel® Core Processor Family | Client | A0671 | 02 | CVE-2021-33103, CVE-2021-33122, CVE-2021-33123, CVE-2021-33124
10th Generation Intel® Core™ Processors | Client | A0653, A0655 | 01, 22 | CVE-2021-33103, CVE-2021-33122, CVE-2021-33123, CVE-2021-33124
10th Generation Intel® Core™ Processors | Client | 806EC, A0652, A0653, A0655, A0655, A0660, A0661 | 94, 20, 22, 01, 22, 80, 80 |
8th Generation Intel® Core™ Processors | Mobile | 806EB, 806EC | D0, 94 | CVE-2021-33123, CVE-2021-33124
8th Generation Intel® Core™ Processors | Mobile Desktop | 906EA, 906EB, 906ED | 02, 22 |
7th Generation Intel® Core™ Processors | Client | 806E9, 806EA, 906E9, 806E9, 806EC | C0, C0, 2A, 10, 94 |
Intel® Core™ X-series Processors | Desktop | 906E9 | 2A | CVE-2021-33123, CVE-2021-33124
Intel® Xeon® Processor W Family | Workstation | 50654 | B7 |
Intel® Xeon® Processor W Family | Workstation | 50657 | BF |
Intel® Xeon® Processor E Family | Server, Workstation | 906E, 906ED | 22 | CVE-2021-0154, CVE-2021-0189, CVE-2021-33123, CVE-2021-33124
Intel® Xeon® Processor E3 v6 Family | Server, Workstation | 906E9 | 2A | CVE-2021-0154, CVE-2021-0188, CVE-2021-0189, CVE-2021-33123, CVE-2021-33124
Intel® Xeon® Processor E3 v5 Family | Server, Workstation | 506E3 | 36 |
Intel® Xeon® Processor E7 v4 Family | Workstation | 406F1 | EF | CVE-2021-0154, CVE-2021-0155, CVE-2021-0189, CVE-2021-33123, CVE-2021-33124
Intel® Xeon® Processor D Family | Server | 50665 | 10 | CVE-2021-0154, CVE-2021-0155, CVE-2021-33123, CVE-2021-33124
Intel® Xeon® Processor D Family | Server | 50662 | 10 |
Intel® Xeon® Processor E5 v4 Family, Intel® Core™ X-series Processors | Server | 406F1 | EF | CVE-2021-0153, CVE-2021-0154, CVE-2021-0155, CVE-2021-0190, CVE-2021-33123, CVE-2021-33124
11th Generation Intel® Core Processor Family | Client | 806C1 | 80 | CVE-2021-33103, CVE-2021-33122

Recommendations:

Intel recommends that users of listed Intel® Processors update to the latest versions provided by the system manufacturer that address these issues.
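To decide which hosts the recommendation applies to, the CPU ID column can be compared with the CPUID signature each machine reports. The following is an added example, not part of Intel's advisory: it assumes the Linux `/proc/cpuinfo` field layout, the function names are hypothetical, and it checks neither the Platform ID column nor the installed BIOS version.

```python
import re

# CPU IDs (hex CPUID signatures) copied from the Affected Products table in
# this advisory. The table's four-digit entry "906E" is left out.
AFFECTED_CPU_IDS = {
    "50654", "50657", "5065B", "50662", "50665", "406F1", "506E3",
    "706E5", "806A1", "806C1", "806E9", "806EA", "806EB", "806EC",
    "906C0", "906E9", "906EA", "906EB", "906ED",
    "A0652", "A0653", "A0655", "A0660", "A0661", "A0671",
}

def cpuid_signature(family, model, stepping):
    """Rebuild CPUID.1:EAX from display family/model/stepping (type bits = 0)."""
    base_family = min(family, 0xF)
    ext_family = family - base_family
    # The extended model field is only defined for base family 6 and 15.
    ext_model = model >> 4 if base_family in (0x6, 0xF) else 0
    return ((ext_family << 20) | (ext_model << 16) | (base_family << 8)
            | ((model & 0xF) << 4) | stepping)

def triage(cpuinfo_text):
    """Map each CPU signature in /proc/cpuinfo-style text to True if listed."""
    result = {}
    for block in cpuinfo_text.strip().split("\n\n"):
        fields = dict(re.findall(r"^([^\t:\n]+?)[ \t]*:[ \t]*(.*)$", block, re.M))
        try:
            sig = cpuid_signature(int(fields["cpu family"]),
                                  int(fields["model"]), int(fields["stepping"]))
        except (KeyError, ValueError):
            continue  # block without x86 family/model/stepping fields
        result[f"{sig:X}"] = f"{sig:X}" in AFFECTED_CPU_IDS
    return result

# Constructed sample input: one processor block from each of two hosts.
SAMPLE = """processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 85
stepping\t: 7

processor\t: 0
cpu family\t: 6
model\t\t: 143
stepping\t: 8
"""

if __name__ == "__main__":
    for sig, hit in triage(SAMPLE).items():
        print(sig, "listed in INTEL-SA-00601" if hit else "not listed")
```

A match means the processor is in the advisory's scope; whether the host is already fixed depends on the BIOS release from the system manufacturer.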

Acknowledgements:

The following issues were found internally by Intel employees: CVE-2021-0153, CVE-2021-0154, CVE-2021-0155, CVE-2021-0159, CVE-2021-0188, CVE-2021-0189, CVE-2021-0190, CVE-2021-33103, and CVE-2021-33122. Intel would like to thank Jorge E. Gonzalez Diaz and Nicholas Armour.

Intel would like to thank Hugo Magalhaes from Oracle (CVE-2021-33123, CVE-2021-33124) for reporting these issues.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.
