2023.1 IPU - BIOS Advisory

Advisory ID: INTEL-SA-00717
Source: Intel Security Center (www.intel.com)
Published: Feb 14, 2023

Summary:

Potential security vulnerabilities in the BIOS firmware and Intel® Trusted Execution Technology (TXT) Secure Initialization (SINIT) Authenticated Code Modules (ACM) for some Intel® Processors may allow escalation of privilege. Intel is releasing BIOS updates to mitigate these potential vulnerabilities.

Vulnerability Details:

CVEID: CVE-2022-26343

Description: Improper access control in the BIOS firmware for some Intel® Processors may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 8.2 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2022-30539

Description: Use after free in the BIOS firmware for some Intel® Processors may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2022-32231

Description: Improper initialization in the BIOS firmware for some Intel® Processors may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2022-26837

Description: Improper input validation in the BIOS firmware for some Intel® Processors may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2022-30704

Description: Improper initialization in the Intel® TXT SINIT ACM for some Intel® Processors may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.2 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N

CVEID: CVE-2021-0187

Description: Improper access control in the BIOS firmware for some Intel® Processors may allow a privileged user to potentially enable an escalation of privilege via local access.

CVSS Base Score: 3.2 Low

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N


Affected Products:

CVE-2022-26343

Product Collection | Vertical Segment | CPU ID | Platform ID
---|---|---|---
2nd Generation Intel® Xeon® Scalable Processors | Server, Workstation | 50656, 50657 | BF
Intel® Xeon® D processor family | Server | 50654 | B7
Intel® Xeon® Platinum P-8124, P-8136 processors | Server | 50653 | 97
Intel® Xeon® Scalable processor family | Server | 50654 | B7
Intel® Xeon® D processor 1500 series | Server | 50665 | 10
Intel® Xeon® D processor 1500 series | Server | 50663, 50664 | 10, 10

CVE-2022-30539

Product Collection | Vertical Segment | CPU ID | Platform ID
---|---|---|---
3rd Generation Intel® Xeon® Scalable Processor Family | Server | 5065B | BF

CVE-2022-26837

Product Collection | Vertical Segment | CPU ID | Platform ID
---|---|---|---
3rd Gen Intel® Xeon® Scalable processor | Server | 606A6 | 87
3rd Gen Intel® Xeon® Scalable processor | Server | 5065B | TBD
Intel® Xeon® E processor family | Workstation | 906EA, 906ED | 22
Intel® Xeon® E processor family | Server, Workstation | 906E9 | 2A
11th Gen Intel® Core™ processor, Intel® Xeon® W processor | Server, Workstation | A0671 | 02

CVE-2021-0187

Product Collection | Vertical Segment | CPU ID | Platform ID
---|---|---|---
3rd Gen Intel® Xeon® Scalable processor | Server | 606A6 | 87

CVE-2022-32231

Product Collection | Vertical Segment | CPU ID | Platform ID
---|---|---|---
Intel® Xeon® Scalable Processor Family | Server | 50654 | B7
3rd Generation Intel® Xeon® Scalable Processor Family | Server | 5065B | BF
2nd Generation Intel® Xeon® Scalable Processors | Server | 50657 | BF
3rd Gen Intel® Xeon® Scalable processor | Server | 606A6 | 87
Intel® Xeon® Scalable processor family | Server | 50653, 50654 | 97, B7


CVE-2022-30704

Product Collection | Vertical Segment | CPU ID | Platform ID
---|---|---|---
11th Generation Intel® Core Processor Family | Mobile | 806D1, 806C1, 806C2 | C2, 80
12th Generation Intel® Core™ Processor Family, Intel® Pentium® Gold Processor Family, Intel® Celeron® Processor Family | Desktop, Mobile | 90672, 90675, 906A3, 906A4 | 01
11th Generation Intel® Core™ Processor Family, 10th Generation Intel® Core™ Processor Family, Intel® Xeon® E-2300 processor family, Intel® Xeon® W processor family | Desktop, Server, Workstation | A0671, A0653 | 01

Recommendations:

Intel recommends that users of the listed Intel® Processors update to the latest versions provided by the system manufacturer that address these issues.
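To triage a fleet against the CPU ID column of the Affected Products tables, the following added example (not part of Intel's advisory) rebuilds the CPUID signature from the `cpu family`, `model` and `stepping` fields of Linux `/proc/cpuinfo` and returns the CVEs that list it. The function names and the sample input are constructed for illustration; the Platform ID column is not evaluated.

```python
import re

# CPU ID values transcribed from the advisory's Affected Products tables.
# Platform ID is deliberately not modelled here.
AFFECTED = {
    "CVE-2022-26343": {"50656", "50657", "50654", "50653", "50665", "50663", "50664"},
    "CVE-2022-30539": {"5065B"},
    "CVE-2022-26837": {"606A6", "5065B", "906EA", "906ED", "906E9", "A0671"},
    "CVE-2021-0187": {"606A6"},
    "CVE-2022-32231": {"50654", "5065B", "50657", "606A6", "50653"},
    "CVE-2022-30704": {"806D1", "806C1", "806C2", "90672", "90675",
                       "906A3", "906A4", "A0671", "A0653"},
}

def cpuid_signature(family, model, stepping):
    """Rebuild the CPUID.1:EAX signature (processor type bits assumed 0)."""
    base_family, ext_family = (0xF, family - 0xF) if family >= 0xF else (family, 0)
    return (ext_family << 20 | (model >> 4) << 16 | base_family << 8
            | (model & 0xF) << 4 | stepping)

def parse_cpuinfo(text):
    """Return (family, model, stepping) of the first CPU in /proc/cpuinfo text."""
    def field(name):
        m = re.search(rf"^{name}\s*:\s*(\d+)\s*$", text, re.MULTILINE)
        if m is None:
            raise ValueError(f"field {name!r} not found")
        return int(m.group(1))
    return field("cpu family"), field("model"), field("stepping")

def listed_cves(signature):
    """CVEs from this advisory whose table lists the given CPUID signature."""
    cpu_id = f"{signature:X}"
    return sorted(cve for cve, ids in AFFECTED.items() if cpu_id in ids)

# Constructed sample input, not captured from a real host.
SAMPLE = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 85
model name\t: Constructed sample CPU
stepping\t: 4
"""

if __name__ == "__main__":
    sig = cpuid_signature(*parse_cpuinfo(SAMPLE))
    print(f"CPUID {sig:X}:", listed_cves(sig) or "not listed")
```

A match only means the processor appears in the advisory's tables; whether the installed BIOS already contains the fix has to be confirmed against the system manufacturer's release notes.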

Acknowledgements:

Intel would like to thank Dmitry Frolov (CVE-2022-26837) and Yngweijw (Jiawei Yin) (CVE-2022-30539) for reporting these issues.

The following issues were found internally by Intel employees: CVE-2022-26343, CVE-2022-32231, CVE-2021-0187 and CVE-2022-30704.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.
