Intel® Server Boards BMC Firmware Advisory

Summary:

Potential security vulnerabilities in some Intel® Server Board Baseboard Management Controller (BMC) firmware may allow escalation of privilege or information disclosure. Intel is releasing firmware updates to mitigate these potential vulnerabilities.****

Vulnerability Details:

CVEID: CVE-2022-40242 (Non-Intel issued)

Description: Insufficiently protected credentials in some Intel® Server Board BMC firmware’s before versions 1.11, v0027 and 4.15 may allow an unauthenticated user to potentially enable escalation of privilege via network access.

CVSS Base Score: 8.3 High

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H****

CVEID: CVE-2022-2827 (Non-Intel issued)

Description: Improper access control in some Intel® Server Board BMC firmware before versions 1.11, v0027 and 4.15 may allow an unauthenticated user to potentially enable information disclosure via network access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N****

Affected Products:

Intel® Server Board M10JNP2SB Family BMC Firmware before version 1.11.

Intel® Server Board M20NTP Family BMC Firmware before version v0027.

Intel® Server Board M70KLP2SB Family BMC Firmware before version 4.15.

Recommendations:

Intel recommends updating the firmware for the affected Intel® Server Boards to the latest version:

• Updates for Intel® Server Board M10JNP2SB Family BMC Firmware can be found here.
• Updates for Intel® Server Board M20NTP Family BMC Firmware can be found here.
• Updates for Intel® Server Board M70KLP2SB Family BMC Firmware can be found here.

Acknowledgements:

Intel would like to thank Vlad Babkin of Eclypsium Research for reporting these issues as part of VU#507384.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.