Intel Security Center: INTEL:INTEL-SA-00807
Jul 07, 2023 - 12:00 a.m.

2023.2 IPU – BIOS Advisory


EPSS: 0.0004 (Low), Percentile: 9.0%

Summary:

Potential security vulnerabilities in BIOS firmware for some Intel® Processors may allow escalation of privilege and information disclosure. Intel is releasing firmware updates to mitigate these potential vulnerabilities.

Vulnerability Details:

CVEID: CVE-2022-33894

Description: Improper input validation in the BIOS firmware for some Intel® Processors may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2022-38087

Description: Exposure of resource to wrong sphere in BIOS firmware for some Intel® Processors may allow a privileged user to potentially enable information disclosure via local access.

CVSS Base Score: 4.1 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N

Affected Products:

CVE-2022-33894:

| Product Collection | Vertical Segment | CPU ID | Platform ID |
|---|---|---|---|
| 8th Generation Intel® Core™ Processor Family<br>9th Generation Intel® Core™ Processor Family | Mobile<br>Desktop | 906EA<br>906EB<br>906EC<br>906ED | 22 |
| Intel® Xeon® Processor E Family | Server, Workstation | 906EA<br>906ED | 22 |
| 8th Generation Intel® Core™ Processor Family | Mobile | 806EA | C0 |
| 8th Generation Intel® Core™ Processors | Mobile, Embedded | 806EC<br>806EB | D0<br>94 |
| 7th Generation Intel® Core™ Processor Family | Desktop | 906E9 | 2A |
| 7th Generation Intel® Core™ Processor Family | Mobile | 806E9<br>806EA | C0 |
| 8th Generation Intel® Core™ Processor Family<br>10th Generation Intel® Core™ Processor Family | Mobile | 806E9<br>806EC | 10<br>94 |
| 10th Generation Intel® Core™ Processor Family | Mobile<br>Desktop | A0652<br>A0653<br>A0655<br>A0660<br>A0661<br>806EC | 20<br>01<br>22<br>80<br>80<br>07 |

CVE-2022-38087:

| Product Collection | Vertical Segment | CPU ID | Platform ID |
|---|---|---|---|
| 8th Generation Intel® Core™ Processor Family<br>10th Generation Intel® Core™ Processor Family | Mobile | 806E9<br>806EC | 10<br>94 |
| 8th Generation Intel® Core™ Processor Family | Mobile | 806EA | C0 |
| 7th Generation Intel® Core™ Processor Family | Mobile | 806E9 | C0 |
| 8th Generation Intel® Core™ Processor Family<br>9th Generation Intel® Core™ Processor Family | Mobile<br>Desktop | 906EA<br>906EB<br>906EC<br>906ED | 22 |
| Intel® Xeon® E Processor Family | Desktop, Server, Workstation | 906EA<br>906ED | 22 |
| Intel® Xeon® E processor Family<br>7th Generation Intel® Core™ Processor Family | Server<br>Desktop | 906E9 | 2A |
| Intel® Xeon® Scalable Processor Family | Server | 50654 | B7 |
| 8th Generation Intel® Core™ Processors | Mobile | 806EB<br>806EC | D0<br>94 |
| Intel® Xeon® Platinum P-8124, P-8136 processors,<br>Intel® Xeon® Scalable processor Family | Server | 50653<br>50654 | 97<br>B7 |
| Intel® Xeon® D Processor Family,<br>Intel® Xeon® W Processor Family | Server, Desktop | 50654 | B7 |

Recommendations:

Intel recommends that users of listed Intel® Processors update to the latest versions provided by the system manufacturer that address these issues.

Acknowledgements:

Intel would like to thank Yngweijw (Jiawei Yin) (CVE-2022-33894) and the Binarly efiXplorer team (CVE-2022-38087) for reporting these issues.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.
