Intel Security Center, INTEL:INTEL-SA-00908

Nov 14, 2023 - 12:00 a.m.

Intel® NUC Software Advisory

www.intel.com

AI Score: 8.7 High (Confidence: High)

EPSS: 0.0004 Low (Percentile: 10.6%)

Summary:

Potential security vulnerabilities in some Intel® NUC Software may allow escalation of privilege, denial of service, and information disclosure. Intel is releasing software updates to mitigate these potential vulnerabilities.

Vulnerability Details:

CVEID: CVE-2023-28737

Description: Improper initialization in some Intel® Aptio* V UEFI Firmware Integrator Tools may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 8.8 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2022-36396

Description: Improper access control in some Intel® Aptio* V UEFI Firmware Integrator Tools before version iDmiEdit-Linux-5.27.06.0017 may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 8.2 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2023-28397

Description: Improper access control in some Intel® Aptio* V UEFI Firmware Integrator Tools may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.8 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVEID: CVE-2022-36374

Description: Improper access control in some Intel® Aptio* V UEFI Firmware Integrator Tools before version iDmi Windows 5.27.03.0003 may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2023-32661

Description: Improper authentication in some Intel® NUC Kits NUC7PJYH and NUC7CJYH Realtek* SD Card Reader Driver installation software before version 10.0.19041.29098 may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CVEID: CVE-2022-33898

Description: Insecure inherited permissions in some Intel® NUC Watchdog Timer installation software before version 2.0.21.0 may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CVEID: CVE-2022-27229

Description: Path traversal in some Intel® NUC Kits NUC7i3DN, NUC7i5DN, NUC7i7DN HDMI firmware update tool software before version 1.79.1.1 may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CVEID: CVE-2022-41700

Description: Insecure inherited permissions in some Intel® NUC Pro Software Suite installation software before version 2.0.0.9 may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CVEID: CVE-2023-32658

Description: Unquoted search path in some Intel® NUC Kits NUC7i3DN, NUC7i5DN, NUC7i7DN HDMI firmware update tool software before version 1.79.1.1 may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CVEID: CVE-2023-33874

Description: Uncontrolled search path in some Intel® NUC 12 Pro Kits & Mini PCs - NUC12WS Intel® HID Event Filter Driver installation software before version 2.2.2.1 for Windows may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CVEID: CVE-2023-32660

Description: Uncontrolled search path in some Intel® NUC Kit NUC6i7KYK Thunderbolt™ 3 Firmware Update Tool installation software before version 46 may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CVEID: CVE-2022-36377

Description: Insecure inherited permissions in some Intel® Wireless Adapter Driver installation software for Intel® NUC Kits & Mini PCs before version 22.190.0.3 for Windows may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CVEID: CVE-2023-33878

Description: Path traversal in some Intel® NUC P14E Laptop Element Audio Install Package software before version 156 for Windows may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CVEID: CVE-2023-28377

Description: Improper authentication in some Intel® NUC Kit NUC11PH USB firmware installation software before version 1.1 for Windows may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CVEID: CVE-2023-32278

Description: Path traversal in some Intel® NUC Uniwill Service Driver for Intel® NUC M15 Laptop Kits - LAPRC510 & LAPRC710 Uniwill Service Driver installation software before version 1.0.1.7 for Intel® NUC Software Studio may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CVEID: CVE-2023-32655

Description: Path traversal in some Intel® NUC Kits & Mini PCs - NUC8i7HVK & NUC8HNK USB Type C power delivery controller installation software before version 1.0.10.3 for Windows may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CVEID: CVE-2023-22310

Description: Race condition in some Intel® Aptio* V UEFI Firmware Integrator Tools may allow an authenticated user to potentially enable denial of service via local access.

CVSS Base Score: 6.5 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

CVEID: CVE-2023-26589

Description: Use after free in some Intel® Aptio* V UEFI Firmware Integrator Tools may allow an authenticated user to potentially enable denial of service via local access.

CVSS Base Score: 6.5 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

CVEID: CVE-2023-22305

Description: Integer overflow in some Intel® Aptio* V UEFI Firmware Integrator Tools may allow an authenticated user to potentially enable denial of service via local access.

CVSS Base Score: 6.5 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

CVEID: CVE-2023-25949

Description: Uncontrolled resource consumption in some Intel® Aptio* V UEFI Firmware Integrator Tools may allow an authenticated user to potentially enable denial of service via local access.

CVSS Base Score: 5.5 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVEID: CVE-2023-28723

Description: Exposure of sensitive information to an unauthorized actor in some Intel® Aptio* V UEFI Firmware Integrator Tools may allow an authenticated user to potentially enable information disclosure via local access.

CVSS Base Score: 3.3 Low

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Affected Products:

Intel® NUC Kit NUC6i7KYK Thunderbolt™3 Firmware Update Tool software installer before version 46.

Intel® NUC Kits NUC7i3DN, NUC7i5DN, NUC7i7DN HDMI firmware update tool before version 1.79.1.1.

Intel® NUC Kits NUC7PJYH and NUC7CJYH Realtek* SD Card Reader Driver software installer before version 10.0.19041.29098.

Intel® NUC Kits & Mini PCs - NUC8i7HVK & NUC8HNK USB Type C power delivery controller software installer before version 1.0.10.3 for Windows.

Intel® NUC Kit NUC11PH USB firmware software installer before version 1.1 for Windows.

Intel® NUC 12 Pro Kits & Mini PCs - NUC12WS Intel® HID Event Filter Driver software installer before version 2.2.2.1 for Windows.

Intel® NUC P14E Laptop Element Audio Install Package before version 156 for Windows.

Intel® NUC M15 Laptop Kits - LAPRC510 & LAPRC710 Uniwill Service Driver software installer before version 1.0.1.7 for Intel® NUC Software Studio.

Intel® Wireless Adapter Driver software installer for Intel® NUC Kits & Mini PCs before version 22.190.0.3 for Windows.

Intel® Aptio* V UEFI Firmware Integrator Tools before versions iDmiEdit-Linux-5.27.06.0017 & iDmi-Windows-5.27.03.0003.

Intel® NUC Pro Software Suite software installer before version 2.0.0.9.

Intel® NUC Watchdog Timer software installer before version 2.0.21.0.

Recommendation:

Intel recommends updating NUC Software to the latest version (see provided table).

Product | CVE ID | Download location
---|---|---
Intel® Aptio* V UEFI Firmware Integrator Tools | CVE-2022-36396, CVE-2022-36374, CVE-2023-28737, CVE-2023-28397, CVE-2023-26589, CVE-2023-22305, CVE-2023-22310, CVE-2023-25949, CVE-2022-28723 | 19504
Intel® NUC Kits NUC7i3DN, NUC7i5DN, NUC7i7DN HDMI firmware update tool | CVE-2022-27229, CVE-2023-32658 | 19749
Intel® NUC Pro Software Suite software installer | CVE-2022-41700 | 732573
Intel® NUC Watchdog Timer software installer | CVE-2022-33898 | 19446
Intel® NUC Kits NUC7PJYH and NUC7CJYH Realtek* SD Card Reader Driver software installer | CVE-2023-32661 | 19748
Intel® NUC 12 Pro Kits & Mini PCs - NUC12WS Intel® HID Event Filter Driver software installer for Windows | CVE-2023-33874 | 739797
Intel® NUC Kit NUC6i7KYK Thunderbolt™3 Firmware Update Tool software installer | CVE-2023-32660 | 18745
Intel® Wireless Adapter Driver software installer for Intel® NUC Kits & Mini PCs for Windows | CVE-2022-36377 | 716640
Intel® NUC Kits & Mini PCs - NUC8i7HVK & NUC8HNK USB Type C power delivery controller software installer for Windows | CVE-2023-32655 | 772318
Intel® NUC M15 Laptop Kits - LAPRC510 & LAPRC710 Uniwill Service Driver software installer for Intel® NUC Software Studio. | CVE-2023-32278 | 765240
Intel® NUC Kit NUC11PH USB firmware software installer for Windows | CVE-2023-28377 | 000093521
Intel® NUC P14E Laptop Element Audio Install Package for Windows | CVE-2023-33878 | 19823

Acknowledgements:

Intel would like to thank Marius Gabriel Mihai (CVE-2023-32278) (CVE-2023-32655) (CVE-2023-33878), Falcon Corruption@falconCorrp (CVE-2023-28377) (CVE-2023-32660) (CVE-2023-32661) (CVE-2023-33874), Aobo Wang of Chaitin Security Research Lab (CVE-2023-22305) (CVE-2023-22310) (CVE-2023-25949) (CVE-2023-26589) (CVE-2023-28397) (CVE-2023-28723) (CVE-2023-28737) (CVE-2022-33898), 7azimo Hazem Brini (CVE-2022-27229) and an external researcher (CVE-2022-36377) (CVE-2023-32658) for reporting these issues.

CVE-2022-36396 and CVE-2022-36374 were found internally by Intel employees. Intel would like to thank Yehonatan Lusky and Benny Zeltser.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.
