Intel Security Center: INTEL:INTEL-SA-00917
Sep 27, 2023 - 12:00 a.m.

Intel® NUC BIOS Firmware Advisory

AI Score: 7.9 High (Confidence: High)

EPSS: 0.0004 Low (Percentile: 9.1%)

Summary:

Potential security vulnerabilities in some Intel® NUC BIOS firmware may allow escalation of privilege, information disclosure or denial of service. Intel is releasing firmware updates to mitigate these potential vulnerabilities.

Vulnerability Details:

CVEID: CVE-2023-32617

Description: Improper input validation in some Intel® NUC Rugged Kit, Intel® NUC Kit and Intel® Compute Element BIOS firmware may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 8.2 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2023-34086

Description: Improper input validation in some Intel® NUC BIOS firmware may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 8.2 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2023-22449

Description: Improper input validation in some Intel® NUC BIOS firmware may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2022-36372

Description: Improper buffer restrictions in some Intel® NUC BIOS firmware may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2023-34438

Description: Race condition in some Intel® NUC BIOS firmware may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2023-22444

Description: Improper initialization in some Intel® NUC 13 Extreme Compute Element, Intel® NUC 13 Extreme Kit, Intel® NUC 11 Performance Kit, Intel® NUC 11 Performance Mini PC, Intel® NUC Compute Element, Intel® NUC Laptop Kit, Intel® NUC Pro Kit, Intel® NUC Pro Board and Intel® NUC Pro Mini PC BIOS firmware may allow a privileged user to potentially enable information disclosure via local access.

CVSS Base Score: 6.0 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

CVEID: CVE-2023-22356

Description: Improper initialization in some Intel® NUC BIOS firmware may allow a privileged user to potentially enable information disclosure via local access.

CVSS Base Score: 6.0 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

CVEID: CVE-2023-22330

Description: Use of uninitialized resource in some Intel® NUC BIOS firmware may allow a privileged user to potentially enable information disclosure via local access.

CVSS Base Score: 6.0 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

CVEID: CVE-2023-32285

Description: Improper access control in some Intel® NUC BIOS firmware may allow a privileged user to potentially enable denial of service via local access.

CVSS Base Score: 6.0 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

CVEID: CVE-2023-34349

Description: Race condition in some Intel® NUC BIOS firmware may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 4.6 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

Affected Products:

| Product | Download Link | CVE ID |
| --- | --- | --- |
| Intel® NUC 7 Enthusiast: NUC7i7BNKQ, NUC7i7BNHXG; Intel® NUC Kit: NUC7i7DNHE, NUC7i7DNKE; Intel® NUC Board: NUC7i7DNBE | DNKBLi7v | CVE-2023-22356 |
| Intel® NUC 13 Extreme Compute Element: NUC13SBBi5, NUC13SBBi5F, NUC13SBBi7, NUC13SBBi7F, NUC13SBBi9, NUC13SBBi9F; Intel® NUC 13 Extreme Kit: NUC13RNGi5, NUC13RNGi7, NUC13RNGi9 | SBRPL790, SBRPL579 | CVE-2023-22449, CVE-2023-22444 |
| Intel® NUC Performance Kit and Mini PC: NUC10i3FNH, NUC10i3FNHF, NUC10i3FNHFA, NUC10i3FNHJA, NUC10i3FNHN, NUC10i3FNK, NUC10i3FNKN; NUC10i5FNH, NUC10i5FNHCA, NUC10i5FNHF, NUC10i5FNHJA, NUC10i5FNHJ, NUC10i5FNHN, NUC10i5FNK, NUC10i5FNKN, NUC10i5FNKPA, NUC10i5FNKP; NUC10i7FNH, NUC10i7FNHAA, NUC10i7FNHC, NUC10i7FNHJA, NUC10i7FNHN, NUC10i7FNK, NUC10i7FNKN, NUC10i7FNKP, NUC10i7FNKPA | FNCML357 | CVE-2023-22356, CVE-2023-34349 |
| Intel® NUC 8 Compute Element: CM8i3CB4N, CM8i5CB8N, CM8i7CB8N, CM8CCB4R, CM8PCB4R | CBWHL357 | CVE-2023-22356, CVE-2022-36372 |
| Intel® NUC Pro Kit, Intel NUC Pro Board: NUC8i3PNB, NUC8i3PNH, NUC8i3PNK | PNWHL357 | CVE-2023-22356, CVE-2022-36372 |
| Intel® NUC 11 Performance Kit, Intel NUC 11 Performance Mini PC: NUC11PAHi3, NUC11PAHi30Z, NUC11PAKi3, NUC11PAHi5, NUC11PAHi50Z, NUC11PAKi5, NUC11PAQi50WA, NUC11PAHi7, NUC11PAHi70Z, NUC11PAKi7, NUC11PAQi70QA | PATGL357 | CVE-2023-22449, CVE-2023-22356, CVE-2023-22330, CVE-2023-22444, CVE-2023-34349 |
| Intel® NUC 11 Compute Element: CM11EBi38W, CM11EBi58W, CM11EBi716W, CM11EBC4W | EBTGL357 | CVE-2023-22449, CVE-2023-22356, CVE-2023-22330, CVE-2023-22444, CVE-2023-34349 |
| Intel® NUC 12 Compute Element: ELM12HBi3, ELM12HBi5, ELM12HBi7, ELM12HBC | HBADL357 | CVE-2023-22449, CVE-2023-22356, CVE-2023-22444, CVE-2023-34349 |
| Intel® NUC Extreme, Intel® NUC 12 Extreme Compute Element: NUC12DCMi7, NUC12EDBi7, NUC12DCMi9, NUC12EDBi9 | EDADL579 | CVE-2023-22449, CVE-2023-22356, CVE-2023-22444, CVE-2023-34349 |
| Intel® NUC Laptop Kit: LAPRC510, LAPRC710 | RCADL357 | CVE-2023-22449, CVE-2023-22356, CVE-2023-22444, CVE-2023-34349 |
| Intel® NUC Pro Board, Intel® NUC Pro Kit: NUC12WSBi3, NUC12WSBi30Z, NUC12WSHi3, NUC12WSHi30L, NUC12WSHi30Z, NUC12WSKi3, NUC12WSKi30Z; NUC12WSBi5, NUC12WSBi50Z, NUC12WSHi5, NUC12WSHi50Z, NUC12WSKi5, NUC12WSKi50Z; NUC12WSBi70Z, NUC12WSHi7, NUC12WSHi70Z, NUC12WSKi7, NUC12WSKi70Z | WSADL357 | CVE-2023-22449, CVE-2023-22356, CVE-2023-22444, CVE-2023-34349 |
| Intel® NUC Laptop Kits: LAPAC71H, LAPAC71G | ACADL357 | CVE-2023-22449, CVE-2023-22356, CVE-2023-22444, CVE-2023-34349 |
| Intel® NUC Enthusiast: NUC12SNKi72, NUC12SNKi72VA | SNADL357 | CVE-2023-22449, CVE-2023-22356, CVE-2023-22444, CVE-2023-34349 |
| Intel® NUC Essential: NUC11ATBC4, NUC11ATKC2, NUC11ATKC2, NUC11ATKC4, NUC11ATKPE | ATJSLCPX | CVE-2023-22449, CVE-2023-22356, CVE-2023-22444, CVE-2023-34349 |
| Intel® NUC Laptop Kit: LAPBC510, LAPBC710 | BCTGL357 | CVE-2023-22449, CVE-2023-22356, CVE-2023-22330, CVE-2023-22444, CVE-2023-34349 |
| Intel® NUC Laptop Kit: LAPKC51E, LAPKC71E, LAPKC71F | KCTGL357 | CVE-2023-22449, CVE-2023-22356, CVE-2023-22330, CVE-2023-22444, CVE-2023-34349 |
| Intel® NUC Extreme Compute Element: NUC11BTMi7, NUC11DBBi7, NUC11BTMi9, NUC11DBBi9 | DBTGL579 | CVE-2023-22449, CVE-2023-22356, CVE-2023-22330, CVE-2023-22444, CVE-2023-34349 |
| Intel® NUC Boards: NUC11TNBi3, NUC11TNBi30Z, NUC11TNHi3, NUC11TNHi30L, NUC11TNHi30P, NUC11TNHi30Z, NUC11TNKi3, NUC11TNKi30Z; NUC11TNBi5, NUC11TNBi50Z, NUC11TNHi5, NUC11TNHi50L, NUC11TNHi50W, NUC11TNHi50Z, NUC11TNKi5, NUC11TNKi50Z; NUC11TNBi7, NUC11TNBi70Z, NUC11TNHi7, NUC11TNHi70L, NUC11TNHi70Q, NUC11TNHi70Z, NUC11TNKi7, NUC11TNKi70Z | TNTGL357 | CVE-2023-22449, CVE-2023-22356, CVE-2023-22330, CVE-2023-22444, CVE-2023-34349 |
| Intel® NUC: NUC11PHKi7C, NUC11PHKi7CAA | PHTGL579 | CVE-2023-22449, CVE-2023-22330, CVE-2023-22356, CVE-2023-22444, CVE-2023-34349 |
| Intel® NUC Pro Compute Element: NUC9V7QNB, NUC9V7QNX, NUC9VXQNB, NUC9VXQNX | QNCFLX70 | CVE-2023-22356, CVE-2022-36372 |
| Intel® NUC Rugged Kit: NUC8CCHB, NUC8CCHBN, NUC8CCHKRN, NUC8CCHKR | CHAPLCEL | CVE-2023-22356, CVE-2022-36372, CVE-2023-34086, CVE-2023-34438, CVE-2023-32617 |
| Intel® NUC Business, Intel® NUC Enthusiast, Intel® NUC Kit: NUC8i7HNKQC, NUC8i7HVKVA, NUC8i7HVKVAW, NUC8i7HVK, NUC8i7HNK | HNKBKi70 | CVE-2023-22356, CVE-2022-36372 |
| Intel® NUC Pro Kit, Intel® NUC Pro Board, Intel® NUC Pro Mini PC: NUC11TNKv50Z, NUC11TNHv70L, NUC11TNHv50L, NUC11TNKv5, NUC11TNKv7, NUC11TNHv5, NUC11TNHv7, NUC11TNBv7, NUC11TNBv5, NUC11TNKv5, NUC11TNKv7 | TNTGLV57 | CVE-2023-22356, CVE-2023-22449, CVE-2023-22330, CVE-2023-22444, CVE-2023-34349 |
| Intel® NUC Kit: NUC6CAYH, NUC6CAYS; Intel® NUC Mini PC, Intel® NUC Kit, Intel® NUC Enthusiast, Intel® NUC Board: NUC7i3BNHXF, NUC7i3BNK, NUC7i3BNH, NUC7i3BNB, NUC7i5BNHX1, NUC7i5BNH, NUC7i5BNK, NUC7i5BNHXF, NUC7i5BNKP, NUC7i5BNB, NUC7i7BNH, NUC7i7BNHX1, NUC7i7BNHXG, NUC7i3BNHX1, NUC7i7BNKQ, NUC7i7BNB; Intel® Compute Element: STK2mv64CC | AYAPLCEL, BNKBL357, CCSKLm5v | CVE-2023-34086, CVE-2023-34438, CVE-2023-32617, CVE-2023-32285 |

Recommendations:

Intel recommends updating the affected Intel® NUC BIOS firmware to the latest version (see provided table above).

Acknowledgements:

The following issue was found internally by Intel employees. Intel would like to thank Page Wu, Kamal Lee, Jan Halvorsen, Poching Lee and Jack Hung (CVE-2023-32285).

The following issues were found by external researchers. Intel would like to thank Yngweijw (Jiawei Yin) (CVE-2023-34438, CVE-2023-32617, CVE-2023-34086), Another1024, Ccrack and Redapple (CVE-2023-34349) for reporting these issues.

The following issues were found separately by Intel employees and external researchers. Intel would like to thank the BINARLY efiXplorer team (CVE-2022-36372, CVE-2023-22449, CVE-2023-22356, CVE-2023-22444, CVE-2023-22330), Stan Chang (CVE-2023-22449) and Page Wu (CVE-2023-22444, CVE-2023-22330, CVE-2023-22356).

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.
