Potential security vulnerabilities in some Intel® NUC BIOS firmware may allow escalation of privilege, information disclosure or denial of service. Intel is releasing firmware updates to mitigate these potential vulnerabilities.
CVEID: CVE-2023-32617
Description: Improper input validation in some Intel® NUC Rugged Kit, Intel® NUC Kit and Intel® Compute Element BIOS firmware may allow a privileged user to potentially enable escalation of privilege via local access.
CVSS Base Score: 8.2 High
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVEID: CVE-2023-34086
Description: Improper input validation in some Intel® NUC BIOS firmware may allow a privileged user to potentially enable escalation of privilege via local access.
CVSS Base Score: 8.2 High
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVEID: CVE-2023-22449
Description: Improper input validation in some Intel® NUC BIOS firmware may allow a privileged user to potentially enable escalation of privilege via local access.
CVSS Base Score: 7.5 High
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
CVEID: CVE-2022-36372
Description: Improper buffer restrictions in some Intel® NUC BIOS firmware may allow a privileged user to potentially enable escalation of privilege via local access.
CVSS Base Score: 7.5 High
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
CVEID: CVE-2023-34438
Description: Race condition in some Intel® NUC BIOS firmware may allow a privileged user to potentially enable escalation of privilege via local access.
CVSS Base Score: 7.5 High
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
CVEID: CVE-2023-22444
Description: Improper initialization in some Intel® NUC 13 Extreme Compute Element, Intel® NUC 13 Extreme Kit, Intel® NUC 11 Performance Kit, Intel® NUC 11 Performance Mini PC, Intel® NUC Compute Element, Intel® NUC Laptop Kit, Intel® NUC Pro Kit, Intel® NUC Pro Board and Intel® NUC Pro Mini PC BIOS firmware may allow a privileged user to potentially enable information disclosure via local access.
CVSS Base Score: 6.0 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
CVEID: CVE-2023-22356
Description: Improper initialization in some Intel® NUC BIOS firmware may allow a privileged user to potentially enable information disclosure via local access.
CVSS Base Score: 6.0 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
CVEID: CVE-2023-22330
Description: Use of uninitialized resource in some Intel® NUC BIOS firmware may allow a privileged user to potentially enable information disclosure via local access.
CVSS Base Score: 6.0 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
CVEID: CVE-2023-32285
Description: Improper access control in some Intel® NUC BIOS firmware may allow a privileged user to potentially enable denial of service via local access.
CVSS Base Score: 6.0 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
CVEID: CVE-2023-34349
Description: Race condition in some Intel® NUC BIOS firmware may allow a privileged user to potentially enable escalation of privilege via local access.
CVSS Base Score: 4.6 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Product | Download Link | CVE ID |
---|---|---|
Intel® NUC 7 Enthusiast: NUC7i7BNKQ, NUC7i7BNHXG. | | |
Intel® NUC Kit: NUC7i7DNHE, NUC7i7DNKE. | | |
Intel® NUC Board: NUC7i7DNBE. | DNKBLi7v | CVE-2023-22356 |
Intel® NUC 13 Extreme Compute Element: NUC13SBBi5, NUC13SBBi5F, NUC13SBBi7, NUC13SBBi7F, NUC13SBBi9, NUC13SBBi9F. | | |
Intel® NUC 13 Extreme Kit: NUC13RNGi5, NUC13RNGi7, NUC13RNGi9. | | |
Intel® NUC Performance Kit and Mini PC: NUC10i3FNH, NUC10i3FNHF, NUC10i3FNHFA, NUC10i3FNHJA, NUC10i3FNHN, NUC10i3FNK, NUC10i3FNKN. NUC10i5FNH, NUC10i5FNHCA, NUC10i5FNHF, NUC10i5FNHJA, NUC10i5FNHJ, NUC10i5FNHN, NUC10i5FNK, NUC10i5FNKN, NUC10i5FNKPA, NUC10i5FNKP. NUC10i7FNH, NUC10i7FNHAA, NUC10i7FNHC, NUC10i7FNHJA, NUC10i7FNHN, NUC10i7FNK, NUC10i7FNKN, NUC10i7FNKP, NUC10i7FNKPA. | | CVE-2023-34349 |
Intel® NUC 8 Compute Element: CM8i3CB4N, CM8i5CB8N, CM8i7CB8N, CM8CCB4R, CM8PCB4R. | CBWHL357 | CVE-2023-22356, CVE-2022-36372 |
Intel® NUC Pro Kit, Intel NUC Pro Board: NUC8i3PNB, NUC8i3PNH, NUC8i3PNK. | PNWHL357 | CVE-2023-22356 |
Intel® NUC 11 Performance Kit, Intel NUC 11 Performance Mini PC: NUC11PAHi3, NUC11PAHi30Z, NUC11PAKi3, NUC11PAHi5, NUC11PAHi50Z, NUC11PAKi5, NUC11PAQi50WA, NUC11PAHi7, NUC11PAHi70Z, NUC11PAKi7, NUC11PAQi70QA. | | CVE-2023-34349 |
Intel® NUC 11 Compute Element: CM11EBi38W, CM11EBi58W, CM11EBi716W, CM11EBC4W. | EBTGL357 | CVE-2023-22449, CVE-2023-34349 |
Intel® NUC 12 Compute Element: ELM12HBi3, ELM12HBi5, ELM12HBi7, ELM12HBC. | HBADL357 | CVE-2023-22449, CVE-2023-34349 |
Intel® NUC Extreme, Intel® NUC 12 Extreme Compute Element: NUC12DCMi7, NUC12EDBi7, NUC12DCMi9, NUC12EDBi9. | EDADL579 | CVE-2023-22449, CVE-2023-34349 |
Intel® NUC Laptop Kit: LAPRC510, LAPRC710. | RCADL357 | CVE-2023-22449, CVE-2023-34349 |
Intel® NUC Pro Board, Intel® NUC Pro Kit: NUC12WSBi3, NUC12WSBi30Z, NUC12WSHi3, NUC12WSHi30L, NUC12WSHi30Z, NUC12WSKi3, NUC12WSKi30Z. NUC12WSBi5, NUC12WSBi50Z, NUC12WSHi5, NUC12WSHi50Z, NUC12WSKi5, NUC12WSKi50Z. NUC12WSBi70Z, NUC12WSHi7, NUC12WSHi70Z, NUC12WSKi7, NUC12WSKi70Z. | WSADL357 | CVE-2023-22449, CVE-2023-34349 |
Intel® NUC Laptop Kits: LAPAC71H, LAPAC71G. | ACADL357 | CVE-2023-22449, CVE-2023-34349 |
Intel® NUC Enthusiast: NUC12SNKi72, NUC12SNKi72VA. | SNADL357 | CVE-2023-22449, CVE-2023-34349 |
Intel® NUC Essential: NUC11ATBC4, NUC11ATKC2, NUC11ATKC2, NUC11ATKC4, NUC11ATKPE. | ATJSLCPX | CVE-2023-22449, CVE-2023-34349 |
Intel® NUC Laptop Kit: LAPBC510, LAPBC710. | BCTGL357 | CVE-2023-22449, CVE-2023-34349 |
Intel® NUC Laptop Kit: LAPKC51E, LAPKC71E, LAPKC71F. | KCTGL357 | CVE-2023-22449, CVE-2023-34349 |
Intel® NUC Extreme Compute Element: NUC11BTMi7, NUC11DBBi7, NUC11BTMi9, NUC11DBBi9. | DBTGL579 | CVE-2023-22449, CVE-2023-34349 |
Intel® NUC Boards: NUC11TNBi3, NUC11TNBi30Z, NUC11TNHi3, NUC11TNHi30L, NUC11TNHi30P, NUC11TNHi30Z, NUC11TNKi3, NUC11TNKi30Z. NUC11TNBi5, NUC11TNBi50Z, NUC11TNHi5, NUC11TNHi50L, NUC11TNHi50W, NUC11TNHi50Z, NUC11TNKi5, NUC11TNKi50Z. NUC11TNBi7, NUC11TNBi70Z, NUC11TNHi7, NUC11TNHi70L, NUC11TNHi70Q, NUC11TNHi70Z, NUC11TNKi7, NUC11TNKi70Z. | TNTGL357 | CVE-2023-22449, CVE-2023-34349 |
Intel® NUC: NUC11PHKi7C, NUC11PHKi7CAA. | PHTGL579 | CVE-2023-22449, CVE-2023-34349 |
Intel® NUC Pro Compute Element: NUC9V7QNB, NUC9V7QNX, NUC9VXQNB, NUC9VXQNX. | QNCFLX70 | |
Intel® NUC Rugged Kit: NUC8CCHB, NUC8CCHBN, NUC8CCHKRN, NUC8CCHKR. | CHAPLCEL | CVE-2023-22356, CVE-2023-32617 |
Intel® NUC Business, Intel® NUC Enthusiast, Intel® NUC Kit: NUC8i7HNKQC, NUC8i7HVKVA, NUC8i7HVKVAW, NUC8i7HVK, NUC8i7HNK. | HNKBKi70 | CVE-2023-22356, CVE-2022-36372 |
Intel® NUC Pro Kit, Intel® NUC Pro Board, Intel® NUC Pro Mini PC: NUC11TNKv50Z, NUC11TNHv70L, NUC11TNHv50L, NUC11TNKv5, NUC11TNKv7, NUC11TNHv5, NUC11TNHv7, NUC11TNBv7, NUC11TNBv5, NUC11TNKv5, NUC11TNKv7. | TNTGLV57 | CVE-2023-22356 |
Intel® NUC Kit: NUC6CAYH, NUC6CAYS. | | |
Intel® NUC Mini PC, Intel® NUC Kit, Intel® NUC Enthusiast, Intel® NUC Board: NUC7i3BNHXF, NUC7i3BNK, NUC7i3BNH, NUC7i3BNB, NUC7i5BNHX1, NUC7i5BNH, NUC7i5BNK, NUC7i5BNHXF, NUC7i5BNKP, NUC7i5BNB, NUC7i7BNH, NUC7i7BNHX1, NUC7i7BNHXG, NUC7i3BNHX1, NUC7i7BNKQ, NUC7i7BNB. | | |
Intel® Compute Element: STK2mv64CC. | | |
| AYAPLCEL | |
Intel recommends updating the affected Intel® NUC BIOS firmware to the latest version (see provided table above).
The following issue was found internally by Intel employees. Intel would like to thank Page Wu, Kamal Lee, Jan Halvorsen, Poching Lee and Jack Hung (CVE-2023-32285).
The following issues were found by external researchers. Intel would like to thank Yngweijw (Jiawei Yin) (CVE-2023-34438, CVE-2023-32617, CVE-2023-34086), Another1024, Ccrack and Redapple (CVE-2023-34349) for reporting these issues.
The following issues were found separately by Intel employees and external researchers. Intel would like to thank the BINARLY efiXplorer team (CVE-2022-36372, CVE-2023-22449, CVE-2023-22356, CVE-2023-22444, CVE-2023-22330), Stan Chang (CVE-2023-22449) and Page Wu (CVE-2023-22444, CVE-2023-22330, CVE-2023-22356).
Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.