Lucene search

Intel Security CenterINTEL:INTEL-SA-01001

HistoryNov 14, 2023 - 12:00 a.m.

Intel® NUC Firmware Advisory

2023-11-1400:00:00

Intel Security Center

www.intel.com

intel

nuc

bios

firmware

security

advisory

privilege escalation

information disclosure

mitigations

cve-2022-34301

cve-2022-34303

cve-2022-34302

cve-2023-40220

cve-2023-40540

vulnerabilities

firmware updates

local access

buffer restrictions

microarchitectural resources

performance kit

mini pc

compute element

pro kit

pro board

nuc10i3fnh

nuc10i5fnh

nuc10i7fnh

nuc 8 compute element

nuc8i3pnb

nuc8i3pnh

nuc8i3pnk

7.6 High

AI Score

Confidence

High

JSON

Summary:

Potential security vulnerabilities in some Intel® NUC BIOS firmware may allow escalation of privilege or information disclosure. Intel is releasing firmware updates to mitigate these potential vulnerabilities.

Vulnerability Details:

CVEID: CVE-2022-34301(Non-Intel issued)

Description: Download of Code Without Integrity Check in some Intel® NUC BIOS firmware may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVEID: CVE-2022-34303(Non-Intel issued)

Description: Download of Code Without Integrity Check in some Intel® NUC BIOS firmware may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVEID: CVE-2022-34302(Non-Intel issued)

Description: Download of Code Without Integrity Check in some Intel® NUC BIOS firmware may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVEID: CVE-2023-40220

Description: Improper buffer restrictions in some Intel® NUC BIOS firmware may allow a privileged user to potentially enable information disclosure via local access.

CVSS Base Score: 5.3 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N

CVEID: CVE-2023-40540

Description: Non-Transparent Sharing of Microarchitectural Resources in some Intel® NUC BIOS firmware may allow a privileged user to potentially enable information disclosure via local access.

CVSS Base Score: 4.1 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N

Affected Products:

Product

Download Link

CVE ID

—|—|—

Intel® NUC Performance Kit and Mini PC:
NUC10i3FNH, NUC10i3FNHF, NUC10i3FNHFA, NUC10i3FNHJA, NUC10i3FNHN, NUC10i3FNK, NUC10i3FNKN.

NUC10i5FNH, NUC10i5FNHCA, NUC10i5FNHF, NUC10i5FNHJA, NUC10i5FNHJ, NUC10i5FNHN, NUC10i5FNK, NUC10i5FNKN, NUC10i5FNKPA, NUC10i5FNKP.

NUC10i7FNH, NUC10i7FNHAA, NUC10i7FNHC, NUC10i7FNHJA, NUC10i7FNHN, NUC10i7FNK, NUC10i7FNKN, NUC10i7FNKP, NUC10i7FNKPA.

FNCML357

CVE-2022-34301

Intel® NUC 8 Compute Element:
CM8i3CB4N, CM8i5CB8N, CM8i7CB8N, CM8CCB4R, CM8PCB4R.

CBWHL357

CVE-2022-34301 CVE-2022-34302
CVE-2022-34303

Intel® NUC Pro Kit, Intel NUC Pro Board: NUC8i3PNB, NUC8i3PNH, NUC8i3PNK.

PNWHL357

CVE-2022-34301

Intel® NUC 11 Performance Kit, Intel NUC 11 Performance Mini PC:
NUC11PAHi3, NUC11PAHi30Z, NUC11PAKi3, NUC11PAHi5, NUC11PAHi50Z, NUC11PAKi5, NUC11PAQi50WA, NUC11PAHi7, NUC11PAHi70Z, NUC11PAKi7, NUC11PAQi70QA.

PATGL357

CVE-2023-40540
CVE-2022-34301
CVE-2022-34302
CVE-2022-34303

Intel® NUC Pro Board, Intel® NUC Pro Kit:
NUC12WSBi3, NUC12WSBi30Z, NUC12WSHi3, NUC12WSHi30L, NUC12WSHi30Z, NUC12WSKi3, NUC12WSKi30Z.

NUC12WSBi5, NUC12WSBi50Z, NUC12WSHi5, NUC12WSHi50Z, NUC12WSKi5, NUC12WSKi50Z.

NUC12WSBi70Z, NUC12WSHi7, NUC12WSHi70Z, NUC12WSKi7, NUC12WSKi70Z.

WSADL357

CVE-2022-34301

Intel® NUC Enthusiast:
NUC12SNKi72, NUC12SNKi72VA.

SNADL357

CVE-2022-34301

Intel® NUC Essential:
NUC11ATBC4, NUC11ATKC2, NUC11ATKC2, NUC11ATKC4, NUC11ATKPE.

ATJSLCPX

CVE-2022-34301

Intel® NUC Laptop Kit: LAPBC510, LAPBC710.

BCTGL357

CVE-2023-40540
CVE-2022-34301

Intel® NUC Laptop Kit: LAPKC51E, LAPKC71E, LAPKC71F.

KCTGL357

CVE-2023-40540
CVE-2022-34301
CVE-2022-34302
CVE-2022-34303

Intel® NUC Extreme Compute Element:
NUC11BTMi7, NUC11DBBi7, NUC11BTMi9, NUC11DBBi9.

DBTGL579

CVE-2022-34301
CVE-2022-34302
CVE-2022-34303

Intel® NUC Boards:
NUC11TNBi3, NUC11TNBi30Z, NUC11TNHi3, NUC11TNHi30L, NUC11TNHi30P, NUC11TNHi30Z, NUC11TNKi3, NUC11TNKi30Z.

NUC11TNBi5, NUC11TNBi50Z, NUC11TNHi5, NUC11TNHi50L, NUC11TNHi50W, NUC11TNHi50Z, NUC11TNKi5, NUC11TNKi50Z.

NUC11TNBi7, NUC11TNBi70Z, NUC11TNHi7, NUC11TNHi70L,

NUC11TNHi70Q, NUC11TNHi70Z, NUC11TNKi7, NUC11TNKi70Z.

TNTGL357

CVE-2023-40540
CVE-2022-34301
CVE-2022-34302
CVE-2022-34303

Intel® NUC: NUC11PHKi7C, NUC11PHKi7CAA.

PHTGL579

CVE-2023-40540
CVE-2022-34301

Intel® NUC Pro Compute Element:
NUC9V7QNB, NUC9V7QNX, NUC9VXQNB, NUC9VXQNX.

QNCFLX70

CVE-2022-34301

Intel® NUC 9 Extreme Laptop Kit:
LAPQC71B, LAPQC71D, LAPQC71C, LAPQC71A.

QCCFL357

CVE-2023-40540

Intel® NUC Rugged Kit:
NUC8CCHB, NUC8CCHBN, NUC8CCHKRN, NUC8CCHKR.

CHAPLCEL

CVE-2022-34301

Intel® NUC Pro Kit, Intel® NUC Pro Board, Intel® NUC Pro Mini PC:
NUC11TNKv50Z, NUC11TNHv70L, NUC11TNHv50L, NUC11TNKv5, NUC11TNKv7, NUC11TNHv5, NUC11TNHv7, NUC11TNBv7, NUC11TNBv5, NUC11TNKv5, NUC11TNKv7.

TNTGLV57

CVE-2022-34301
CVE-2023-40540
CVE-2022-34303

Intel® NUC Kit: NUC6CAYH, NUC6CAYS.

AYAPLCEL

CVE-2023-40220

Recommendation:

Intel recommends updating the affected Intel® NUC BIOS firmware to the latest version (see provided table above).

Acknowledgements:

Intel would like to thank Mickey Shkatov, Jesse Michael of Eclypsium (CVE-2022-34301, CVE-2022-34303, CVE-2022-34302), Yngweijw (Jiawei Yin) (CVE-2023-40220) and the Binarly efiXplorer team (CVE-2023-40540) for reporting these issues.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.