Lucene search

K
intelIntel Security CenterINTEL:INTEL-SA-01001
HistoryNov 14, 2023 - 12:00 a.m.

Intel® NUC Firmware Advisory

2023-11-1400:00:00
Intel Security Center
www.intel.com
13
intel
nuc
bios
firmware
security
advisory
privilege escalation
information disclosure
mitigations
cve-2022-34301
cve-2022-34303
cve-2022-34302
cve-2023-40220
cve-2023-40540
vulnerabilities
firmware updates
local access
buffer restrictions
microarchitectural resources
performance kit
mini pc
compute element
pro kit
pro board
nuc10i3fnh
nuc10i5fnh
nuc10i7fnh
nuc 8 compute element
nuc8i3pnb
nuc8i3pnh
nuc8i3pnk

AI Score

7.6

Confidence

High

EPSS

0.001

Percentile

34.5%

Summary:

Potential security vulnerabilities in some Intel® NUC BIOS firmware may allow escalation of privilege or information disclosure. Intel is releasing firmware updates to mitigate these potential vulnerabilities.

Vulnerability Details:

CVEID: CVE-2022-34301(Non-Intel issued)

Description: Download of Code Without Integrity Check in some Intel® NUC BIOS firmware may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVEID: CVE-2022-34303(Non-Intel issued)

Description: Download of Code Without Integrity Check in some Intel® NUC BIOS firmware may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVEID: CVE-2022-34302(Non-Intel issued)

Description: Download of Code Without Integrity Check in some Intel® NUC BIOS firmware may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVEID: CVE-2023-40220

Description: Improper buffer restrictions in some Intel® NUC BIOS firmware may allow a privileged user to potentially enable information disclosure via local access.

CVSS Base Score: 5.3 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N

CVEID: CVE-2023-40540

Description: Non-Transparent Sharing of Microarchitectural Resources in some Intel® NUC BIOS firmware may allow a privileged user to potentially enable information disclosure via local access.

CVSS Base Score: 4.1 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N

Affected Products:

Product

|

Download Link

|

CVE ID

—|—|—

Intel® NUC Performance Kit and Mini PC:
NUC10i3FNH, NUC10i3FNHF, NUC10i3FNHFA, NUC10i3FNHJA, NUC10i3FNHN, NUC10i3FNK, NUC10i3FNKN.

NUC10i5FNH, NUC10i5FNHCA, NUC10i5FNHF, NUC10i5FNHJA, NUC10i5FNHJ, NUC10i5FNHN, NUC10i5FNK, NUC10i5FNKN, NUC10i5FNKPA, NUC10i5FNKP.

NUC10i7FNH, NUC10i7FNHAA, NUC10i7FNHC, NUC10i7FNHJA, NUC10i7FNHN, NUC10i7FNK, NUC10i7FNKN, NUC10i7FNKP, NUC10i7FNKPA.

|

FNCML357

|

CVE-2022-34301

Intel® NUC 8 Compute Element:
CM8i3CB4N, CM8i5CB8N, CM8i7CB8N, CM8CCB4R, CM8PCB4R.

|

CBWHL357

|

CVE-2022-34301 CVE-2022-34302
CVE-2022-34303

Intel® NUC Pro Kit, Intel NUC Pro Board: NUC8i3PNB, NUC8i3PNH, NUC8i3PNK.

|

PNWHL357

|

CVE-2022-34301

Intel® NUC 11 Performance Kit, Intel NUC 11 Performance Mini PC:
NUC11PAHi3, NUC11PAHi30Z, NUC11PAKi3, NUC11PAHi5, NUC11PAHi50Z, NUC11PAKi5, NUC11PAQi50WA, NUC11PAHi7, NUC11PAHi70Z, NUC11PAKi7, NUC11PAQi70QA.

|

PATGL357

|

CVE-2023-40540
CVE-2022-34301
CVE-2022-34302
CVE-2022-34303

Intel® NUC Pro Board, Intel® NUC Pro Kit:
NUC12WSBi3, NUC12WSBi30Z, NUC12WSHi3, NUC12WSHi30L, NUC12WSHi30Z, NUC12WSKi3, NUC12WSKi30Z.

NUC12WSBi5, NUC12WSBi50Z, NUC12WSHi5, NUC12WSHi50Z, NUC12WSKi5, NUC12WSKi50Z.

NUC12WSBi70Z, NUC12WSHi7, NUC12WSHi70Z, NUC12WSKi7, NUC12WSKi70Z.

|

WSADL357

|

CVE-2022-34301

Intel® NUC Enthusiast:
NUC12SNKi72, NUC12SNKi72VA.

|

SNADL357

|

CVE-2022-34301

Intel® NUC Essential:
NUC11ATBC4, NUC11ATKC2, NUC11ATKC2, NUC11ATKC4, NUC11ATKPE.

|

ATJSLCPX

|

CVE-2022-34301

Intel® NUC Laptop Kit: LAPBC510, LAPBC710.

|

BCTGL357

|

CVE-2023-40540
CVE-2022-34301

Intel® NUC Laptop Kit: LAPKC51E, LAPKC71E, LAPKC71F.

|

KCTGL357

|

CVE-2023-40540
CVE-2022-34301
CVE-2022-34302
CVE-2022-34303

Intel® NUC Extreme Compute Element:
NUC11BTMi7, NUC11DBBi7, NUC11BTMi9, NUC11DBBi9.

|

DBTGL579

|

CVE-2022-34301
CVE-2022-34302
CVE-2022-34303

Intel® NUC Boards:
NUC11TNBi3, NUC11TNBi30Z, NUC11TNHi3, NUC11TNHi30L, NUC11TNHi30P, NUC11TNHi30Z, NUC11TNKi3, NUC11TNKi30Z.

NUC11TNBi5, NUC11TNBi50Z, NUC11TNHi5, NUC11TNHi50L, NUC11TNHi50W, NUC11TNHi50Z, NUC11TNKi5, NUC11TNKi50Z.

NUC11TNBi7, NUC11TNBi70Z, NUC11TNHi7, NUC11TNHi70L,

NUC11TNHi70Q, NUC11TNHi70Z, NUC11TNKi7, NUC11TNKi70Z.

|

TNTGL357

|

CVE-2023-40540
CVE-2022-34301
CVE-2022-34302
CVE-2022-34303

Intel® NUC: NUC11PHKi7C, NUC11PHKi7CAA.

|

PHTGL579

|

CVE-2023-40540
CVE-2022-34301

Intel® NUC Pro Compute Element:
NUC9V7QNB, NUC9V7QNX, NUC9VXQNB, NUC9VXQNX.

|

QNCFLX70

|

CVE-2022-34301

Intel® NUC 9 Extreme Laptop Kit:
LAPQC71B, LAPQC71D, LAPQC71C, LAPQC71A.

|

QCCFL357

|

CVE-2023-40540

Intel® NUC Rugged Kit:
NUC8CCHB, NUC8CCHBN, NUC8CCHKRN, NUC8CCHKR.

|

CHAPLCEL

|

CVE-2022-34301

Intel® NUC Pro Kit, Intel® NUC Pro Board, Intel® NUC Pro Mini PC:
NUC11TNKv50Z, NUC11TNHv70L, NUC11TNHv50L, NUC11TNKv5, NUC11TNKv7, NUC11TNHv5, NUC11TNHv7, NUC11TNBv7, NUC11TNBv5, NUC11TNKv5, NUC11TNKv7.

|

TNTGLV57

|

CVE-2022-34301
CVE-2023-40540
CVE-2022-34303

Intel® NUC Kit: NUC6CAYH, NUC6CAYS.

|

AYAPLCEL

|

CVE-2023-40220

Recommendation:

Intel recommends updating the affected Intel® NUC BIOS firmware to the latest version (see provided table above).

Acknowledgements:

Intel would like to thank Mickey Shkatov, Jesse Michael of Eclypsium (CVE-2022-34301, CVE-2022-34303, CVE-2022-34302), Yngweijw (Jiawei Yin) (CVE-2023-40220) and the Binarly efiXplorer team (CVE-2023-40540) for reporting these issues.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.