Intel Security Center: INTEL-SA-01009

Date: Jan 09, 2024 - 12:00 a.m.

Intel® NUC BIOS Firmware Advisory

www.intel.com

AI Score: 7.6 High (Confidence: Low)

EPSS: 0.0004 Low (Percentile: 9.1%)

Summary:

Potential security vulnerabilities in some Intel® NUC BIOS firmware may allow escalation of privilege. Intel is releasing firmware updates to mitigate these potential vulnerabilities.

Vulnerability Details:

CVEID: CVE-2023-28738

Description: Improper input validation for some Intel® NUC BIOS firmware before version JY0070 may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2023-28743

Description: Improper input validation for some Intel® NUC BIOS firmware before version QN0073 may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2023-29495

Description: Improper input validation for some Intel® NUC BIOS firmware before version IN0048 may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2023-28722

Description: Improper buffer restrictions for some Intel® NUC BIOS firmware before version IN0048 may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:H

Affected Products:

| Product | Download Link | CVE ID |
| --- | --- | --- |
| Intel® NUC 8 Mainstream-G Kit: NUC8i7INH, NUC8i5INH | INWHL357.0049 | CVE-2023-28722, CVE-2023-29495 |
| Intel® NUC 7 Essential and Intel® NUC Kit: NUC7CJYSAMN, NUC7CJYHN, NUC7PJYHN, NUC7PJYH, NUC7CJYSAL, NUC7CJYH | JYGLKCPX.0071 | CVE-2023-28738 |
| Intel® NUC 9 Pro Compute and Pro Kit: NUC9V7QNB, NUC9V7QNX | QNCFLX70.0073 | CVE-2023-28743 |

Recommendation:

Intel recommends updating the affected Intel® NUC BIOS firmware to the latest version (see provided table above).

After January 15th, 2024, please refer to the NUC transition page for updates to affected products.

Acknowledgements:

Intel would like to thank Yngweijw and Eason (CVE-2023-28738, CVE-2023-28743), Qingzhe Jiang and another1024 (CVE-2023-29495, CVE-2023-28722) for reporting these issues.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.
