Potential security vulnerabilities in some Intel® NUCs may allow escalation of privilege. Intel is releasing firmware updates to mitigate these potential vulnerabilities.****
CVEID: CVE-2022-24382
Description: Improper input validation in firmware for some Intel® NUCs may allow a privileged user to potentially enable escalation of privilege via local access.
CVSS Base Score: 7.5 High
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H****
CVEID: CVE-2022-24297
Description: Improper buffer restrictions in firmware for some Intel® NUCs may allow a privileged user to potentially enable escalation of privilege via local access.
CVSS Base Score: 7.5 High
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H****
CVEID: CVE-2022-21237
Description: Improper buffer access in firmware for some Intel® NUCs may allow a privileged user to potentially enable escalation of privilege via local access.
CVSS Base Score: 7.5 High
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H****
Intel® NUC products with BIOS before version listed in table below are affected:
Product
|
BIOS Fixed Version Download Link
—|—
Intel® NUC M15 Laptop Kit - LAPBC510, LAPBC710
|
Intel® NUC X15 Laptop Kits - LAPKC71F, LAPKC71E, LAPKC51E
|
Intel® NUC Extreme Compute Element NUC11DBBi9 and NUC11DBBi7, and Intel® NUC 11 Extreme Kit NUC11BTMi7 and NUC11BTMi9
|
Intel® NUC 11 Compute Element CM11EBC4W, CM11EBi38W, CM11EBi58W, CM11EBi716W
|
Intel® NUC Kits NUC11PAQ, NUC11PAH, NUC11PA
|
Intel® NUC Boards/Kits NUC11TN[x]i3, NUC11TN[x]i5, NUC11TN[x]i7
|
Intel® NUC11PHKi7C, NUC11PHKi7CAA
|
Intel® NUC 9 Pro Compute Element - NUC9V7QNB, NUC9VXQNB
Intel® NUC 9 Pro Kit - NUC9V7QNX, NUC9VXQNX
|
Intel® NUC9i5QN, NUC9i7QN, NUC9i9QN
|
Intel® NUC Kits NUC8i3CYSM and NUC8i3CYSN
|
Intel® NUC 8 Compute Element CM8CCB, CM8i3CB, CM8i5CB, CM8i7CB, CM8PCB
|
Intel® NUC Kit NUC8i7BE, NUC8i5BE, and NUC8i3B
|
Intel recommends updating the affected Intel® NUC BIOS firmware to the latest version (see provided table above).
Updates are available for download at the locations listed in the provided table above.
Intel would like to thank Yngweijw (CVE-2022-24382) and Dmitry Frolov (CVE-2022-24297, CVE-2022-21237) for reporting these issues.
Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.