Intel Security Center, INTEL:INTEL-SA-00719
Nov 14, 2023 - 12:00 a.m.

Intel® Server Board and Server System Firmware Advisory

2023-11-14 00:00:00
Intel Security Center
www.intel.com

AI Score: 7.7 (Confidence: High)

EPSS: 0 (Percentile: 9.0%)

Summary:

Potential security vulnerabilities in some Intel® Server Board and Server System BIOS firmware may allow escalation of privilege. Intel is releasing firmware updates to mitigate these potential vulnerabilities.

Vulnerability Details:

CVEID: CVE-2023-34431

Description: Improper input validation in some Intel® Server Board BIOS firmware may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 8.2 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2022-33945

Description: Improper input validation in some Intel® Server Board and Intel® Server System BIOS firmware may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 8.2 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2022-29262

Description: Improper buffer restrictions in some Intel® Server Board BIOS firmware may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.9 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H

CVEID: CVE-2022-24379

Description: Improper input validation in some Intel® Server System M70KLP Family BIOS firmware before version 01.04.0029 may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2022-29510

Description: Improper buffer restrictions in some Intel® Server Board M10JNP2SB BIOS firmware before version 7.219 may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Affected Products:

Intel® Server M20NTP Family BIOS firmware before version 0022.D02 in the following products:

  • Intel® Server System M20NTP1UR304
  • Intel® Server Board M20NTP2SB

Intel® Server System M70KLP Family BIOS firmware before version 01.04.0029 in the following products:

  • Intel® Server System M70KLP4S2UHH
  • Intel® Server Board M70KLP2SB

Intel® Server Board M10JNP2SB Family BIOS firmware before version 7.219 in the following products:

  • Intel® Server Board M10JNP2SB

Intel® Server Board S2600BP Family BIOS firmware before version 02.01.0015 in the following products:

  • Intel® Server Board: S2600BPBR, S2600BPS, S2600BPSR, S2600BPQR, S2600BPB, S2600BPQ.
  • Intel® Compute Module: HNS2600BPBLCR, HNS2600BPBLC, HNS2600BPBLC24R, HNS2600BPS, HNS2600BPS24, HNS2600BPBR, HNS2600BPQR, HNS2600BPSR, HNS2600BPS24R, HNS2600BPQ24R, HNS2600BPB24, HNS2600BPB, HNS2600BPBLC24, HNS2600BPQ, HNS2600BPQ24.
  • Intel® Compute Module Liquid-Cooled: HNS2600BPBRCT.
  • Intel® Server System: VRN2224BPAF6, VRN2224BPHY6, MCB2208WFAF5, ZSB2224BPAF2, ZSB2224BPHY1, ZSB2224BPAF1.

Recommendation:

Intel recommends updating the firmware for the affected Intel® Server Board and Intel® Server System to the latest versions:

  • Updates for Intel® Server M20NTP Family BIOS firmware can be found here.
  • Updates for Intel® Server System M70KLP Family BIOS firmware can be found here.
  • Updates for Intel® Server Board M10JNP2SB Family BIOS firmware can be found here.
  • Updates for Intel® Server Board S2600BP Family BIOS firmware can be found here.

Acknowledgements:

Intel would like to thank Yngweijw (Jiawei Yin) (CVE-2023-34431, CVE-2022-33945, CVE-2022-29262), the BINARLY efiXplorer team and Aviram Shemesh (Kameleon) (CVE-2022-29510), and Dmitry Frolov (CVE-2022-24379) for reporting these issues.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.
