Potential security vulnerabilities in some Intel® NUC BIOS firmware may allow escalation of privilege. Intel is releasing firmware updates to mitigate these potential vulnerabilities.
CVEID: CVE-2023-28738
Description: Improper input validation for some Intel® NUC BIOS firmware before version JY0070 may allow a privileged user to potentially enable escalation of privilege via local access.
CVSS Base Score: 7.5 High
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
CVEID: CVE-2023-28743
Description: Improper input validation for some Intel® NUC BIOS firmware before version QN0073 may allow a privileged user to potentially enable escalation of privilege via local access.
CVSS Base Score: 7.5 High
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
CVEID: CVE-2023-29495
Description: Improper input validation for some Intel® NUC BIOS firmware before version IN0048 may allow a privileged user to potentially enable escalation of privilege via local access.
CVSS Base Score: 7.5 High
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
CVEID: CVE-2023-28722
Description: Improper buffer restrictions for some Intel® NUC BIOS firmware before version IN0048 may allow a privileged user to potentially enable escalation of privilege via local access.
CVSS Base Score: 6.7 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:H
Product | Download Link | CVE ID |
---|---|---|
Intel® NUC 8 Mainstream-G Kit: NUC8i7INH, NUC8i5INH | INWHL357.0049 | [CVE-2023-28722](https://vulners.com/cve/CVE-2023-28722), CVE-2023-29495 |
Intel® NUC 7 Essential and Intel® NUC Kit: NUC7CJYSAMN, NUC7CJYHN, NUC7PJYHN, NUC7PJYH, NUC7CJYSAL, NUC7CJYH | JYGLKCPX.0071 | CVE-2023-28738 |
Intel® NUC 9 Pro Compute and Pro Kit: NUC9V7QNB, NUC9V7QNX | QNCFLX70.0073 | CVE-2023-28743 |
Intel recommends updating the affected Intel® NUC BIOS firmware to the latest version (see provided table above).
After January 15th, 2024 please refer to the NUC transition page for updates to affected products.
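To check an inventory against the fixed builds listed above, the following is an added example, not Intel code. It assumes BIOS version strings are dot-separated with the BIOS ID first and a four-digit build field after it; the function names and the sample inventory are constructed for illustration.

```python
import re
from pathlib import Path

# First fixed build per BIOS family, from the CVE descriptions in the advisory
# ("before version IN0048 / JY0070 / QN0073"). Keys are the BIOS ID prefixes
# shown in the advisory's download column.
FIXED_BUILDS = {
    "INWHL357": (48, ["CVE-2023-29495", "CVE-2023-28722"]),
    "JYGLKCPX": (70, ["CVE-2023-28738"]),
    "QNCFLX70": (73, ["CVE-2023-28743"]),
}

def parse_bios_version(version):
    """Split a BIOS version string into (prefix, build number).

    Assumed format: dot-separated, BIOS ID first, and the build number is the
    first later field made of exactly four digits. This covers the short form
    used in the advisory ("JYGLKCPX.0071") and longer DMI-style strings.
    """
    fields = version.strip().upper().split(".")
    for field in fields[1:]:
        if re.fullmatch(r"\d{4}", field):
            return fields[0], int(field)
    raise ValueError(f"no four-digit build field in {version!r}")

def open_cves(version):
    """Return the advisory's CVEs still unpatched in `version`.

    None means the BIOS family is not covered by this advisory.
    """
    prefix, build = parse_bios_version(version)
    if prefix not in FIXED_BUILDS:
        return None
    fixed_build, cves = FIXED_BUILDS[prefix]
    return list(cves) if build < fixed_build else []

if __name__ == "__main__":
    # Constructed sample inventory; on Linux the local value is appended from
    # /sys/class/dmi/id/bios_version when that file exists.
    samples = ["JYGLKCPX.86A.0069.2022.1122.1234", "INWHL357.0049", "QNCFLX70.0072"]
    dmi = Path("/sys/class/dmi/id/bios_version")
    if dmi.is_file():
        samples.append(dmi.read_text().strip())
    for sample in samples:
        try:
            print(sample, "->", open_cves(sample))
        except ValueError as err:
            print(sample, "-> unparsed:", err)
```

A result of `None` only means the BIOS family is outside this advisory, not that the system has no open firmware issues.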
Intel would like to thank Yngweijw and Eason (CVE-2023-28738, CVE-2023-28743), Qingzhe Jiang and another1024 (CVE-2023-29495, CVE-2023-28722) for reporting these issues.
Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.