Headline
CVE-2022-21933: ASUS VivoMini/Mini PC - improper input validation
ASUS VivoMini/Mini PC device has an improper input validation vulnerability. A local attacker with system privilege can use system management interrupt (SMI) to modify memory, resulting in arbitrary code execution for controlling the system or disrupting service.
:::
- 首頁
- 資安服務
- 台灣漏洞揭露平台 (TVN)
- TVN (Taiwan Vulnerability Note) 漏洞公告
TVN ID
TVN-202201001
CVE ID
CVE-2022-21933
CVSS
6.7 (Medium)
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
影響產品
ASUS VivoMini/Mini PC
受影響產品清單:
ASUS VC65-C1 BIOS version < 1302
ASUS PB60V BIOS version < 1302
ASUS PB60G BIOS version < 1302
ASUS PB60S BIOS version <1302
ASUS PA90 BIOS version < 1401
ASUS PB50 BIOS version < 902
ASUS PB60 BIOS version < 1502
ASUS PB61V BIOS version < 601
ASUS TS10 BIOS version < 609
ASUS PN40 BIOS version < 2201
ASUS PN60 BIOS version < 808
ASUS PN30 BIOS version < 320
ASUS UN65U BIOS version < 618
問題描述
ASUS VivoMini/Mini PC設備存在improper input validation漏洞,Local端的攻擊者獲得作業系統權限後,利用BIOS系統管理中斷(System Management Interrupt,簡稱SMI)修改記憶體,導致可執行任意程式碼,藉以控制系統或中斷服務。
解決方法
BIOS Update,詳細請見 https://www.asus.com/content/ASUS-Product-Security-Advisory/
漏洞通報者
Yngweijw (IIE Varas)
公開日期
2022-01-20