Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-34390: DSA-2022-269: Dell Client Platform BIOS Security Update for Alienware Area-51 R4/R5

Dell BIOS contains a use of uninitialized variable vulnerability. A local authenticated malicious user may potentially exploit this vulnerability by using an SMI to gain arbitrary code execution in SMRAM.

CVE
#vulnerability#ios#intel#bios#auth#dell

Vaikutus

High

Tiedot

Third-party Component

CVE(s)

More Information

Intel® CSME, Intel® SPS, Intel® TXE, Intel® DAL, and Intel® AMT 2019.1 QSR Advisory

CVE-2019-0086

INTEL-SA-00213

CVE-2019-0091

CVE-2019-0093

2019.2 IPU – Intel® CSME, Intel® SPS, Intel® TXE, Intel® AMT, Intel® PTT and Intel® DAL Advisory

CVE-2019-0169

INTEL-SA-00241

CVE-2019-11147

CVE-2019-11104

CVE-2019-11090

CVE-2019-11087

CVE-2019-11101

2020.1 IPU – Intel® CSME, SPS, TXE, AMT, ISM and DAL Advisory

CVE-2020-0536

INTEL-SA-00295

CVE-2020-0539

CVE-2020-0545

2020.2 IPU – Intel® CSME, SPS, TXE, AMT and DAL Advisory

CVE-2020-8745

INTEL-SA-00391

CVE-2020-8705

CVE-2020-12303

CVE-2020-12355

2020.2 IPU – BIOS Advisory

CVE-2020-0587

INTEL-SA-00358

CVE-2020-0591

CVE-2020-0592

CVE-2020-0593

Intel BIOS Platform Sample Code Advisory

CVE-2020-8738

INTEL-SA-00390

CVE-2020-8739

CVE-2020-8740

CVE-2020-8764

2021.1 IPU – Intel® CSME, SPS and LMS Advisory

CVE-2020-24507

INTEL-SA-00459

CVE-2020-8703

2021.1 IPU – BIOS Advisory

CVE-2020-12358

INTEL-SA-00463

CVE-2020-12360

CVE-2020-24486

Intel BSSA DFT Advisory

CVE-2021-0144

INTEL-SA-00525

BIOS Reference Code Advisory

CVE-2021-0157

INTEL-SA-00562

2021.2 IPU - Intel® Processor Breakpoint Control Flow Advisory

CVE-2021-0127

Intel-SA-00532

Intel® CSME, Intel® SPS, Intel® TXE, Intel® DAL, and Intel® AMT 2019.1 QSR Advisory

CVE-2019-0086

INTEL-SA-00213

CVE-2019-0091

CVE-2019-0093

Proprietary Code CVE(s)

Description

CVSS Base Score

CVSS Vector String

CVE-2022-34390

Dell BIOS contains a use of uninitialized variable vulnerability. A local authenticated malicious user may potentially exploit this vulnerability by using an SMI to gain arbitrary code execution in SMRAM.

7.5

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2022-34391

Dell Client BIOS Versions prior to the remediated version contain an improper input validation vulnerability. A local authenticated malicious user may potentially exploit this vulnerability by using an SMI to gain arbitrary code execution in SMRAM.

7.5

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Third-party Component

CVE(s)

More Information

Intel® CSME, Intel® SPS, Intel® TXE, Intel® DAL, and Intel® AMT 2019.1 QSR Advisory

CVE-2019-0086

INTEL-SA-00213

CVE-2019-0091

CVE-2019-0093

2019.2 IPU – Intel® CSME, Intel® SPS, Intel® TXE, Intel® AMT, Intel® PTT and Intel® DAL Advisory

CVE-2019-0169

INTEL-SA-00241

CVE-2019-11147

CVE-2019-11104

CVE-2019-11090

CVE-2019-11087

CVE-2019-11101

2020.1 IPU – Intel® CSME, SPS, TXE, AMT, ISM and DAL Advisory

CVE-2020-0536

INTEL-SA-00295

CVE-2020-0539

CVE-2020-0545

2020.2 IPU – Intel® CSME, SPS, TXE, AMT and DAL Advisory

CVE-2020-8745

INTEL-SA-00391

CVE-2020-8705

CVE-2020-12303

CVE-2020-12355

2020.2 IPU – BIOS Advisory

CVE-2020-0587

INTEL-SA-00358

CVE-2020-0591

CVE-2020-0592

CVE-2020-0593

Intel BIOS Platform Sample Code Advisory

CVE-2020-8738

INTEL-SA-00390

CVE-2020-8739

CVE-2020-8740

CVE-2020-8764

2021.1 IPU – Intel® CSME, SPS and LMS Advisory

CVE-2020-24507

INTEL-SA-00459

CVE-2020-8703

2021.1 IPU – BIOS Advisory

CVE-2020-12358

INTEL-SA-00463

CVE-2020-12360

CVE-2020-24486

Intel BSSA DFT Advisory

CVE-2021-0144

INTEL-SA-00525

BIOS Reference Code Advisory

CVE-2021-0157

INTEL-SA-00562

2021.2 IPU - Intel® Processor Breakpoint Control Flow Advisory

CVE-2021-0127

Intel-SA-00532

Intel® CSME, Intel® SPS, Intel® TXE, Intel® DAL, and Intel® AMT 2019.1 QSR Advisory

CVE-2019-0086

INTEL-SA-00213

CVE-2019-0091

CVE-2019-0093

Proprietary Code CVE(s)

Description

CVSS Base Score

CVSS Vector String

CVE-2022-34390

Dell BIOS contains a use of uninitialized variable vulnerability. A local authenticated malicious user may potentially exploit this vulnerability by using an SMI to gain arbitrary code execution in SMRAM.

7.5

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2022-34391

Dell Client BIOS Versions prior to the remediated version contain an improper input validation vulnerability. A local authenticated malicious user may potentially exploit this vulnerability by using an SMI to gain arbitrary code execution in SMRAM.

7.5

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Dell Technologies suosittelee, että kaikki asiakkaat ottavat huomioon sekä CVSS-peruspistemäärän että kaikki asiaankuuluvat väliaikaiset ja ympäristöön liittyvät pisteet, jotka voivat vaikuttaa tietyn tietoturvahaavoittuvuuden mahdolliseen vakavuuteen.

Tuotteet, joihin asia vaikuttaa ja tilanteen korjaaminen

See the table below for Dell Client BIOS releases containing resolutions to these vulnerabilities. Dell recommends all customers update at the earliest opportunity.

Go to the Drivers and Downloads site for updates on the applicable products. To learn more, see Dell KB article Dell BIOS Updates, and download the update for your Dell computer.

Customers may use one of the Dell notification solutions to be notified and download driver, BIOS, and firmware updates automatically once available.

Product

BIOS Update Version

BIOS Release Date

Alienware Area-51 R4

2.0.6

08/30/2022

Alienware Area-51 R5

2.0.6

08/30/2022

See the table below for Dell Client BIOS releases containing resolutions to these vulnerabilities. Dell recommends all customers update at the earliest opportunity.

Go to the Drivers and Downloads site for updates on the applicable products. To learn more, see Dell KB article Dell BIOS Updates, and download the update for your Dell computer.

Customers may use one of the Dell notification solutions to be notified and download driver, BIOS, and firmware updates automatically once available.

Product

BIOS Update Version

BIOS Release Date

Alienware Area-51 R4

2.0.6

08/30/2022

Alienware Area-51 R5

2.0.6

08/30/2022

Keinoja ongelman kiertämiseen tai lieventämiseen

None

Versiohistoria

Revision

Date

Description

1.0

2022/09/30

Initial Release

Asiaan liittyvät tiedot

Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide

Lisätietoja

Dell Technologies would like to thank yngweijw for reporting CVE-2022-34390 and CVE-2022-34391.

30 syysk. 2022

Related news

Gentoo Linux Security Advisory 202402-22

Gentoo Linux Security Advisory 202402-22 - Multiple vulnerabilities have been discovered in intel-microcode, the worst of which can lead to privilege escalation. Versions greater than or equal to 20230214_p20230212 are affected.

CVE-2023-25509: NVIDIA Support

NVIDIA DGX-1 SBIOS contains a vulnerability in Bds, which may lead to code execution, denial of service, and escalation of privileges.

CVE-2023-23692: DSA-2022-187: Dell Technologies PowerProtect Data Domain Security Update for Multiple Third-Party Component Vulnerabilities

Dell EMC prior to version DDOS 7.9 contain(s) an OS command injection Vulnerability. An authenticated non admin attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application.

CVE-2022-46756: DSA-2022-335: Dell VxRail Security Update for Multiple Third-Party Component Vulnerabilities

Dell VxRail, versions prior to 7.0.410, contain a Container Escape Vulnerability. A local high-privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the container's underlying OS. Exploitation may lead to a system take over by an attacker.

CVE-2022-34456: DSA-2022-267: Dell EMC Metronode VS5 Security Update for Multiple Third-Party Component Vulnerabilities

Dell EMC Metro node, Version(s) prior to 7.1, contain a Code Injection Vulnerability. An authenticated nonprivileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application.

CVE-2022-34439: DSA-2022-245: Dell EMC PowerScale OneFS Security Update for Multiple Security Updates

Dell PowerScale OneFS, versions 8.2.0.x-9.4.0.x contain allocation of Resources Without Limits or Throttling vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to denial of service and performance issue on that node.

CVE-2022-35408: Insyde's Security Pledge | Insyde Software

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. An SMM callout vulnerability in the SMM driver in UsbLegacyControlSmm leads to possible arbitrary code execution in SMM and escalation of privileges. An attacker could overwrite the function pointers in the EFI_BOOT_SERVICES table before the USB SMI handler triggers. (This is not exploitable from code running in the operating system.)

CVE-2022-35408: Insyde's Security Pledge | Insyde Software

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. An SMM callout vulnerability in the SMM driver in UsbLegacyControlSmm leads to possible arbitrary code execution in SMM and escalation of privileges. An attacker could overwrite the function pointers in the EFI_BOOT_SERVICES table before the USB SMI handler triggers. (This is not exploitable from code running in the operating system.)

CVE-2022-35408: Insyde's Security Pledge | Insyde Software

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. An SMM callout vulnerability in the SMM driver in UsbLegacyControlSmm leads to possible arbitrary code execution in SMM and escalation of privileges. An attacker could overwrite the function pointers in the EFI_BOOT_SERVICES table before the USB SMI handler triggers. (This is not exploitable from code running in the operating system.)

Ubuntu Security Notice USN-5535-1

Ubuntu Security Notice 5535-1 - Joseph Nuzman discovered that some Intel processors did not properly initialise shared resources. A local attacker could use this to obtain sensitive information. Mark Ermolov, Dmitry Sklyarov and Maxim Goryachy discovered that some Intel processors did not prevent test and debug logic from being activated at runtime. A local attacker could use this to escalate privileges.

Ubuntu Security Notice USN-5486-1

Ubuntu Security Notice 5486-1 - It was discovered that some Intel processors did not implement sufficient control flow management. A local attacker could use this to cause a denial of service. Joseph Nuzman discovered that some Intel processors did not properly initialise shared resources. A local attacker could use this to obtain sensitive information. Mark Ermolov, Dmitry Sklyarov and Maxim Goryachy discovered that some Intel processors did not prevent test and debug logic from being activated at runtime. A local attacker could use this to escalate privileges.

CVE-2022-29085: DSA-2022-021: Dell Unity, Dell UnityVSA, and Dell Unity XT Security Update for Multiple Vulnerabilities

Dell Unity, Dell UnityVSA, and Dell Unity XT versions prior to 5.2.0.0.5.173 contain a plain-text password storage vulnerability when certain off-array tools are run on the system. The credentials of a user with high privileges are stored in plain text. A local malicious user with high privileges may use the exposed password to gain access with the privileges of the compromised user.

CVE-2020-8700: INTEL-SA-00463

Improper input validation in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.

CVE-2020-8700: INTEL-SA-00463

Improper input validation in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.

CVE-2020-8700: INTEL-SA-00463

Improper input validation in the firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.

CVE-2020-0590: INTEL-SA-00358

Improper input validation in BIOS firmware for some Intel(R) Processors may allow an authenticated user to potentially enable escalation of privilege via local access.

CVE-2020-8738: INTEL-SA-00390

Improper conditions check in Intel BIOS platform sample code for some Intel(R) Processors before may allow a privileged user to potentially enable escalation of privilege via local access.

CVE-2020-8738: INTEL-SA-00390

Improper conditions check in Intel BIOS platform sample code for some Intel(R) Processors before may allow a privileged user to potentially enable escalation of privilege via local access.

CVE-2020-8738: INTEL-SA-00390

Improper conditions check in Intel BIOS platform sample code for some Intel(R) Processors before may allow a privileged user to potentially enable escalation of privilege via local access.

CVE-2020-8738: INTEL-SA-00390

Improper conditions check in Intel BIOS platform sample code for some Intel(R) Processors before may allow a privileged user to potentially enable escalation of privilege via local access.

CVE-2020-8745: INTEL-SA-00391

Insufficient control flow management in subsystem for Intel(R) CSME versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70, 13.0.40, 13.30.10, 14.0.45 and 14.5.25 , Intel(R) TXE versions before 3.1.80 and 4.0.30 may allow an unauthenticated user to potentially enable escalation of privilege via physical access.

CVE-2019-0097: INTEL-SA-00213

Insufficient input validation vulnerability in subsystem for Intel(R) AMT before version 12.0.35 may allow a privileged user to potentially enable denial of service via network access.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907