Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user with admin privileges may potentially exploit this vulnerability in order to modify a UEFI variable.

**Vaikutus**

High

**Tiedot**

**Proprietary Code CVE(s)**

**Description**

**CVSS Base Score**

**CVSS Vector String**

CVE-2022-32483

Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user with admin privileges may potentially exploit this vulnerability in order to modify a UEFI variable.

5.6

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L

CVE-2022-32484

Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user with admin privileges may potentially exploit this vulnerability in order to modify a UEFI variable.

5.6

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L

CVE-2022-32485

Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user may potentially exploit this vulnerability by using an SMI to gain arbitrary code execution in SMRAM.

7.5

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2022-32487

Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user may potentially exploit this vulnerability by using an SMI to gain arbitrary code execution in SMRAM.

7.5

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2022-32488

Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user may potentially exploit this vulnerability by using an SMI to gain arbitrary code execution in SMRAM.

8.2

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2022-32489

Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user may potentially exploit this vulnerability by using an SMI to gain arbitrary code execution in SMRAM.

8.2

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2022-32491

Dell BIOS contains a Buffer Overflow vulnerability. A local authenticated malicious user may potentially exploit this vulnerability by manipulating an SMI to cause an arbitrary write during SMM.

4.1

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N

CVE-2022-32493

Dell BIOS contains a Stack-Based Buffer Overflow vulnerability. A local authenticated malicious user may potentially exploit this vulnerability by using an SMI to gain arbitrary code execution in SMRAM.

6.0

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

  

**Proprietary Code CVE(s)**

**Description**

**CVSS Base Score**

**CVSS Vector String**

CVE-2022-32483

Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user with admin privileges may potentially exploit this vulnerability in order to modify a UEFI variable.

5.6

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L

CVE-2022-32484

Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user with admin privileges may potentially exploit this vulnerability in order to modify a UEFI variable.

5.6

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L

CVE-2022-32485

Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user may potentially exploit this vulnerability by using an SMI to gain arbitrary code execution in SMRAM.

7.5

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2022-32487

Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user may potentially exploit this vulnerability by using an SMI to gain arbitrary code execution in SMRAM.

7.5

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2022-32488

Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user may potentially exploit this vulnerability by using an SMI to gain arbitrary code execution in SMRAM.

8.2

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2022-32489

Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user may potentially exploit this vulnerability by using an SMI to gain arbitrary code execution in SMRAM.

8.2

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2022-32491

Dell BIOS contains a Buffer Overflow vulnerability. A local authenticated malicious user may potentially exploit this vulnerability by manipulating an SMI to cause an arbitrary write during SMM.

4.1

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N

CVE-2022-32493

Dell BIOS contains a Stack-Based Buffer Overflow vulnerability. A local authenticated malicious user may potentially exploit this vulnerability by using an SMI to gain arbitrary code execution in SMRAM.

6.0

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

  

Dell Technologies suosittelee, että kaikki asiakkaat ottavat huomioon sekä CVSS-peruspistemäärän että kaikki asiaankuuluvat väliaikaiset ja ympäristöön liittyvät pisteet, jotka voivat vaikuttaa tietyn tietoturvahaavoittuvuuden mahdolliseen vakavuuteen.

**Tuotteet, joihin asia vaikuttaa ja tilanteen korjaaminen**

See the table below for Dell Client BIOS releases containing resolutions to these vulnerabilities. Dell recommends all customers update at the earliest opportunity.

Go to the Drivers and Downloads site for updates on the applicable products. To learn more, see Dell KB article Dell BIOS Updates, and download the update for your Dell computer.

Customers may use one of the Dell notification solutions to be notified and download driver, BIOS, and firmware updates automatically once available.

See the table below for Dell Client BIOS releases containing resolutions to these vulnerabilities. Dell recommends all customers update at the earliest opportunity.

Go to the Drivers and Downloads site for updates on the applicable products. To learn more, see Dell KB article Dell BIOS Updates, and download the update for your Dell computer.

Customers may use one of the Dell notification solutions to be notified and download driver, BIOS, and firmware updates automatically once available.

**Keinoja ongelman kiertämiseen tai lieventämiseen**

None

**Kiitokset**

Dell Technologies would like to thank yngweijw for reporting CVE-2022-32483, CVE-2022-32484, CVE-2022-32485, CVE-2022-32487, CVE-2022-32488, CVE-2022-32489, CVE-2022-32491, and CVE-2022-32493.

**Versiohistoria**

**Revision**

**Date**

**Description**

1.0

2022/09/29

Initial Release

**Asiaan liittyvät tiedot**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

**Lisätietoja**

**Product**

**BIOS Update Version**

**BIOS Release Date (MM/DD/YYYY)**

Alienware Area 51m R1

1.21.0

08/08/2022

Alienware Area 51m R2

1.18.0

08/08/2022

Alienware Aurora R10

2.3.1

08/08/2022

Alienware Aurora R11

1.0.16

08/02/2022

Alienware Aurora R12

1.1.16

07/28/2022

Alienware Aurora R13

1.5.0

08/09/2022

Alienware Aurora R8

1.0.23

08/03/2022

Alienware Aurora R9

1.0.20

08/03/2022

Alienware m15 R1

2.14.0

08/09/2022

Alienware m15 R2

1.17.0

08/08/2022

Alienware m15 R3

1.19.0

08/08/2022

Alienware m15 R4

1.13.0

08/08/2022

Alienware m17 R1

2.14.0

08/09/2022

Alienware m17 R2

1.17.0

08/08/2022

Alienware m17 R3

1.19.0

08/08/2022

Alienware m17 R4

1.13.0

08/08/2022

Alienware x14

1.5.0

08/19/2022

Alienware x15 R1

1.11.0

08/08/2022

Alienware x15 R2

1.7.0

08/29/2022

Alienware x17 R1

1.11.0

08/08/2022

Alienware x17 R2

1.7.0

08/29/2022

Aurora R14

2.3.0

08/08/2022

ChengMing 3980

2.24.0

08/09/2022

ChengMing 3988

1.11.0

08/08/2022

ChengMing 3990

1.14.0

08/10/2022

ChengMing 3991

1.14.0

08/10/2022

Dell G3 15 3590

1.18.0

08/09/2022

Dell G3 3579

1.22.0

08/16/2022

Dell G3 3779

1.22.0

08/16/2022

Dell G5 15 5590

1.20.0

08/09/2022

Dell G5 5000

1.10.0

08/08/2022

Dell G5 5090

1.15.0

08/10/2022

Dell G7 17 7590

1.20.0

08/09/2022

Dell G7 17 7790

1.20.0

08/09/2022

Dell Latitude 3480

1.21.0

08/16/2022

Dell Latitude 3580

1.21.0

08/16/2022

Edge Gateway 3000 series

1.9.0

08/09/2022

Edge Gateway 5000

1.19.0

08/09/2022

Embedded Box PC 3000

1.15.0

08/08/2022

Embedded Box PC 5000

1.16.0

08/09/2022

Inspiron 14 3467

2.20.0

08/11/2022

Inspiron 15 3567

2.20.0

08/11/2022

Inspiron 15 5582 2-in-1

2.16.0

08/23/2022

Inspiron 3277

1.21.0

08/09/2022

Inspiron 3280

1.16.0

08/09/2022

Inspiron 3470

2.24.0

08/09/2022

Inspiron 3471

1.11.0

08/08/2022

Inspiron 3477

1.21.0

08/09/2022

Inspiron 3480

1.20.0

08/08/2022

Inspiron 3480

1.16.0

08/09/2022

Inspiron 3481

1.18.0

08/08/2022

Inspiron 3482

1.15.0

08/08/2022

Inspiron 3490

1.20.0

08/08/2022

Inspiron 3493

1.23.0

08/08/2022

Inspiron 3501

1.17.0

08/08/2022

Inspiron 3502

1.9.0

08/08/2022

Inspiron 3580

1.20.0

08/08/2022

Inspiron 3580

1.20.0

08/08/2022

Inspiron 3581

1.18.0

08/08/2022

Inspiron 3581

1.18.0

08/08/2022

Inspiron 3582

1.15.0

08/08/2022

Inspiron 3590

1.20.0

08/08/2022

Inspiron 3593

1.23.0

08/08/2022

Inspiron 3670

2.24.0

08/09/2022

Inspiron 3671

1.11.0

08/08/2022

Inspiron 3780

1.20.0

08/08/2022

Inspiron 3781

1.18.0

08/08/2022

Inspiron 3782

1.15.0

08/08/2022

Inspiron 3790

1.20.0

08/08/2022

Inspiron 3793

1.23.0

08/08/2022

Inspiron 3880

1.14.0

08/10/2022

Inspiron 3881

1.14.0

08/10/2022

Inspiron 5390

1.18.0

08/05/2022

Inspiron 5391

1.19.0

08/09/2022

Inspiron 5400

1.13.0

08/02/2022

Inspiron 5401 All-In-One

1.13.0

08/02/2022

Inspiron 5477

1.2.20

08/08/2022

Inspiron 5480

2.16.0

08/23/2022

Inspiron 5481 2-in-1

2.16.0

08/23/2022

Inspiron 5482

2.16.0

08/23/2022

Inspiron 5490

1.20.0

08/08/2022

Inspiron 5490 All-In-One

1.16.0

08/09/2022

Inspiron 5491 2-in-1

1.16.0

08/04/2022

Inspiron 5493

1.23.0

08/08/2022

Inspiron 5494

1.20.0

08/08/2022

Inspiron 5498

1.20.0

08/08/2022

Inspiron 5570

1.10.0

08/10/2022

Inspiron 5580

2.16.0

08/23/2022

Inspiron 5583

1.20.0

08/04/2022

Inspiron 5584

1.20.0

08/04/2022

Inspiron 5590

1.20.0

08/08/2022

Inspiron 5591 2-in-1

1.16.0

08/04/2022

Inspiron 5593

1.23.0

08/08/2022

Inspiron 5594

1.20.0

08/08/2022

Inspiron 5598

1.20.0

08/08/2022

Inspiron 5680

2.12.0

08/10/2022

Inspiron 5770

1.10.0

08/10/2022

Inspiron 7000

1.19.0

08/09/2022

Inspiron 7370

1.25.0

08/11/2022

Inspiron 7373 2-in-1

1.25.0

08/11/2022

Inspiron 7380

1.18.0

08/08/2022

Inspiron 7386

1.16.0

08/09/2022

Inspiron 7390

1.19.0

08/04/2022

Inspiron 7391

1.17.0

08/04/2022

Inspiron 7490

1.15.0

08/08/2022

Inspiron 7570

1.25.0

08/11/2022

Inspiron 7573 2-in-1

1.25.0

08/11/2022

Inspiron 7580

1.18.0

08/08/2022

Inspiron 7586

1.16.0

08/09/2022

Inspiron 7590

1.19.0

08/04/2022

Inspiron 7590

1.15.0

08/09/2022

Inspiron 7591

1.17.0

08/04/2022

Inspiron 7591

1.15.0

08/09/2022

Inspiron 7700 AIO

1.13.0

08/02/2022

Inspiron 7777

1.2.20

08/08/2022

Inspiron 7786

1.16.0

08/09/2022

Inspiron 7790

1.16.0

08/09/2022

Inspiron 7791

1.17.0

08/04/2022

Inspiron 5491 All-In-One

1.16.0

08/09/2022

Latitude 13 3380

1.19.0

08/16/2022

Latitude 3120

1.10.0

08/10/2022

Latitude 3180

1.19.0

08/15/2022

Latitude 3189

1.19.0

08/15/2022

Latitude 3190

1.22.0

08/15/2022

Latitude 3190 2-in-1

1.22.0

08/15/2022

Latitude 3300

1.17.0

08/18/2022

Latitude 3301

1.23.0

08/05/2022

Latitude 3310

1.16.0

08/10/2022

Latitude 3310 2-in-1

1.15.0

08/18/2022

Latitude 3379

1.0.36

08/16/2022

Latitude 3390

1.21.0

08/18/2022

Latitude 3400

1.25.0

08/04/2022

Latitude 3490

1.20.0

08/11/2022

Latitude 3500

1.25.0

08/04/2022

Latitude 3590

1.20.0

08/11/2022

Latitude 5280

1.26.0

08/12/2022

Latitude 5285 2-in-1

1.19.0

08/12/2022

Latitude 5289

1.29.0

08/15/2022

Latitude 5290

1.24.0

08/12/2022

Latitude 5290 2-in-1

1.22.0

08/25/2022

Latitude 5300

1.23.0

08/21/2022

Latitude 5300 2-in-1

1.23.0

08/21/2022

Latitude 5310

1.15.0

08/09/2022

Latitude 5310 2-in-1

1.15.0

08/09/2022

Latitude 5400

1.19.0

08/12/2022

Latitude 5401

1.21.0

08/12/2022

Latitude 5410

1.15.0

08/11/2022

Latitude 5411

1.15.0

08/11/2022

Latitude 5414 Rugged

1.36.0

08/16/2022

Latitude 5420 Rugged

1.18.0

08/16/2022

Latitude 5424 Rugged

1.18.0

08/16/2022

Latitude 5480

1.26.0

08/12/2022

Latitude 5488

1.26.0

08/12/2022

Latitude 5490

1.24.0

08/12/2022

Latitude 5491

1.23.0

08/12/2022

Latitude 5495

1.9.0

08/16/2022

Latitude 5500

1.19.0

08/12/2022

Latitude 5501

1.21.0

08/12/2022

Latitude 5510

1.15.0

08/11/2022

Latitude 5511

1.15.0

08/11/2022

Latitude 5580

1.26.0

08/12/2022

Latitude 5590

1.24.0

08/12/2022

Latitude 5591

1.23.0

08/12/2022

Latitude 7200 2-in-1

1.19.0

08/09/2022

Latitude 7210 2-in-1

1.16.0

08/22/2022

Latitude 7212 Rugged Extreme Tablet

1.40.0

08/16/2022

Latitude 7214 Rugged Extreme

1.36.0

08/16/2022

Latitude 7220 Rugged Extreme Tablet

1.23.0

08/16/2022

Latitude 7220EX Rugged Extreme Tablet

1.23.0

08/16/2022

Latitude 7275 2-in-1

1.16.0

08/15/2022

Latitude 7280

1.27.0

08/15/2022

Latitude 7285 2-in-1

1.17.0

08/12/2022

Latitude 7290

1.27.0

08/16/2022

Latitude 7300

1.21.0

08/10/2022

Latitude 7310

1.17.0

08/10/2022

Latitude 7370

1.30.3

08/16/2022

Latitude 7380

1.27.0

08/15/2022

Latitude 7389

1.29.0

08/15/2022

Latitude 7390

1.27.0

08/16/2022

Latitude 7390 2-in-1

1.26.0

08/12/2022

Latitude 7400

1.21.0

08/10/2022

Latitude 7400 2-in-1

1.18.0

08/09/2022

Latitude 7410

1.17.0

08/10/2022

Latitude 7414 Rugged Extreme

1.36.0

08/16/2022

Latitude 7424 Rugged Extreme

1.18.0

08/16/2022

Latitude 7480

1.27.0

08/15/2022

Latitude 7490

1.27.0

08/16/2022

Latitude 9410

1.16.0

08/10/2022

Latitude 9510

1.14.0

08/09/2022

Latitude E5270

1.32.3

08/12/2022

Latitude E5470

1.32.3

08/12/2022

Latitude E5570

1.32.3

08/12/2022

Latitude E7270

1.35.3

08/15/2022

Latitude E7470

1.35.3

08/15/2022

OptiPlex 3050

1.21.0

08/09/2022

OptiPlex 3040

1.20.1

08/09/2022

OptiPlex 3046

1.17.0

08/09/2022

OptiPlex 3050 All-In-One

1.22.0

08/08/2022

OptiPlex 3060

1.21.0

08/09/2022

OptiPlex 3070

1.16.0

08/09/2022

OptiPlex 3080

2.14.0

08/10/2022

OptiPlex 3090

2.7.0

08/10/2022

OptiPlex 3280 All-In-One

1.15.0

08/08/2022

OptiPlex 5050

1.21.0

08/11/2022

OptiPlex 5055 A-Series

1.7.0

09/07/2022

OptiPlex 5055 Ryzen APU

1.7.0

09/07/2022

OptiPlex 5055 Ryzen CPU

1.7.0

09/07/2022

OptiPlex 5060

1.21.0

08/09/2022

OptiPlex 5070

1.16.0

08/09/2022

OptiPlex 5080

1.14.0

08/10/2022

OptiPlex 5250

1.22.0

08/08/2022

OptiPlex 5260 All-In-One

1.21.0

08/08/2022

OptiPlex 5480 All-In-One

1.16.0

08/08/2022

OptiPlex 7040

1.24.0

08/09/2022

OptiPlex 7050

1.21.0

08/09/2022

OptiPlex 7060

1.21.0

08/09/2022

OptiPlex 7070

1.16.0

08/09/2022

OptiPlex 7070 Ultra

1.14.0

08/09/2022

OptiPlex 7071

1.15.0

08/09/2022

OptiPlex 7080

1.14.0

08/09/2022

OptiPlex 7450

1.22.0

08/08/2022

OptiPlex 7460 All-In-One

1.21.0

08/08/2022

OptiPlex 7470 All-In-One

1.16.0

08/08/2022

OptiPlex 7480 All-In-One

1.16.0

08/08/2022

OptiPlex 7760 All-In-One

1.21.0

08/08/2022

OptiPlex 7770 All-In-One

1.16.0

08/08/2022

OptiPlex 7780 All-In-One

1.16.0

08/08/2022

OptiPlex XE3

1.21.0

08/09/2022

Precision 3240 Compact

1.13.0

08/11/2022

Precision 3420 Tower

2.22.0

08/08/2022

Precision 3430 Tower

1.20.0

08/09/2022

Precision 3431 Tower

1.15.0

08/09/2022

Precision 3440

1.14.0

08/09/2022

Precision 3510

1.32.3

08/12/2022

Precision 3520

1.26.0

08/12/2022

Precision 3530

1.23.0

08/12/2022

Precision 3540

1.19.0

08/12/2022

Precision 3541

1.21.0

08/12/2022

Precision 3550

1.15.0

08/11/2022

Precision 3551

1.15.0

08/11/2022

Precision 3620 Tower

2.22.0

08/08/2022

Precision 3630 Tower

2.15.0

08/08/2022

Precision 3640 Tower

1.16.0

08/16/2022

Precision 3930 Rack

2.20.0

08/10/2022

Precision 5510

1.23.0

08/11/2022

Precision 5530

1.26.0

08/09/2022

Precision 5530 2-in-1

1.20.8

08/09/2022

Precision 5540

1.18.0

08/09/2022

Precision 5720 All-In-One

2.15.0

08/09/2022

Precision 5820 Tower

2.21.0

08/10/2022

Precision 7510

1.28.3

08/12/2022

Precision 7520

1.26.0

08/12/2022

Precision 7530

1.24.0

08/12/2022

Precision 7540

1.21.0

08/10/2022

Precision 7550

1.17.0

08/09/2022

Precision 7710

1.28.3

08/12/2022

Precision 7720

1.26.0

08/12/2022

Precision 7730

1.24.0

08/12/2022

Precision 7740

1.21.0

08/10/2022

Precision 7750

1.17.0

08/09/2022

Precision 7820 Tower

2.26.1

09/07/2022

Precision 7920 Tower

2.26.1

09/07/2022

Vostro 3070

2.24.0

08/09/2022

Vostro 3267

1.22.0

08/10/2022

Vostro 3268

1.22.0

08/10/2022

Vostro 3401

1.17.0

08/08/2022

Vostro 3470

2.24.0

08/09/2022

Vostro 3471

1.11.0

08/08/2022

Vostro 3480

1.20.0

08/08/2022

Vostro 3481

1.18.0

08/08/2022

Vostro 3490

1.20.0

08/08/2022

Vostro 3501

1.17.0

08/08/2022

Vostro 3580

1.20.0

08/08/2022

Vostro 3581

1.18.0

08/08/2022

Vostro 3582

1.15.0

08/08/2022

Vostro 3583

1.20.0

08/08/2022

Vostro 3584

1.18.0

08/08/2022

Vostro 3590

1.20.0

08/08/2022

Vostro 3667

1.22.0

08/10/2022

Vostro 3668

1.22.0

08/10/2022

Vostro 3669

1.22.0

08/10/2022

Vostro 3670

2.24.0

08/09/2022

Vostro 3671

1.11.0

08/08/2022

Vostro 3681

2.14.0

08/10/2022

Vostro 3881

2.14.0

08/10/2022

Vostro 3888

2.14.0

08/10/2022

Vostro 5090

1.15.0

08/09/2022

Vostro 5390

1.18.0

08/05/2022

Vostro 5391

1.19.0

08/09/2022

Vostro 5481

2.16.0

08/23/2022

Vostro 5490

1.20.0

08/08/2022

Vostro 5491

1.23.0

08/08/2022

Vostro 5581

2.16.0

08/23/2022

Vostro 5590

1.20.0

08/08/2022

Vostro 5591

1.23.0

08/08/2022

Vostro 5880

1.14.0

08/09/2022

Vostro 7590

1.15.0

08/09/2022

Wyse 5070

1.18.0

08/10/2022

Wyse 5470

1.15.0

08/16/2022

Wyse 5470 All-In-One

1.16.1

08/26/2022

Wyse 7040 Thin Client

1.17.0

08/08/2022

XPS 13 7390

1.17.0

08/09/2022

XPS 13 7390 2-in-1

1.18.0

08/09/2022

XPS 13 9300

1.14.0

08/09/2022

XPS 13 9365 2-in-1

2.23.0

08/25/2022

XPS 13 9370

1.21.0

08/24/2022

XPS 13 9380

1.20.0

08/09/2022

XPS 15 7590

1.26.0

08/09/2022

XPS 15 9575 2-in-1

1.22.0

08/09/2022

XPS 7590

1.18.0

08/09/2022

XPS 8930

1.1.24

08/03/2022

XPS 8940

2.9.0

08/08/2022

XPS 8950

1.5.0

08/08/2022

Alienware 15 R2, Alienware 17, Alienware Area-51m, Alienware 17 R4, Alienware 17 R2, Alienware 17 R3, Alienware Area 51, Alienware Aurora, Alienware Aurora R11, Alienware Aurora R12, Alienware Aurora R13, Alienware m17 R2, Alienware m17 R3Näytä lisää

29 syysk. 2022

CVE-2022-32483: DSA-2022-248: Dell Client BIOS Security Update

Categories: Exploits and vulnerabilities
Categories: News
Tags: Microsoft

Tags:  Apple

Tags:  Google

Tags:  Android

Tags:  Samsung

Tags:  Xiaomi

Tags:  Adobe

Tags:  SAP

Tags:  VMWare

Tags:  Fortinet

Tags:  CVE-2022-41033

Tags:  CVE-2022-41040

Tags:  zero-day

No fix for ProxyNotShell



(Read more...)




The post Update now! October patch Tuesday fixes actively used zero-day...but not the one you expected appeared first on Malwarebytes Labs.

Microsoft fixed 84 vulnerabilities in its October 2022 Patch Tuesday updates. Thirteen of them received the classification 'Critical'. Among them are a zero-day vulnerability that's being actively exploited, and another that hasn’t been spotted in the wild yet.

The bad news is that the much-desired fix for the "ProxyNotShell" Exchange vulnerabilities was not included.

**What was fixed**

A widely accepted definition for a zero-day is a computer-software vulnerability previously unknown to those who should be interested in its mitigation, such as the software vendor. Until the vulnerability is mitigated, hackers can exploit it to adversely affect programs, data, computers or a network.

As such, a publicly known vulnerability is called a zero-day even if there is no known actively used exploitation for it.

The actively exploited vulnerability in this month's batch is CVE-2022-41033, a vulnerability with a CVSS score of 7.8 out of 10. This is described as a 'Windows COM+ Event System Service Elevation of Privileges (EoP)’ vulnerability, which gives an attacker the potential to obtain SYSTEM privileges after successful exploitation.

This type of vulnerability usually comes into play once an attacker has gained an initial foothold on a system. They can then use this vulnerability to gain more permissions and expand their access to the compromised system.

Another publicly disclosed vulnerability that gets a fix is CVE-2022-41043, a Microsoft Office Information Disclosure vulnerability. Affected products are Microsoft Office LTSC for Mac 2021 and Microsoft Office 2019 for Mac. Microsoft says attackers could use this vulnerability to gain access to users' authentication tokens.

**What wasn’t fixed**

The Exchange Server "ProxyNotShell" vulnerabilities, CVE-2022-41040 and CVE-2022-41082, were not fixed in this round of updates. One is a Server-Side Request Forgery (SSRF) vulnerability and the other a remote code execution (RCE) vulnerability that exists when PowerShell is accessible to the attacker. The two can be chained together into an attack.

Microsoft says it will release updates for these vulnerabilities when they are ready. In the meantime, you should read this blog post to learn about mitigations for those vulnerabilities.

**Other vendors**

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones:

*   Adobe released security updates to fix 29 vulnerabilities in several products.
*   Apple published iOS 16.0.3.
*   Fortinet released important security updates.
*   Google patched several vulnerabilities for Android.
*   Samsung has started rolling out October 2022 security updates for some of its devices.
*   SAP has released updates for several of its products.
*   VMware published security advisory VMSA-2022-0025.
*   Xiaomi released the October 2022 Security Patch Update tracker.

That should be enough to keep you busy, et patching!

Update now! October patch Tuesday fixes actively used zero-day...but not the one you expected

Identity governance administration (IGA) started life as a tool for organizations to meet a sudden surge of legal and regulatory requirements, but﻿ it has grown into a key enabler of security.

Omdia recently published a Market Radar on identity governance administration (IGA), in which we compared a number of the leading vendors in this sector. Let's look at some of the key takeaways from this report.

**IGA Is Modernizing to Adapt to Today's Environment**

IGA started life in the early 2000s as a tool for organizations to meet a sudden surge of legal and regulatory requirements. In other words, its initial purpose was compliance. However, as with another technology that came into existence for that purpose — security information and event management (SIEM) — it has grown into a key enabler of security as well. That's particularly notable now that the COVID-19 pandemic has turbocharged the digital transformation programs that were already underway, in a more cautious fashion, at most organizations.

**Atomization of the Workforce**

There are two dimensions to the problems that IGA seeks to address in the current environment. First, there is the "atomization of the workforce," a way of describing workers dispersing to home offices and remote sites, collaborating with contractors, suppliers, and partners as much as with colleagues and fellow employees. This is a process that was already underway long before the pandemic, but which was given new impetus by COVID. It is driven by business process outsourcing (BPO), the increasing ease of mobile computing, and, more broadly, by the changing work-life balance priorities of new generations entering work. In this context, COVID-19 merely accelerated the process, driving millions of knowledge workers around the world to work from home on a full-time basis. While some of them are returning to the office now, that return is frequently only partial, and flexible work is very much the spirit of the age.

In this environment, there is a shift in priorities to:

*   The ability to bring new employees into the workforce quickly, i.e. rapid onboarding.
*   The provision of the appropriate hardware, software, and, critically, services that they require to do their jobs.
*   The ability to keep up with the changes in their working practices as they move through the organization.

**Cloudification**

The second dimension is the cloudification of application infrastructures. Enterprise applications were already moving to the cloud long before the pandemic, to be delivered as a service. However, the impact of the pandemic was, again, to turbocharge that process. Applications used by employees and partners now needed to be in the cloud for ease of remote access, while apps for the consumer also rushed to the cloud, as online channels became the sole points of interaction with customers for many businesses. While IGA is not primarily designed to address the B2C identity requirement, it does deliver life-cycle management and entitlement control for the identities of developers, whose role became more critical as the pandemic accelerated digital transformation projects.

This backdrop explains the importance that Omdia attributes to the cloud, not only as a locus from which to deliver IGA, but also as the place where an increasing number of corporate assets now reside, which puts a new level of requirement of entitlements management.

**Where Is the IGA Market Heading?**

IGA has needed to evolve and modernize in recent years, and the pandemic has accelerated this process. Traditional IGA products/solutions were built to address user provisioning through the complex integration and systematic application of heavily engineered, role-based access control (RBAC) structures. Having cloud-based IGA products that offer APIs can be readily consumed and make connectivity easier to integrate.

IGA vendors need to adapt and evolve their products and services to better fit the current business environment. This involves the cloudification of their IGA products and launching new features such as APIs into their portfolios. IGA technology needs to move into the cloud, an inflection point that should bring with it opportunities for service providers. While large enterprises have traditionally onboarded and managed their employee identities themselves, that activity may have become cumbersome if they grow through M&A, while the B2B aspect can be even more challenging to a global multinational corporation. Service providers that can handle identity federation should scope out business opportunities in this context. Having a cloud-based approach will be critical in enabling IGA to work seamlessly with other services and simplifying the evolution to a future-proof IT security infrastructure.

Key Takeaways From Omdia's IGA Market Radar

Google on Wednesday officially rolled out support for passkeys, the next-generation authentication standard, to both Android and Chrome.
"Passkeys are a significantly safer replacement for passwords and other phishable authentication factors," the tech giant said. "They cannot be reused, don't leak in server breaches, and protect users from phishing attacks."

The feature was first

Google on Wednesday officially rolled out support for passkeys, the next-generation authentication standard, to both Android and Chrome.

"Passkeys are a significantly safer replacement for passwords and other phishable authentication factors," the tech giant said. "They cannot be reused, don't leak in server breaches, and protect users from phishing attacks."

The feature was first announced in May 2022 as part of a broader push to support a common passwordless sign-in standard.

Passkeys, established by the FIDO Alliance and also backed by Apple and Microsoft, aim to replace standard passwords with unique digital keys that are stored locally on the device.

To that end, creating a passkey requires confirmation from the end-user about the account that will be used to log in to the online service, followed by using their biometric information or the device passcode.

Signing in to a website on a mobile device is also a simple two-step process that entails selecting the account and presenting their fingerprint, face, or screen lock when prompted.

The most compelling advantage to Passkeys is that they are also browser and operating system-agnostic, meaning an Android user can log in to a passkey-enabled website using Safari on iOS or macOS, or the Chrome browser on Windows.

Google also noted that the generated passkeys are securely stored and synced to the cloud via its Password Manager to prevent lockouts, adding developers can integrate passkey support on their sites using the WebAuthn API.

The internet giant further said that it aims to release an API for native Android apps in 2022 that will give users a standardized way to select either a passkey or a saved password.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Google Rolling Out Passkey Passwordless Login Support to Android and Chrome

Protecting against data breaches requires detailed analysis of recent attacks for remediation and prevention.

Data continues to drive enterprise business needs and processes, spurring the need for a rapidly growing number of data stores in which to house it all. Data's inherent value and impact on business operations have made it a prime target for cybercriminals. This has led to a sharp rise in data breaches that have disrupted business continuity and compromised the security and compliance posture of enterprises globally. In these breaches, attackers are commonly exploiting blind spots and misconfigurations.

Protecting against data breaches requires detailed and close analysis of recent attacks for remediation steps and preventative measures. Issues common to recent cloud data breaches include:

**1\. Data Leakage Through Compliance Boundaries**

A hard lesson from the past decade is that there's no going back once data goes outside of the organizational control plane and often to public repositories. For this reason, security owners are responsible for keeping tabs on any possibility of exposure, assessing fallout when exposure occurs, and acting accordingly.

Data leakage is more common than one would think and is not limited to enterprises with smaller security budgets. For example, Nestle's sensitive data was briefly exposed to the world from its internal network before surfacing a few months later in an alleged cyberattack by Anonymous.

**2\. Publicly Exposed Buckets**

Data is an asset and should be protected as such, whether it be a backup, audit record, or arbitrary file. Access should be based on the principle of least privilege, and any deviation should be identified, monitored, and alerted upon.

This was not the case for some organizations using public cloud data stores such as Amazon S3 buckets and Microsoft Azure Blobs. Four airports in Colombia and Peru, for example, had an S3 bucket — containing 3TB of data on employees — that was publicly accessible and did not require authentication.  

Meanwhile, Turkish airline company Pegasus had an S3 Bucket without password protection, exposing roughly 6.5TB of data that included personally identifiable crew information, flight charts, and secrets from the airline's EFB (Electronic Flight Bag) system.

Doctors Me, an online Japanese medical consultation site, experienced something similar. The service stored patient images, uploaded by customers, in an S3 bucket without proper access authorization and authentication controls, exposing the sensitive data of nearly 12,000 people.

**3\. Database Misconfigurations**

In their most basic function, databases are protected internal components that hold various records or documents. They are typically encapsulated behind an application or a service that facilitates access to data according to predetermined business logic. As such, databases have the potential to enforce strict access controls and to limit network access, ensuring that only service accounts or authorized personnel can directly reach them.

Databases exposed to the Internet, especially with weak authentication, are low-hanging fruit for bad actors who are constantly scanning for exposed services. This was the case for a popular Iranian chat application called Raychat, where a simple bot detected a misconfigured instance of the service's MongoDB database. All the attackers had to do was clone the database's content, wipe the database, and leave behind a note asking for a hefty ransom.

**4\. Missing Encryption**

Encryption is one of the top three industry best practices for data protection, but it cannot be considered a full security suite, as data protection is built in layers. When one layer is breached, it's up to the next to hold the line. We see this reflected in risk assessments and audit submissions, where each component, especially missing fundamental layer like encryption, changes the risk score of many other components that make up the entire environment. With common issues like false reporting and missing encryption, how can security owners reliably qualify and test the entirety of their known and unknown environment with assumptions and semi-reliable information?

The Department of Education in New York City struggled with this question when an online grading and attendance system was breached. Roughly 820,000 biographic records of current and former public-school students were stored without proper encryption, allowing the adversary to easily compromise and extract those.

**How Can Organizations Avoid These Mistakes?**

1\. Take ownership of your data: 

*   Identify sensitive and "need to be protected" assets with periodic scans of your environment to discover any unknowns and surprises, such as new data stores and network policies. 
*   Classify and evaluate any solution within your stack that you own or consume. 

2\. Improve your data security posture: 

*   Assess data stores against industry best practice and compliance standards. 
*   Incorporate data security into your organizational DNA by creating dedicated owners, allocating resources for long-term projects, and establishing incident handling procedures. 

3\. Control your data: 

*   Scope and periodically approve the target audience ensuring that only they can access it via both network policies and RBAC. 
*   Implement a "second set of eyes" methodology when it comes to data replication, export, creation, or deletion. 

4\. Observe and triage anomalous activities: 

*   Monitor activities against sensitive data and configuration changes around classified data stores. 
*   Create an alerting and triage mechanism for abnormal business scenarios.

Cloud Data Breaches Are Running Rampant. What Are the Common Characteristics?

InterVision releases a new website focused on the customer experience, making B2B cybersecurity purchasing decisions easier.

**SAN JOSE, Calif. and ST. LOUIS, Oct. 12, 2022 /PRNewswire/** — InterVision, a leading information technology (IT) strategic service provider, announced today a corporate rebrand along with key findings from its Pulse study. Study results revealed that nearly half of all business leaders identify ransomware as the top threat to business operations. These announcements highlight the importance of doubling down on strategic cybersecurity measures.

The study ("Solving for Ransomware Threats: Insights Into Current Leadership Actions") shares insights from 100 IT leaders on ransomware's impact on business security. Surveyed IT leaders reported ransomware as one of the biggest threats to tech-related business in North America, with 45% citing ransomware as their top concern overall. The study also found that most organizations focus on ransomware attack recovery (46%) as opposed to prevention (21%). As a result, many IT systems cannot detect threats before they become critical to the organization. But when presented with the idea of Ransomware Protection as a Service (RPaaS), 90% of respondents were interested in the comprehensive strategy.

"With so many high-profile ransomware attacks over the past couple of years, organizations are starting to understand the urgency of implementing a ransomware protection strategy," said Allen Jenkins, CISO and VP of Cybersecurity Consulting at InterVision. "Respondents overwhelmingly identified the need to improve IT processes and technology. Creating the right bundle with Ransomware Protection as a Service (RPaaS) ensures multiple layers of protection and is a powerful step in the process of ransomware prevention."

InterVision's rebrand puts customer experience at the center of its website, making B2B cybersecurity purchasing decisions easier.

"Commitment to the customer experience has always set InterVision apart. Our suite of business continuity and disaster recovery services is best-in-class, and we prioritize customer service through 24/7 response offerings. Now, with an updated website, the customer experience is front and center from the beginning to the end of their engagement with InterVision," said Kathleen Amro, Vice President of Marketing at InterVision.

InterVision's refreshed website and brand also reflects the quality of the company's offerings — including RPaaS, which 90% of Pulse survey respondents reported interest in.

"With organizations facing the challenge of an ever-evolving threat landscape and global security talent shortage, InterVision's RPaaS will not only provide their customers with world-class protection but also the peace of mind that comes along with it," said Will Briggs, senior vice president of global channels, Arctic Wolf. "InterVision and Arctic Wolf both share a commitment to delivering positive security outcomes, and we are proud of how our security operations solutions play a key role in protecting and delighting our shared customers."

To view the full study, visit https://intervision.com/blog-solving-for-ransomware-threats/. For more information about InterVision offerings or to navigate the refreshed website, visit https://intervision.com/.

**About InterVision Systems  
**InterVision is the leading strategic services provider, delivering and supporting complex IT solutions for mid-to-enterprise and public sector organizations throughout the US. With more than 25 years of experience, coupled with one of the most comprehensive product portfolios of managed IT service offerings available, the company is uniquely positioned to guide clients through any stage of their technology journeys. InterVision drives business outcomes with an unparalleled focus on the customer experience to help organizations be more competitive, compliant, and secure. The company has headquarters in San Jose, CA, St. Louis, MO, and Richmond, Va. To learn more, visit www.intervision.com.

**SOURCE:** InterVision

InterVision Announces Study Identifying Ransomware as No. 1 Threat to Business Longevity

SAP Customer Data Cloud (Gigya mobile app for Android) - version 7.4, uses encryption method which lacks proper diffusion and does not hide the patterns well. This can lead to information disclosure. In certain scenarios, application might also be susceptible to replay attacks.

CVE-2022-41209

Cross-Site Request Forgery (CSRF) vulnerability in Cozmoslabs Profile Builder plugin <= 3.6.0 at WordPress allows uploading the JSON file and updating the options. Requires Import and Export add-on.

CVE-2021-36915: Profile Builder – User Profile & User Registration Forms

Authenticated (admin+) Reflected Cross-Site Scripting (XSS) vulnerability in Gabe Livan's Asset CleanUp: Page Speed Booster plugin <= 1.3.8.4 at WordPress.

CVE-2021-36899: Asset CleanUp: Page Speed Booster

Exposed code included private key for Intel Boot Guard, meaning it can no longer be trusted, according to a researcher.

Intel has confirmed the leak of the Unified Extensible Firmware Interface (UEFI) BIOS of Alder Lake, the company's code name for its latest processor — the 12th generation Intel Core processor — which debuted in late 2021. 

According to reports, the Intel UEFI code was first leaked late last week on 4chan, and later GitHub, and it contained 5.97GB of data. It was dated 9-30-22, likely when it was exfiltrated, analysts reported. "In addition, one thing should be noted that the key pairs required by Boot Guard during provisioning stage is also included in the leaked content," researchers from Hardened Vault who analyzed the leaked data explained. 

Researcher Mark Ermolov noted the same thing on Twitter on Oct. 8, adding, "... the Intel Boot Guard on the vendor's platforms can no longer be trusted." 

The researchers at Hardened Vault pointed out the code could be particularly useful for malicious actors who want to reverse engineer the code to find vulnerabilities. 

In a statement provided to Security Week, Intel acknowledged the breach, attributing it to a third-party and downplaying its potential security risk. "Intel does not believe this exposes, or creates, any new security vulnerabilities as we do not rely on obfuscation of information as a security measure," Intel said in a statement. "We are reaching out to customers, partners and the security research community to keep them informed of this situation." 

The Hardened Vault team said it hasn't been able to trace the data back to the leaker but suggested that the developer of the firmware solution, Insyde, might have more information to share. "But it is still impossible to confirm the person who leaked it," the team wrote. "The leak is part of Insyde solution which integrate Intel’s resources. Perhaps Insyde knows more than we do."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Tag

#ios