CVE-2021-33060
Description
Out-of-bounds write in the BIOS firmware for some Intel(R) Processors may allow an authenticated user to potentially enable escalation of privilege via local access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Out-of-bounds write in BIOS firmware for select Intel processors allows local authenticated users to escalate privileges.
Vulnerability
An out-of-bounds write vulnerability exists in the BIOS firmware for some Intel(R) Processors, including certain 10th and 11th Generation Core processors, Intel Xeon processors, and related models. The vulnerability occurs in the BIOS firmware component and can be triggered by a local attacker with low privileges. The exact affected processor list is provided in Intel's security advisory (INTEL-SA-00686) [1].
Exploitation
An attacker must have authenticated access to the target system at a low-privilege (user) level. No additional user interaction is required beyond the attacker's own actions. The attacker can exploit this vulnerability by sending specially crafted inputs or requests to the BIOS firmware, causing an out-of-bounds write condition. The attack vector is local, meaning the attacker must be able to execute code on the machine, such as through a user account or malware already present on the system [1].
Impact
Successful exploitation of the out-of-bounds write allows the attacker to escalate privileges on the affected system. The attacker can potentially gain higher privileges, possibly up to system firmware level, leading to full compromise of the system's confidentiality, integrity, and availability. The vulnerability is classified with a CVSS score of 7.1, indicating a high severity [1].
Mitigation
Intel has released firmware updates to address this vulnerability. Users and system administrators should update their BIOS/UEFI firmware to the latest version provided by their system manufacturer (OEM). Intel's advisory [1] provides the fixed versions and links to OEM resources. There is no known workaround. The latest firmware versions for affected processors were released throughout 2022, with the advisory published on August 18, 2022 [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
References (2)
- security.netapp.com/advisory/ntap-20220930-0004/ (mitre, x_refsource_CONFIRM)
- www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00686.html (mitre, x_refsource_MISC)