VYPR
Unrated severity · NVD Advisory · Published May 12, 2022 · Updated May 5, 2025

CVE-2022-21237

Description

Improper buffer access in firmware for some Intel(R) NUCs may allow a privileged user to potentially enable escalation of privilege via local access.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A buffer access flaw in Intel NUC firmware lets a privileged local attacker escalate privileges.

Vulnerability

An improper buffer access vulnerability exists in the firmware for some Intel(R) NUC (Next Unit of Computing) kits and mini PCs. The issue resides in the system firmware and can be triggered by a privileged user with local access. Affected products include multiple Intel NUC models; the advisory INTEL-SA-00654 [1] provides a full list of affected versions and the fixed firmware versions.

Exploitation

An attacker must have local, privileged access to the target system (e.g., administrator or kernel-level access). No network-based exploitation is described. The attacker can exploit the improper buffer access by supplying specially crafted inputs or performing operations that trigger the firmware vulnerability, leading to a buffer handling error.

Impact

Successful exploitation allows a privileged attacker to escalate their privileges further, potentially gaining higher-level system control or bypassing security mechanisms within the firmware or operating system. The impact is limited to privilege escalation, which Intel's advisory rates as high severity (CVSS v3 base score 8.2 High) [1].

Mitigation

Intel has released firmware updates to address this vulnerability. Users should update the BIOS/firmware on affected Intel NUC devices to the versions specified in INTEL-SA-00654 [1]. No workarounds are provided; the fix is the only mitigation. If a device is end-of-life (EOL), Intel recommends replacing it. The advisory was published on 2022-05-10.

References
  1. INTEL-SA-00654

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Intel/Intel NUCs (description)
  • Intel/NUC (llm-fuzzy)

Patches

0

No patches discovered yet.
