CVE-2022-21794

Vulnerability

An improper authentication vulnerability exists in the BIOS firmware of certain Intel NUC Boards, NUC Business, NUC Enthusiast, and NUC Kits prior to version HN0067 [1]. The flaw resides in the firmware's authentication mechanism, which can be bypassed by a local user with existing privileged access to the system.

Exploitation

An attacker must have local access to the affected system and possess privileged user credentials (e.g., administrator or root). The attacker can then exploit the improper authentication to modify BIOS settings or execute code at the firmware level, bypassing intended security checks [1].

Impact

Successful exploitation allows the attacker to escalate their privileges within the firmware environment, potentially gaining persistent control over the system's boot process and bypassing higher-level operating system security controls [1]. This could lead to full compromise of the device.

Mitigation

Intel has released BIOS firmware version HN0067 to address this vulnerability. Users should update their Intel NUC systems to this version or later via the Intel Driver & Support Assistant or by downloading the firmware from the Intel support website [1]. No workarounds are available; updating is the only mitigation.