CVE-2022-26124

Vulnerability

CVE-2022-26124 is an improper buffer restrictions vulnerability in the BIOS firmware for specific Intel NUC products, including Intel(R) NUC Boards, Intel(R) NUC 8 Boards, Intel(R) NUC 8 Rugged Boards, and Intel(R) NUC 8 Rugged Kits. The affected firmware versions are those prior to version CHAPLCEL.0059. The flaw exists due to insufficient boundary checks in BIOS code, which can be exploited by a local attacker with privileged access to the system [1].

Exploitation

To exploit this vulnerability, an attacker must have privileged user access to the affected Intel NUC system. The attack vector is local, meaning the attacker needs physical or remote console access with elevated privileges (e.g., root or Administrator). The attacker can then craft data or modify BIOS settings in a manner that triggers the buffer restriction weakness, potentially leading to improper memory operations [1].

Impact

Successful exploitation of this vulnerability could allow a privileged user to escalate privileges further, potentially achieving a higher level of access within the firmware layer. This could compromise the system's integrity and confidentiality, as the attacker may be able to execute arbitrary code at a privileged level or bypass security mechanisms [1].

Mitigation

Intel has released firmware version CHAPLCEL.0059 to address this vulnerability. Users are advised to update their BIOS firmware to this version or later. The update is available through Intel's official support channels. As of the publication date (November 2022), no workaround other than applying the firmware update has been disclosed. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog [1].