CVE-2022-33176

Vulnerability

Improper input validation in the BIOS firmware for some Intel(R) NUC 11 Performance kits and Intel(R) NUC 11 Performance Mini PCs before version PATGL357.0042 may allow a privileged user to potentially enable escalation of privilege via local access [1]. The vulnerability resides in the BIOS input handling code, which fails to properly validate certain inputs, leading to a security bypass.

Exploitation

An attacker must have local access to the system and possess privileged user credentials (e.g., administrator or root). The exploitation sequence involves providing specially crafted input to the BIOS during system boot or configuration, triggering the improper validation and allowing the attacker to execute arbitrary code at a higher privilege level [1]. No user interaction beyond the attacker's own actions is required.

Impact

Successful exploitation grants the attacker escalation of privilege, potentially gaining full control over the system's firmware or operating system. This could lead to complete compromise of confidentiality, integrity, and availability of the affected device [1].

Mitigation

Intel has released BIOS version PATGL357.0042 to address this vulnerability. Users should update their BIOS firmware to this version or later via the Intel Driver & Support Assistant or by downloading from the Intel Download Center [1]. No workarounds are available; updating is the only mitigation.