VYPR
Unrated severity · NVD Advisory · Published Feb 10, 2023 · Updated Mar 26, 2025

CVE-2022-34376

Description

Dell PowerEdge BIOS and Dell Precision BIOS contain an improper input validation vulnerability. A local authenticated malicious user may potentially exploit this vulnerability by manipulating an SMI to cause a denial of service during SMM.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A local authenticated attacker can trigger a denial of service in SMM on Dell PowerEdge and Precision BIOS by manipulating an SMI via improper input validation.

Vulnerability

Dell PowerEdge BIOS and Dell Precision BIOS contain an improper input validation vulnerability (CVE-2022-34376) in the System Management Mode (SMM) communication path. The vulnerability exists in the System Management Interrupt (SMI) handler, which can be triggered by a local authenticated user with high privileges. The defect is present in various firmware versions as detailed in Dell advisory DSA-2022-204 [1].

Exploitation

An attacker must have local access to the system and be authenticated with high privileges. The attacker manipulates an SMI, sending malicious input that exploits the improper validation flaw in the SMM communication buffer. The exploitation does not require user interaction beyond the initial authentication [1].

Impact

Successful exploitation causes a denial of service (DoS) during System Management Mode (SMM) execution. The CVSS v3.1 base score is 3.9 (AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L), indicating limited integrity and availability impact but no confidentiality loss. The scope is changed (S:C), meaning the vulnerable component impacts resources beyond its security scope [1].

Mitigation

Dell released a firmware update to address this vulnerability. Users should apply the latest BIOS update for their specific Dell PowerEdge or Precision system as provided in DSA-2022-204 [1]. No workaround other than updating is available. This CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of February 2023.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

Patches

0

No patches discovered yet.

References

1