CVE-2022-34377
Description
Dell PowerEdge BIOS and Dell Precision BIOS contain an improper SMM communication buffer verification vulnerability. A local malicious user with high privileges may potentially exploit this vulnerability to perform arbitrary code execution or cause denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Dell PowerEdge and Precision BIOS have an improper SMM buffer verification vulnerability allowing local high-privilege attackers to cause denial of service or potentially execute arbitrary code.
Vulnerability
Dell PowerEdge BIOS and Dell Precision BIOS contain an improper SMM communication buffer verification vulnerability (CVE-2022-34377). This flaw resides in the System Management Mode (SMM) communication path, where the BIOS fails to properly validate buffers passed between the operating system and SMM. A local attacker with high privileges can exploit this to corrupt SMM memory. The advisory [1] does not list specific affected versions but covers a range of PowerEdge and Precision models.
Exploitation
Exploitation requires local access to the system and high privileges (e.g., administrator or root). The attacker must craft a malicious SMI (System Management Interrupt) that triggers the improper buffer verification. The attack complexity is high (AC:H) and no user interaction is needed (UI:N) [1]. The attacker would need to manipulate SMM communication buffers to achieve code execution or cause a denial of service.
Impact
Successful exploitation could lead to arbitrary code execution within SMM or a denial of service. However, the CVSS vector (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L) indicates only low availability impact, with no confidentiality or integrity impact [1]. This suggests that while code execution is theoretically possible, the practical impact may be limited to denial of service in many scenarios.
Mitigation
Dell released a security advisory (DSA-2022-204) that includes BIOS updates to address this vulnerability [1]. Users should update their system BIOS to the latest version provided by Dell for their specific PowerEdge or Precision model. No workarounds are available; updating is the only mitigation.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (3)
- Range: BIOS 13G Intel 1S/2S and 14G AMD
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.