VYPR
Unrated severity · NVD Advisory · Published Mar 16, 2023 · Updated Feb 26, 2025

CVE-2022-34410

Description

Dell PowerEdge BIOS and Dell Precision BIOS contain an Improper SMM communication buffer verification vulnerability. A local malicious user with high Privileges may potentially exploit this vulnerability to perform arbitrary code execution or cause denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Improper SMM communication buffer verification in Dell PowerEdge and Precision BIOS allows local high-privileged users to execute arbitrary code or cause denial of service.

Vulnerability

Dell PowerEdge BIOS and Dell Precision BIOS contain an improper System Management Mode (SMM) communication buffer verification vulnerability [1]. SMI handlers exchange data with the operating system through a communication buffer that the OS places in ordinary memory; if a handler does not verify that the buffer, its declared size, and any addresses it carries lie entirely outside SMRAM, a caller that can already raise an SMI (in practice, kernel-level code on the host) can make the handler read or write SMRAM on its behalf. The advisory describes the attacker as local with high privileges and the outcome as arbitrary code execution or denial of service [1]. The issue spans multiple firmware versions across various Dell server and workstation models; the reference available here does not list the affected BIOS versions, but the advisory groups this CVE with a set of similar issues (CVE-2022-34377 through CVE-2022-34423) [1].

Exploitation

Exploitation requires local access to the system and high privileges (PR:H) [1]. Because the SMI handler operates on a communication buffer supplied by the caller, the attacker must already be able to populate that buffer and trigger the SMI, which in practice means kernel-level (ring 0) code rather than an ordinary administrator process. The attack vector is local (AV:L), attack complexity is high (AC:H), and no user interaction is required (UI:N) [1]. The reference does not publish exploitation steps. For this vulnerability class in general, the attacker places an address or length in the communication buffer that the handler fails to check against SMRAM, so that the handler's own read or write lands inside SMRAM and corrupts SMM code or data.
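The check that this vulnerability class is missing, shown as an added example that is not Dell's firmware code and not taken from the advisory: a simulated SMI handler in two versions, one that trusts the destination address in the caller's communication buffer and one that validates the buffer and every caller-supplied range against SMRAM before acting, modelled on the SmmIsBufferOutsideSmmValid() check in EDK2. The SMRAM window, the communication-buffer address, and the request layout are hypothetical, and the buffer's physical address is passed separately because the demo cannot map physical memory; the handlers record what they would have written instead of writing it.

```c
/* Added example (not Dell firmware): a simulated SMI handler with and without
 * SMM communication buffer verification. All addresses and the request layout
 * are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical SMRAM window protected by the chipset. */
#define SMRAM_BASE 0x7F000000ULL
#define SMRAM_SIZE 0x00800000ULL          /* 8 MiB */

/* Hypothetical request: the caller asks SMM to copy `len` bytes of firmware
 * data to physical address `dest`. */
typedef struct {
    uint64_t dest;
    uint32_t len;
} CommRequest;

/* What a handler would have done, recorded instead of touching memory. */
typedef struct {
    uint64_t written_at;
    uint32_t written_len;
} Outcome;

/* Modelled on EDK2's SmmIsBufferOutsideSmmValid(): true only if the range
 * [addr, addr+len) does not wrap and does not intersect SMRAM. */
static bool buffer_outside_smram(uint64_t addr, uint64_t len)
{
    if (len > UINT64_MAX - addr)                /* addr + len would wrap */
        return false;
    uint64_t end = addr + len;
    if (addr < SMRAM_BASE + SMRAM_SIZE && end > SMRAM_BASE)
        return false;                           /* overlaps SMRAM */
    return true;
}

/* Vulnerable pattern: trusts every field the caller placed in the buffer.
 * A real handler would do CopyMem((void *)req->dest, data, req->len); if
 * dest points into SMRAM, SMM overwrites its own code or data. */
static int smi_handler_vulnerable(uint64_t comm_addr, uint64_t comm_size,
                                  const CommRequest *req, Outcome *out)
{
    (void)comm_addr;
    (void)comm_size;
    out->written_at = req->dest;
    out->written_len = req->len;
    return 0;
}

/* Hardened pattern: returns -1 and does nothing unless every
 * caller-controlled range lies entirely outside SMRAM. */
static int smi_handler_hardened(uint64_t comm_addr, uint64_t comm_size,
                                const CommRequest *req, Outcome *out)
{
    /* 1. The communication buffer itself must be outside SMRAM. */
    if (!buffer_outside_smram(comm_addr, comm_size))
        return -1;
    /* 2. Its size must match the structure the handler parses. */
    if (comm_size != sizeof(CommRequest))
        return -1;
    /* 3. Copy the request into SMRAM-local storage before checking it, so the
     *    caller cannot change the fields after validation (TOCTOU). */
    CommRequest local;
    memcpy(&local, req, sizeof local);
    /* 4. The caller-supplied destination range must also be outside SMRAM. */
    if (!buffer_outside_smram(local.dest, local.len))
        return -1;
    out->written_at = local.dest;
    out->written_len = local.len;
    return 0;
}

/* Feed one request to both handlers; returns the hardened handler's verdict
 * (0 = accepted, -1 = rejected) and records each handler's outcome. */
static int run_request(uint64_t dest, uint32_t len, Outcome *vuln, Outcome *hard)
{
    CommRequest req = { .dest = dest, .len = len };
    uint64_t comm_addr = 0x10000000ULL;   /* hypothetical: buffer in ordinary RAM */
    memset(vuln, 0, sizeof *vuln);
    memset(hard, 0, sizeof *hard);
    smi_handler_vulnerable(comm_addr, sizeof req, &req, vuln);
    return smi_handler_hardened(comm_addr, sizeof req, &req, hard);
}

int main(void)
{
    Outcome v, h;
    int rc;
    rc = run_request(0x20000000ULL, 64, &v, &h);
    printf("benign (dest in RAM):         hardened=%d\n", rc);
    rc = run_request(SMRAM_BASE + 0x1000, 64, &v, &h);
    printf("attack (dest inside SMRAM):   hardened=%d, vulnerable wrote at 0x%llx\n",
           rc, (unsigned long long)v.written_at);
    rc = run_request(SMRAM_BASE - 16, 64, &v, &h);
    printf("attack (range straddles):     hardened=%d\n", rc);
    rc = run_request(UINT64_MAX - 8, 64, &v, &h);
    printf("attack (dest+len wraps):      hardened=%d\n", rc);
    return 0;
}
```

The straddle and wrap-around cases are why the check must test the whole range rather than only the start address: a destination just below SMRAM with a long length, or an address near the top of memory whose addition overflows, both pass a naive `dest < SMRAM_BASE` test.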

Impact

Successful exploitation can lead to arbitrary code execution in SMM or to denial of service [1]. The CVSS v3.1 base score is 7.5 (AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H): high impact on confidentiality, integrity and availability, with changed scope (S:C) because the vulnerable component is the firmware's SMI handler while the impacted resources extend to the whole platform [1]. Code running in SMM sits below the OS kernel and any hypervisor and is invisible to them, so an attacker who reaches it can defeat OS-level protections and potentially take full control of the system [1]. Alternatively, a malformed request can crash the SMI handler or the system, causing denial of service [1].

Mitigation

Dell has published security advisory DSA-2022-204 with BIOS updates that address this vulnerability [1]. Apply the latest BIOS release Dell provides for each affected PowerEdge and Precision model; the reference available here does not list fixed version numbers or release dates [1]. Before and after updating, compare the running BIOS version (for example `dmidecode -s bios-version` on Linux or `Get-CimInstance Win32_BIOS` on Windows) against the remediated version Dell publishes for that model. Until the firmware is updated, restricting local administrative and kernel-level access to trusted users and applying least privilege reduces exposure, since the flaw is only reachable from code that can already trigger an SMI [1]. The references mention neither an end-of-life status nor a CISA KEV listing [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in the index yet)