Unrated severity · NVD Advisory · Published Nov 14, 2023 · Updated Feb 13, 2025

CVE-2023-25756

Description

Out-of-bounds read in the BIOS firmware for some Intel(R) Processors may allow an authenticated user to potentially enable escalation of privilege via adjacent access.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An out-of-bounds read in Intel processor BIOS firmware allows authenticated users to escalate privileges via adjacent network access.

Vulnerability

An out-of-bounds read vulnerability exists in the BIOS firmware for some Intel(R) Processors, affecting specific processor models listed in the Intel security advisory. Exploitation requires authenticated access and adjacent network connectivity. The affected products and firmware versions are detailed in INTEL-SA-00924 [1].

Exploitation

An authenticated user with adjacent network access can trigger an out-of-bounds read by sending maliciously crafted data or performing specific operations that the vulnerable BIOS firmware processes incorrectly. The attacker must have valid credentials to the targeted system and physical or logical proximity to the network (e.g., local subnet access). No user interaction is required beyond the initial authentication [1].

Impact

Successful exploitation could lead to an escalation of privilege, potentially allowing the attacker to gain higher-level system access or bypass security controls. An out-of-bounds read may also disclose sensitive information or cause a denial of service, so the vulnerability primarily affects confidentiality and availability, but the main risk is privilege escalation [1].

Mitigation

Intel has released firmware updates to address this vulnerability. The fixes are available through system manufacturers (OEMs) as part of their BIOS updates. Users should apply the latest BIOS updates provided by their device vendor. No workarounds are available if the patch cannot be applied. The CVE is not listed as known to be exploited (KEV) as of publication [1].

References
  1. INTEL-SA-00924

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

2