VYPR
Unrated severity · NVD Advisory · Published Jan 19, 2024 · Updated Jun 17, 2025

CVE-2023-42766

Description

Improper input validation in Intel NUC 8 Compute Element BIOS firmware allows a privileged local user to escalate privileges.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Improper input validation exists in the BIOS firmware of Intel NUC 8 Compute Element, identified by CVE-2023-42766. This vulnerability is present in all versions prior to the update provided in Intel advisory INTEL-SA-01028. The affected firmware component is the system BIOS, and the issue is triggered when a privileged user supplies crafted input to the firmware interface. [1]

Exploitation

An attacker must already have local access to the system and possess privileges (e.g., administrator or root access) to interact with the BIOS firmware configuration. The attack is performed by providing specially crafted input that bypasses proper validation checks, leading to memory corruption or code execution within the firmware context. The exact sequence of steps is not publicly detailed, but the attack requires neither physical access nor user interaction beyond the attacker's existing privileged local access. [1]

Impact

Successful exploitation allows the attacker to escalate their privileges beyond their current level, potentially gaining full control over the firmware and the underlying hardware. This could result in persistent compromise of the system, as the attacker may execute arbitrary code with the highest privilege level (SMM or ring -2). The confidentiality, integrity, and availability of the system could be completely undermined. [1]

Mitigation

Intel has released a firmware update to address this vulnerability. Users should update the BIOS to the latest version provided by Intel or the system manufacturer. The fixed version and release date are detailed in the Intel advisory INTEL-SA-01028 [1]. There is no known workaround; the only mitigation is applying the firmware patch. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date. [1]

References
  1. INTEL-SA-01028

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2
