BIOS Update for Security Vulnerabilities: Intel Platform
Giga Computing Technology Co., Ltd. acknowledges the security vulnerabilities affecting GIGABYTE server, workstation, and motherboard products that use the following processors, and advises users to update to the latest BIOS versions:
• 2nd Generation Intel® Xeon® Scalable Processors
• 3rd Generation Intel® Xeon® Scalable Processors
To mitigate the risk of exploitation, GIGABYTE has released new BIOS versions that address the vulnerabilities listed below. The updated BIOS versions are available on the product pages of all affected products. For the GIGABYTE servers R292-4S0 and R292-4S1, the updated BIOS is scheduled to be released by April 17th, 2023.
Common Vulnerabilities and Exposures (CVE ID): CVE-2021-0187
Severity Rating (CVSSv3.1): 6.7, Medium
Description: Improper access control in the BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.
Common Vulnerabilities and Exposures (CVE ID): CVE-2022-26343
Severity Rating (CVSSv3.1): 6.7, Medium
Description: Improper access control in the BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.
Common Vulnerabilities and Exposures (CVE ID): CVE-2022-26837
Severity Rating (CVSSv3.1): 7.0, High
Description: Improper input validation in the BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.
Common Vulnerabilities and Exposures (CVE ID): CVE-2022-32231
Severity Rating (CVSSv3.1): 6.7, Medium
Description: Improper initialization in the BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.
Common Vulnerabilities and Exposures (CVE ID): CVE-2022-21216
Severity Rating (CVSSv3.1): 6.8, Medium
Description: Insufficient granularity of access control in out-of-band management in some Intel(R) Atom(R) and Intel(R) Xeon(R) Scalable Processors may allow a privileged user to potentially enable escalation of privilege via adjacent network access.
Common Vulnerabilities and Exposures (CVE ID): CVE-2022-36348
Severity Rating (CVSSv3.1): 7.8, High
Description: Active debug code in some Intel(R) Server Platform Services (SPS) firmware before version SPS_E5_04.04.04.300.0 may allow an authenticated user to potentially enable escalation of privilege via local access.
Common Vulnerabilities and Exposures (CVE ID): CVE-2022-33972
Severity Rating (CVSSv3.1): 4.4, Medium
Description: Incorrect calculation in microcode keying mechanism for some 3rd Generation Intel(R) Xeon(R) Scalable Processors may allow a privileged user to potentially enable information disclosure via local access.
Common Vulnerabilities and Exposures (CVE ID): CVE-2022-33196
Severity Rating (CVSSv3.1): 6.7, Medium
Description: Incorrect default permissions in some memory controller configurations for some Intel(R) Xeon(R) Processors when using Intel(R) Software Guard Extensions may allow a privileged user to potentially enable escalation of privilege via local access.
Common Vulnerabilities and Exposures (CVE ID): CVE-2022-38090
Severity Rating (CVSSv3.1): 4.4, Medium
Description: Improper isolation of shared resources in some Intel(R) Processors when using Intel(R) Software Guard Extensions may allow a privileged user to potentially enable information disclosure via local access.
Common Vulnerabilities and Exposures (CVE ID): CVE-2022-34301
Severity Rating (CVSSv3.1): 6.7, Medium
Description: A flaw was found in CryptoPro Secure Disk bootloaders before 2022-06-01. An attacker may use this bootloader to bypass or tamper with Secure Boot protections. To load and execute arbitrary code in the pre-boot stage, an attacker only needs to replace the signed bootloader currently in use with this bootloader, which requires access to the EFI System Partition or the ability to boot from external media.
Common Vulnerabilities and Exposures (CVE ID): CVE-2022-34302
Severity Rating (CVSSv3.1): 6.7, Medium
Description: A flaw was found in New Horizon Datasys bootloaders before 2022-06-01. An attacker may use this bootloader to bypass or tamper with Secure Boot protections. To load and execute arbitrary code in the pre-boot stage, an attacker only needs to replace the signed bootloader currently in use with this bootloader, which requires access to the EFI System Partition or the ability to boot from external media.
Common Vulnerabilities and Exposures (CVE ID): CVE-2022-34303
Severity Rating (CVSSv3.1): 6.7, Medium
Description: A flaw was found in Eurosoft bootloaders before 2022-06-01. An attacker may use this bootloader to bypass or tamper with Secure Boot protections. To load and execute arbitrary code in the pre-boot stage, an attacker only needs to replace the signed bootloader currently in use with this bootloader, which requires access to the EFI System Partition or the ability to boot from external media.
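The three bootloader entries above (CVE-2022-34301, CVE-2022-34302, CVE-2022-34303) are not processor flaws: the affected bootloaders carry valid Secure Boot signatures, so the platform-side fix is to revoke their hashes in the Secure Boot forbidden-signature database (dbx) that the firmware carries. The following Python is an added check written for this advisory, not GIGABYTE or Intel code. It parses the dbx variable's chain of EFI_SIGNATURE_LIST structures (UEFI specification layout: a 16-byte SignatureType GUID, three UINT32 sizes, an optional header, then EFI_SIGNATURE_DATA entries of a 16-byte owner GUID plus the signature bytes) and reports which expected SHA-256 revocation hashes are missing. Assumptions: the Linux efivarfs path and its 4-byte attribute prefix; the sample blob and every hash in it are constructed placeholders, since this page does not give the real hashes of the affected bootloaders, which should be taken from the published UEFI DBX update.

```python
"""Enumerate SHA-256 revocations in a UEFI dbx blob and check expected hashes.

Added example for this advisory, not GIGABYTE or Intel code. The sample dbx
below is constructed; its hashes are placeholders, not the real hashes of the
affected bootloaders.
"""
import hashlib
import struct
import uuid
from pathlib import Path

# GUIDs from the UEFI specification (EFI_CERT_SHA256_GUID, EFI_CERT_X509_GUID,
# EFI_GLOBAL_VARIABLE).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
# Assumption: Linux efivarfs exposes the variable here, with a 4-byte attributes prefix.
DBX_EFIVAR = Path(f"/sys/firmware/efi/efivars/dbx-{EFI_GLOBAL_VARIABLE}")

SIGLIST_HEADER = 16 + 4 + 4 + 4  # SignatureType GUID + ListSize + HeaderSize + SignatureSize


def parse_signature_lists(blob):
    """Yield (signature_type, owner_guid, signature_bytes) for each EFI_SIGNATURE_DATA entry.

    Every size field is bounds-checked so a truncated or corrupt variable raises
    instead of silently yielding fewer revocations than the firmware really holds.
    """
    off = 0
    while off < len(blob):
        if len(blob) - off < SIGLIST_HEADER:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < SIGLIST_HEADER + hdr_size or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        if sig_size <= 16:  # must hold at least the owner GUID plus one data byte
            raise ValueError(f"bad SignatureSize {sig_size} at offset {off}")
        body = blob[off + SIGLIST_HEADER + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError(f"signature data not a multiple of SignatureSize at offset {off}")
        for i in range(0, len(body), sig_size):
            entry = body[i:i + sig_size]
            yield sig_type, uuid.UUID(bytes_le=entry[:16]), entry[16:]
        off += list_size


def sha256_revocations(blob):
    """Return the set of lowercase hex SHA-256 hashes revoked by this dbx blob."""
    return {data.hex() for sig_type, _owner, data in parse_signature_lists(blob)
            if sig_type == EFI_CERT_SHA256_GUID}


def missing_revocations(blob, expected_hashes):
    """Return the expected hashes (hex) that the dbx does NOT contain, sorted."""
    present = sha256_revocations(blob)
    return sorted({h.lower() for h in expected_hashes} - present)


def read_dbx(path=DBX_EFIVAR):
    """Read the live dbx from efivarfs, dropping the 4-byte attributes word."""
    return path.read_bytes()[4:]


def build_signature_list(sig_type, entries, owner=uuid.UUID(int=0)):
    """Build one EFI_SIGNATURE_LIST; used only to construct the sample blob."""
    sig_size = 16 + len(entries[0])
    body = b"".join(owner.bytes_le + e for e in entries)
    return sig_type.bytes_le + struct.pack("<III", SIGLIST_HEADER + len(body), 0, sig_size) + body


# Constructed sample: three placeholder revocation hashes split across two SHA-256
# lists, plus a dummy X.509 list that the SHA-256 filter must ignore.
SAMPLE_HASHES = [hashlib.sha256(b"constructed bootloader %d" % i).hexdigest() for i in range(3)]
NOT_REVOKED = hashlib.sha256(b"constructed bootloader not in dbx").hexdigest()
SAMPLE_DBX = (
    build_signature_list(EFI_CERT_SHA256_GUID, [bytes.fromhex(h) for h in SAMPLE_HASHES[:2]])
    + build_signature_list(EFI_CERT_X509_GUID, [b"not-a-real-certificate"])
    + build_signature_list(EFI_CERT_SHA256_GUID, [bytes.fromhex(SAMPLE_HASHES[2])])
)


if __name__ == "__main__":
    blob = read_dbx() if DBX_EFIVAR.exists() else SAMPLE_DBX
    print(f"{len(sha256_revocations(blob))} SHA-256 revocations present")
    # Replace SAMPLE_HASHES with the hashes from the published DBX update on a real system.
    for h in missing_revocations(blob, SAMPLE_HASHES + [NOT_REVOKED]):
        print("MISSING:", h)
```

On a host where efivarfs is mounted the script reads the live dbx; otherwise it runs against the constructed sample, for which exactly the NOT_REVOKED placeholder is reported missing. The parser deliberately raises on a truncated variable rather than returning a partial set, because a partial read would make a firmware that lacks the revocations look patched.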
Common Vulnerabilities and Exposures (CVE ID): CVE-2021-33164
Severity Rating (CVSSv3.1): 6.7, Medium
Description: Improper access control in BIOS firmware for some Intel(R) NUCs before version INWHL357.0046 may allow a privileged user to potentially enable escalation of privilege via local access.
*Please navigate to the "Support" section of the relevant product page to download the updated BIOS.
*For any further assistance regarding this issue please contact your Giga Computing sales representative, or create a new support ticket at https://esupport.gigabyte.com