Get ahead in your AI acceleration with an early inquiry of the G593 AMD Instinct MI300X supercomputer

BIOS Update for Security Vulnerabilities: Intel Platform

CVE-2021-0187, CVE-2022-26343, CVE-2022-26837, CVE-2022-32231, CVE-2022-21216, CVE-2022-36348, CVE-2022-33972, CVE-2022-33196, CVE-2022-38090, CVE-2022-34301, CVE-2022-34302, CVE-2022-34303, CVE-2021-33164

Mar 27, 2023

Giga Computing Technology Co., Ltd. acknowledges the security vulnerabilities affecting GIGABYTE’s server, workstation, and motherboard products that are using the following processors and users are suggested updating to the latest versions:

• 2nd Generation Intel^® Xeon^® Scalable Processors

• 3rd Generation Intel^® Xeon^® Scalable Processors

To mitigate the risk of exploitation, GIGABYTE has released new BIOS versions for the vulnerabilities as listed below. Updated BIOS versions to address the threats are available on all affected product pages. For GIGABYTE servers R292-4S0 and R292-4S1, the BIOS is scheduled to be updated by April 17^th, 2023.

Common Vulnerabilities or Exposures (CVEID): CVE-2021-0187

Severity Rating (CVSSv3.1): 6.7, Medium

Description: Improper access control in the BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable an escalation of privilege via local access.

Common Vulnerabilities or Exposures (CVEID): CVE-2022-26343

Severity Rating (CVSSv3.1): 6.7, Medium

Description: Improper access control in the BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.

Common Vulnerabilities or Exposures (CVEID): CVE-2022-26837

Severity Rating (CVSSv3.1): 7.0, High

Description: Improper input validation in the BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.

Common Vulnerabilities or Exposures (CVEID): CVE-2022-32231

Severity Rating (CVSSv3.1): 6.7, Medium

Description: Improper initialization in the BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.

Common Vulnerabilities or Exposures (CVEID): CVE-2022-21216

Severity Rating (CVSSv3.1): 6.8, Medium

Description: Insufficient granularity of access control in out-of-band management in some Intel(R) Atom and Intel Xeon Scalable Processors may allow a privileged user to potentially enable escalation of privilege via adjacent network access.

Common Vulnerabilities or Exposures (CVEID): CVE-2022-36348

Severity Rating (CVSSv3.1): 7.8, High

Description: Active debug code in some Intel (R) SPS firmware before version SPS_E5_04.04.04.300.0 may allow an authenticated user to potentially enable escalation of privilege via local access.

Common Vulnerabilities or Exposures (CVEID): CVE-2022-33972

Severity Rating (CVSSv3.1): 4.4, Medium

Description: Incorrect calculation in microcode keying mechanism for some 3rd Generation Intel(R) Xeon(R) Scalable Processors may allow a privileged user to potentially enable information disclosure via local access.

Common Vulnerabilities or Exposures (CVEID): CVE-2022-33196

Severity Rating (CVSSv3.1): 6.7, Medium

Description: Incorrect default permissions in some memory controller configurations for some Intel(R) Xeon(R) Processors when using Intel(R) Software Guard Extensions which may allow a privileged user to potentially enable escalation of privilege via local access.

Common Vulnerabilities or Exposures (CVEID): CVE-2022-38090

Severity Rating (CVSSv3.1): 4.4, Medium

Description: Improper isolation of shared resources in some Intel(R) Processors when using Intel(R) Software Guard Extensions may allow a privileged user to potentially enable information disclosure via local access.

Common Vulnerabilities or Exposures (CVEID): CVE-2022-34301

Severity Rating (CVSSv3.1): 6.7, Medium

Description: A flaw was found in CryptoPro Secure Disk bootloaders before 2022-06-01. An attacker may use this bootloader to bypass or tamper with Secure Boot protections. In order to load and execute arbitrary code in the pre-boot stage, an attacker simply needs to replace the existing signed bootloader currently in use with this bootloader. Access to the EFI System Partition is required for booting using external media.

Common Vulnerabilities or Exposures (CVEID): CVE-2022-34302

Severity Rating (CVSSv3.1): 6.7, Medium

Description: A flaw was found in New Horizon Datasys bootloaders before 2022-06-01. An attacker may use this bootloader to bypass or tamper with Secure Boot protections. In order to load and execute arbitrary code in the pre-boot stage, an attacker simply needs to replace the existing signed bootloader currently in use with this bootloader. Access to the EFI System Partition is required for booting using external media.

Common Vulnerabilities or Exposures (CVEID): CVE-2022-34303

Severity Rating (CVSSv3.1): 6.7, Medium

Description: A flaw was found in Eurosoft bootloaders before 2022-06-01. An attacker may use this bootloader to bypass or tamper with Secure Boot protections. In order to load and execute arbitrary code in the pre-boot stage, an attacker simply needs to replace the existing signed bootloader currently in use with this bootloader. Access to the EFI System Partition is required for booting using external media.

Common Vulnerabilities or Exposures (CVEID): CVE-2021-33164

Severity Rating (CVSSv3.1): 6.7, Medium

Description: Improper access control in BIOS firmware for some Intel(R) NUCs before version INWHL357.0046 may allow a privileged user to potentially enable escalation of privilege via local access.

*Please navigate to the "Support" section of the relevant product page to download the updated BIOS.

*For any further assistance regarding this issue please contact your Giga Computing sales representative, or create a new support ticket at https://esupport.gigabyte.com