CVE-2023-29164
Published: 12 February 2025
Description
Improper access control in BMC Firmware for the Intel(R) Server Board S2600WF, Intel(R) Server Board S2600ST, Intel(R) Server Board S2600BP, before version 02.01.0017 and Intel(R) Server Board M50CYP and Intel(R) Server Board D50TNP before version R01.01.0009 may allow an authenticated user to enable escalation of privilege via local access.
Security Summary
CVE-2023-29164 is an improper access control vulnerability (CWE-284) affecting the Baseboard Management Controller (BMC) Firmware on specific Intel Server Boards. The impacted products include Intel Server Board S2600WF, S2600ST, and S2600BP versions prior to 02.01.0017, as well as Intel Server Board M50CYP and D50TNP versions prior to R01.01.0009. The vulnerability, published on 2025-02-12, carries a CVSS v3.1 base score of 7.3 (High), with vector AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N.
An attacker with local access and low-privilege authenticated user permissions can exploit this issue with low attack complexity and no user interaction. Exploitation enables privilege escalation, allowing the attacker to gain elevated access on the BMC. This results in low confidentiality impact, high integrity impact, and no availability impact, with the changed scope amplifying the severity.
Intel's security advisory (INTEL-SA-00990), available at https://intel.com/content/www/us/en/security-center/advisory/intel-sa-00990.html, details the vulnerability and mitigation steps, which include updating the affected BMC Firmware to version 02.01.0017 or later for S2600WF, S2600ST, and S2600BP boards, and R01.01.0009 or later for M50CYP and D50TNP boards.
Details
- CWE(s)