In 2022, Intel disclosed a serious vulnerability—CVE-2022-36370—impacting several Intel® NUC Boards and Kits. The issue arises from improper authentication in the BIOS firmware before version MYi30060. In the simplest terms, this means a sufficiently privileged user with local system access could trick the BIOS into giving them even higher privileges, potentially taking full control of the machine. This article breaks down how the flaw works, shows realistic exploitation paths, and gives advice for those working in support or security operations.

1. What is CVE-2022-36370?

CVE-2022-36370 is a security bug in the BIOS firmware used by some Intel NUC devices. The problem is that BIOS authentication checks are not tight enough, so a local attacker—someone with a user or limited admin account—could escalate their access all the way up to "root" or "system" through the BIOS interface.

- Affected Products: Intel(R) NUC Boards and Kits with BIOS version below MYi30060.
- Attack Vector: Local access required (the attacker must already be on the machine, physically or remotely).
- Severity: Medium (CVSS Score: 6.7), but can become critical if combined with other attacks.

Official advisory:  
Intel Security Advisory for CVE-2022-36370

2. How the Exploit Works (What’s Improper in Authentication?)

In basic terms, the BIOS (Basic Input/Output System) acts as a gatekeeper before your operating system loads. It usually asks for authentication (a password or credential check) if you try to change low-level settings, especially for updates, boot device changes, or security configurations.

- A privileged user could bypass or trick some authentication checks.
- BIOS routines (like firmware updates, boot configuration) could be accessed or altered without proper permissions.

Technical Details

While Intel hasn’t shared the exact code, the root cause is most likely in a function that checks whether a user input is allowed to enter the BIOS Setup or make firmware changes. If this function returns “true” regardless of user status, an attacker can proceed as if logged in as a BIOS administrator.

*Hypothetical vulnerable snippet in C (for illustration):*

```c
// Vulnerable BIOS check
int isUserAllowed(/*user_input*/) {
    // [Mistake] Always returns 1, so any user passes the check!
    return 1;
}
```

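Instead, it should be something like:

```c
#include <string.h>

// Proper authentication check
// STORED_BIOS_PASSWORD stands in for the credential held by the firmware.
int isUserAllowed(const char *passwordInput) {
    if (strcmp(passwordInput, STORED_BIOS_PASSWORD) == 0) {
        return 1; // Access allowed
    }
    return 0; // Access denied
}
```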


---

Step 1: Get local access

- The attacker obtains a user or admin account on a target NUC system. (This could happen via phishing, credential leaks, or malicious insiders.)

Step 3: Attempt to Change Secure Settings

- The system should ask for a BIOS password or other credentials before letting someone change the boot order, flash the firmware, or reset security stacks.

Example: Automating the Exploit (Proof of Concept in Python)

A *real* BIOS exploit usually needs assembly or specialized tools. With loose authentication, however, command-line tools that interact with the BIOS from the operating system (like fwupd or manufacturer-delivered update tools) become a path to the same settings.

If the BIOS verification API is flawed, a script can easily change firmware settings like this:

```python
import os

# Command to change BIOS boot order (hypothetical vulnerable call)
# Vendor tool would check privilege, but flaw allows regular user to run
os.system("nuc-bios-tool --set-boot-order=SATA1,USB1,NET")
# Command to update BIOS with malicious firmware
os.system("nuc-bios-tool --update --fw=malicious_bios_update.bin")
```


*Note: This is an example! Real BIOS flashes might require utilities available from the vendor or direct interaction during boot, but with this bug, otherwise-blocked commands can be executed by less-privileged users.*

What should you do?

- Upgrade the BIOS: Download the latest firmware (at least version MYi30060) directly from Intel’s support site for your exact NUC model: Intel NUC BIOS Updates
- Lock down local access: Ensure only trusted personnel have admin or console access.
- Set UEFI/BIOS passwords, and do not share them across systems.
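
One way to triage an inventory against the fixed version, as an added example that is not from Intel or the original article. It assumes a short BIOS ID is a family prefix followed by a four-digit build number (as in MYi30060); the hostnames and versions in the sample inventory are constructed.

```python
import re

FIXED_VERSION = "MYi30060"  # first fixed BIOS version named in the article

# Assumption (not stated on the page): a short BIOS ID is a family prefix
# followed by a four-digit build number, e.g. "MYi3" + "0060".
_SHORT_ID = re.compile(r"^([A-Za-z][A-Za-z0-9]*?)(\d{4})$")


def parse_bios_id(raw):
    """Return (family, build) for a short BIOS ID, or None if it does not parse."""
    m = _SHORT_ID.match(raw.strip()) if isinstance(raw, str) else None
    return (m.group(1), int(m.group(2))) if m else None


def classify(raw, fixed=FIXED_VERSION):
    """Classify one reported BIOS version against the fixed version."""
    fixed_family, fixed_build = parse_bios_id(fixed)
    parsed = parse_bios_id(raw)
    if parsed is None:
        return "unknown"        # unparseable: check by hand, never assume patched
    family, build = parsed
    if family.lower() != fixed_family.lower():
        return "other-family"   # different BIOS line; this threshold does not apply
    return "patched" if build >= fixed_build else "vulnerable"


def audit(inventory):
    """Map each host to its classification; inventory is {host: bios_version}."""
    return {host: classify(version) for host, version in inventory.items()}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "nuc-lab-01": "MYi30057",
    "nuc-lab-02": "MYi30060",
    "nuc-lab-03": "MYi30061 ",
    "nuc-kiosk-07": "FN0053",
    "nuc-kiosk-08": "",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host:14} {status}")
```

Hosts reported as `unknown` or `other-family` need a manual check against the advisory for their own model rather than being counted as patched.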

5. References

- Intel Security Advisory - INTEL-SA-00702 (CVE-2022-36370)
- CVE Details for CVE-2022-36370
- Mitre CVE database entry
- Intel NUC BIOS Update Instructions (official)

6. Summary

CVE-2022-36370 is a real-world reminder that even the “locked doors” in our computers (like the BIOS) can have their own faulty locks. If you use Intel NUC boards or kits, update your firmware now, set strong BIOS passwords, and restrict physical/local access. Don’t let attackers level up because of a simple, but dangerous, authentication mistake.

Timeline

Published on: 11/11/2022 16:15:00 UTC
Last modified on: 11/16/2022 16:58:00 UTC