CVE-2023-25537

Dell PowerEdge 14G server BIOS versions prior to 2.18.1 and Dell Precision BIOS versions prior to 2.18.2, contain an Out of Bounds write vulnerability. A local attacker with low privileges could potentially exploit this vulnerability leading to exposure of some SMRAM stack/data/code in System Management Mode, leading to arbitrary code execution or escalation of privilege.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.dell.com/support/kbdoc/en-us/000213550/dsa-2023-098-security-update-for-dell-poweredge-14g-server-bios-for-an-out-of-bounds-write-vulnerability	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:dell:poweredge_r740_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dell:poweredge_r740:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:dell:poweredge_r740xd_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dell:poweredge_r740xd:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:dell:poweredge_r640_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dell:poweredge_r640:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:o:dell:poweredge_r940_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dell:poweredge_r940:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

cpe:2.3:o:dell:poweredge_r540_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dell:poweredge_r540:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND

cpe:2.3:o:dell:poweredge_r440_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dell:poweredge_r440:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND

cpe:2.3:o:dell:poweredge_t440_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dell:poweredge_t440:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND

cpe:2.3:o:dell:poweredge_xr2_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dell:poweredge_xr2:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND

cpe:2.3:o:dell:poweredge_r740xd2_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dell:poweredge_r740xd2:-:*:*:*:*:*:*:*

Configuration 10 (hide)

AND

cpe:2.3:o:dell:poweredge_r840_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dell:poweredge_r840:-:*:*:*:*:*:*:*

Configuration 11 (hide)

AND

cpe:2.3:o:dell:poweredge_r940xa_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dell:poweredge_r940xa:-:*:*:*:*:*:*:*

Configuration 12 (hide)

AND

cpe:2.3:o:dell:poweredge_t640_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dell:poweredge_t640:-:*:*:*:*:*:*:*

Configuration 13 (hide)

AND

cpe:2.3:o:dell:poweredge_c6420_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dell:poweredge_c6420:-:*:*:*:*:*:*:*

Configuration 14 (hide)

AND

cpe:2.3:o:dell:poweredge_fc640_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dell:poweredge_fc640:-:*:*:*:*:*:*:*

Configuration 15 (hide)

AND

cpe:2.3:o:dell:poweredge_m640_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dell:poweredge_m640:-:*:*:*:*:*:*:*

Configuration 16 (hide)

AND

cpe:2.3:o:dell:poweredge_mx740c_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dell:poweredge_mx740c:-:*:*:*:*:*:*:*

Configuration 17 (hide)

AND

cpe:2.3:o:dell:poweredge_mx840c_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dell:poweredge_mx840c:-:*:*:*:*:*:*:*

Configuration 18 (hide)

AND

cpe:2.3:o:dell:poweredge_c4140_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dell:poweredge_c4140:-:*:*:*:*:*:*:*

Configuration 19 (hide)

AND

cpe:2.3:o:dell:dss_8440_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dell:dss_8440:-:*:*:*:*:*:*:*

Configuration 20 (hide)

AND

cpe:2.3:o:dell:poweredge_xe2420_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dell:poweredge_xe2420:-:*:*:*:*:*:*:*

Configuration 21 (hide)

AND

cpe:2.3:o:dell:poweredge_xe7420_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dell:poweredge_xe7420:-:*:*:*:*:*:*:*

Configuration 22 (hide)

AND

cpe:2.3:o:dell:poweredge_xe7440_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dell:poweredge_xe7440:-:*:*:*:*:*:*:*

Configuration 23 (hide)

AND

cpe:2.3:o:dell:emc_storage_nx3240_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dell:emc_storage_nx3240:-:*:*:*:*:*:*:*

Configuration 24 (hide)

AND

cpe:2.3:o:dell:emc_storage_nx3340_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dell:emc_storage_nx3340:-:*:*:*:*:*:*:*

Configuration 25 (hide)

AND

cpe:2.3:o:dell:emc_xc_core_6420_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dell:emc_xc_core_6420:-:*:*:*:*:*:*:*

Configuration 26 (hide)

AND

cpe:2.3:o:dell:emc_xc_core_xc640_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dell:emc_xc_core_xc640:-:*:*:*:*:*:*:*

Configuration 27 (hide)

AND

cpe:2.3:o:dell:emc_xc_core_xc740xd_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dell:emc_xc_core_xc740xd:-:*:*:*:*:*:*:*

Configuration 28 (hide)

AND

cpe:2.3:o:dell:emc_xc_core_xc740xd2_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dell:emc_xc_core_xc740xd2:-:*:*:*:*:*:*:*

Configuration 29 (hide)

AND

cpe:2.3:o:dell:emc_xc_core_xc940_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dell:emc_xc_core_xc940:-:*:*:*:*:*:*:*

Configuration 30 (hide)

AND

cpe:2.3:o:dell:emc_xc_core_xcxr2_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dell:emc_xc_core_xcxr2:-:*:*:*:*:*:*:*

History

30 May 2023, 21:32

Type	Values Removed	Values Added
CPE		cpe:2.3:o:dell:poweredge_xe7420_firmware:::::::: cpe:2.3:o:dell:emc_xc_core_xc940_firmware:::::::: cpe:2.3:h:dell:poweredge_mx740c:-:::::::* cpe:2.3:h:dell:emc_xc_core_xc940:-:::::::* cpe:2.3:h:dell:poweredge_xe7440:-:::::::* cpe:2.3:o:dell:poweredge_xe7440_firmware:::::::: cpe:2.3:h:dell:emc_storage_nx3340:-:::::::* cpe:2.3:o:dell:poweredge_r740xd2_firmware:::::::: cpe:2.3:h:dell:poweredge_r740xd2:-:::::::* cpe:2.3:h:dell:poweredge_m640:-:::::::* cpe:2.3:h:dell:emc_xc_core_xc740xd2:-:::::::* cpe:2.3:h:dell:poweredge_xe7420:-:::::::* cpe:2.3:o:dell:emc_xc_core_6420_firmware:::::::: cpe:2.3:h:dell:poweredge_r540:-:::::::* cpe:2.3:o:dell:dss_8440_firmware:::::::: cpe:2.3:h:dell:poweredge_r740:-:::::::* cpe:2.3:h:dell:poweredge_mx840c:-:::::::* cpe:2.3:o:dell:poweredge_c6420_firmware:::::::: cpe:2.3:o:dell:poweredge_r940_firmware:::::::: cpe:2.3:h:dell:poweredge_r840:-:::::::* cpe:2.3:o:dell:poweredge_mx740c_firmware:::::::: cpe:2.3:o:dell:poweredge_c4140_firmware:::::::: cpe:2.3:o:dell:emc_xc_core_xc640_firmware:::::::: cpe:2.3:h:dell:poweredge_c4140:-:::::::* cpe:2.3:o:dell:poweredge_r740xd_firmware:::::::: cpe:2.3:o:dell:emc_xc_core_xcxr2_firmware:::::::: cpe:2.3:o:dell:emc_storage_nx3240_firmware:::::::: cpe:2.3:h:dell:poweredge_r740xd:-:::::::* cpe:2.3:h:dell:poweredge_c6420:-:::::::* cpe:2.3:o:dell:poweredge_xr2_firmware:::::::: cpe:2.3:h:dell:poweredge_r940xa:-:::::::* cpe:2.3:h:dell:emc_storage_nx3240:-:::::::* cpe:2.3:h:dell:poweredge_r940:-:::::::* cpe:2.3:o:dell:poweredge_t440_firmware:::::::: cpe:2.3:o:dell:poweredge_r940xa_firmware:::::::: cpe:2.3:o:dell:poweredge_r440_firmware:::::::: cpe:2.3:h:dell:emc_xc_core_xc640:-:::::::* cpe:2.3:o:dell:poweredge_xe2420_firmware:::::::: cpe:2.3:h:dell:dss_8440:-:::::::* cpe:2.3:o:dell:poweredge_r840_firmware:::::::: cpe:2.3:o:dell:poweredge_r640_firmware:::::::: cpe:2.3:h:dell:poweredge_t640:-:::::::* cpe:2.3:h:dell:poweredge_r640:-:::::::* cpe:2.3:h:dell:emc_xc_core_xcxr2:-:::::::* cpe:2.3:h:dell:poweredge_xr2:-:::::::* cpe:2.3:o:dell:poweredge_m640_firmware:::::::: cpe:2.3:h:dell:poweredge_xe2420:-:::::::* cpe:2.3:o:dell:emc_xc_core_xc740xd2_firmware:::::::: cpe:2.3:h:dell:poweredge_r440:-:::::::* cpe:2.3:h:dell:emc_xc_core_6420:-:::::::* cpe:2.3:o:dell:poweredge_mx840c_firmware:::::::: cpe:2.3:h:dell:poweredge_t440:-:::::::* cpe:2.3:o:dell:poweredge_r540_firmware:::::::: cpe:2.3:h:dell:poweredge_fc640:-:::::::* cpe:2.3:o:dell:poweredge_fc640_firmware:::::::: cpe:2.3:o:dell:emc_storage_nx3340_firmware:::::::: cpe:2.3:h:dell:emc_xc_core_xc740xd:-:::::::* cpe:2.3:o:dell:emc_xc_core_xc740xd_firmware:::::::: cpe:2.3:o:dell:poweredge_t640_firmware:::::::: cpe:2.3:o:dell:poweredge_r740_firmware::::::::
References	~~(MISC) https://www.dell.com/support/kbdoc/en-us/000213550/dsa-2023-098-security-update-for-dell-poweredge-14g-server-bios-for-an-out-of-bounds-write-vulnerability -~~	(MISC) https://www.dell.com/support/kbdoc/en-us/000213550/dsa-2023-098-security-update-for-dell-poweredge-14g-server-bios-for-an-out-of-bounds-write-vulnerability - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.8

22 May 2023, 11:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-05-22 11:15

Updated : 2024-02-04 23:37

NVD link : CVE-2023-25537

Mitre link : CVE-2023-25537

CVE.ORG link : CVE-2023-25537

JSON object : View

Products Affected

dell

poweredge_c6420
poweredge_t440
poweredge_r740_firmware
poweredge_r540
poweredge_r440
emc_xc_core_xcxr2
poweredge_r840_firmware
emc_xc_core_xc740xd2
poweredge_r840
poweredge_xe2420_firmware
poweredge_r940xa_firmware
poweredge_r640
emc_xc_core_xc940
poweredge_mx840c_firmware
emc_xc_core_xcxr2_firmware
dss_8440_firmware
emc_xc_core_xc740xd_firmware
poweredge_t440_firmware
poweredge_c6420_firmware
poweredge_mx740c_firmware
poweredge_m640_firmware
poweredge_r940xa
poweredge_c4140
emc_storage_nx3340
emc_xc_core_xc940_firmware
poweredge_r940
poweredge_r740xd2_firmware
emc_xc_core_xc740xd2_firmware
poweredge_m640
poweredge_r540_firmware
poweredge_xe7440_firmware
emc_storage_nx3240
poweredge_r940_firmware
poweredge_fc640
poweredge_mx740c
poweredge_r740xd_firmware
poweredge_r740xd
poweredge_xe2420
poweredge_mx840c
emc_xc_core_6420
emc_storage_nx3340_firmware
poweredge_t640_firmware
poweredge_t640
poweredge_r440_firmware
poweredge_xr2
emc_storage_nx3240_firmware
poweredge_r740xd2
poweredge_xe7420_firmware
poweredge_r740
poweredge_xr2_firmware
emc_xc_core_xc640_firmware
dss_8440
poweredge_c4140_firmware
emc_xc_core_xc740xd
poweredge_r640_firmware
poweredge_fc640_firmware
poweredge_xe7420
emc_xc_core_6420_firmware
emc_xc_core_xc640
poweredge_xe7440

CWE

CWE-787

Out-of-bounds Write

7.8 /10