CVE-2022-21933 - Vulnerability Details

ASUS VivoMini/Mini PC device has an improper input validation vulnerability. A local attacker with system privilege can use system management interrupt (SMI) to modify memory, resulting in arbitrary code execution for controlling the system or disrupting service.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

The EPSS score is 0.00101.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

ASUS

VC65-C1

affected

Version	Status	Constraints
`unspecified`	affected	< 1302

ASUS

PB60V

affected

Version	Status	Constraints
`unspecified`	affected	< 1302

ASUS

PB60G

affected

Version	Status	Constraints
`unspecified`	affected	< 1302

ASUS

PB60S

affected

Version	Status	Constraints
`unspecified`	affected	< 1302

ASUS

PA90

affected

Version	Status	Constraints
`unspecified`	affected	< 1401

ASUS

PB50

affected

Version	Status	Constraints
`unspecified`	affected	< 902

ASUS

PB60

affected

Version	Status	Constraints
`unspecified`	affected	< 1502

ASUS

PB61V

affected

Version	Status	Constraints
`unspecified`	affected	< 601

ASUS

TS10

affected

Version	Status	Constraints
`unspecified`	affected	< 609

ASUS

PN40

affected

Version	Status	Constraints
`unspecified`	affected	< 2201

ASUS

PN60

affected

Version	Status	Constraints
`unspecified`	affected	< 808

ASUS

PN30

affected

Version	Status	Constraints
`unspecified`	affected	< 320

ASUS

UN65U

affected

Version	Status	Constraints
`unspecified`	affected	< 618

Configuration 1 [-]

AND

cpe:2.3:o:asus:vc65-c1_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:asus:vc65-c1:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:asus:pb60v_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:asus:pb60v:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:asus:pb60g_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:asus:pb60g:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:asus:pb60s_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:asus:pb60s:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND

cpe:2.3:o:asus:pa90_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:asus:pa90:-:*:*:*:*:*:*:*

Configuration 6 [-]

AND

cpe:2.3:o:asus:pb50_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:asus:pb50:-:*:*:*:*:*:*:*

Configuration 7 [-]

AND

cpe:2.3:o:asus:pb60_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:asus:pb60:-:*:*:*:*:*:*:*

Configuration 8 [-]

AND

cpe:2.3:o:asus:pb61v_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:asus:pb61v:-:*:*:*:*:*:*:*

Configuration 9 [-]

AND

cpe:2.3:o:asus:ts10_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:asus:ts10:-:*:*:*:*:*:*:*

Configuration 10 [-]

AND

cpe:2.3:o:asus:pn40_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:asus:pn40:-:*:*:*:*:*:*:*

Configuration 11 [-]

AND

cpe:2.3:o:asus:pn60_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:asus:pn60:-:*:*:*:*:*:*:*

Configuration 12 [-]

AND

cpe:2.3:o:asus:pn30_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:asus:pn30:-:*:*:*:*:*:*:*

Configuration 13 [-]

AND

cpe:2.3:o:asus:un65u_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:asus:un65u:-:*:*:*:*:*:*:*

No data.

Project Subscriptions

Vendors	Products
Asus Subscribe	Pa90 Subscribe Pa90 Firmware Subscribe Pb50 Subscribe Pb50 Firmware Subscribe Pb60 Subscribe Pb60 Firmware Subscribe Pb60g Subscribe Pb60g Firmware Subscribe Pb60s Subscribe Pb60s Firmware Subscribe Pb60v Subscribe Pb60v Firmware Subscribe Pb61v Subscribe Pb61v Firmware Subscribe Pn30 Subscribe Pn30 Firmware Subscribe Pn40 Subscribe Pn40 Firmware Subscribe Pn60 Subscribe Pn60 Firmware Subscribe Ts10 Subscribe Ts10 Firmware Subscribe Un65u Subscribe Un65u Firmware Subscribe Vc65-c1 Subscribe Vc65-c1 Firmware Subscribe

Advisories

Source	ID	Title
EUVD	EUVD-2022-27089	ASUS VivoMini/Mini PC device has an improper input validation vulnerability. A local attacker with system privilege can use system management interrupt (SMI) to modify memory, resulting in arbitrary code execution for controlling the system or disrupting service.

Fixes

Solution

BIOS Update(https://www.asus.com/content/ASUS-Product-Security-Advisory/)

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.twcert.org.tw/tw/cp-132-5547-34bc4-1.html

History

No history.

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: twcert

Published: 2022-01-21T09:05:12.371715Z

Updated: 2024-09-16T20:06:36.122Z

Reserved: 2021-12-14T00:00:00

Link: CVE-2022-21933

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-01-21T09:15:06.820

Modified: 2024-11-21T06:45:44.113

Link: CVE-2022-21933

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object