CVE-2023-34440
Published: 12 February 2025
Summary
CVE-2023-34440 is a high-severity Improper Input Validation (CWE-20) vulnerability in Intel (inferred from references). Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique System Firmware (T1542.001); ranked at the 6.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2023-34440 is an improper input validation vulnerability (CWE-20) in the UEFI firmware for some Intel(R) Processors. Published on 2025-02-12, it carries a CVSS v3.1 base score of 7.5 (AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating high severity with local attack vector, high attack complexity, and requirements for high privileges.
The vulnerability can be exploited by a privileged user with local access to the affected system. Exploitation may enable escalation of privilege, potentially resulting in high impacts to confidentiality, integrity, and availability, with a changed scope that could affect broader system components.
Intel's security advisory (INTEL-SA-01139) addresses the issue at https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01139.html. Debian LTS has also issued an announcement regarding related updates at https://lists.debian.org/debian-lts-announce/2025/03/msg00021.html.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-38516
Vulnerability details
Improper input validation in UEFI firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Improper input validation in UEFI firmware directly enables exploitation of system firmware for pre-OS boot privilege escalation.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires the system to validate inputs to UEFI firmware components, comprehensively addressing the improper input validation vulnerability (CWE-20).
Mandates timely flaw remediation for the specific input validation vulnerability in Intel UEFI firmware as detailed in Intel-SA-01139.
Verifies the integrity of UEFI firmware to ensure it remains uncompromised and prevents exploitation through unauthorized modifications exacerbating the input validation flaw.