Details of VAR-202201-1903

ID

VAR-202201-1903

CVE

CVE-2022-21933

TITLE

ASUS VivoMini/Mini PC Vulnerability related to input validation in devices

Trust: 0.8

sources: JVNDB: JVNDB-2022-003871

DESCRIPTION

ASUS VivoMini/Mini PC device has an improper input validation vulnerability. A local attacker with system privilege can use system management interrupt (SMI) to modify memory, resulting in arbitrary code execution for controlling the system or disrupting service. (DoS) It may be in a state. ASUS VivoMini/Mini PC is an ultra-thin and small mini-computer from Taiwan-based ASUS (ASUS)

Trust: 2.25

sources: NVD: CVE-2022-21933 // JVNDB: JVNDB-2022-003871 // CNVD: CNVD-2022-08158 // VULMON: CVE-2022-21933

IOT TAXONOMY

category:

['IoT']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2022-08158

AFFECTED PRODUCTS

vendor:	asus	model:	pb50	scope:	lt	version:	902	Trust: 1.0
vendor:	asus	model:	pb60g	scope:	lt	version:	1302	Trust: 1.0
vendor:	asus	model:	pb60v	scope:	lt	version:	1302	Trust: 1.0
vendor:	asus	model:	pn60	scope:	lt	version:	808	Trust: 1.0
vendor:	asus	model:	pb61v	scope:	lt	version:	601	Trust: 1.0
vendor:	asus	model:	pn40	scope:	lt	version:	2201	Trust: 1.0
vendor:	asus	model:	ts10	scope:	lt	version:	609	Trust: 1.0
vendor:	asus	model:	pb60s	scope:	lt	version:	1302	Trust: 1.0
vendor:	asus	model:	pb60	scope:	lt	version:	1502	Trust: 1.0
vendor:	asus	model:	pn30	scope:	lt	version:	320	Trust: 1.0
vendor:	asus	model:	pa90	scope:	lt	version:	1401	Trust: 1.0
vendor:	asus	model:	un65u	scope:	lt	version:	618	Trust: 1.0
vendor:	asus	model:	vc65-c1	scope:	lt	version:	1302	Trust: 1.0
vendor:	asustek computer	model:	pb60	scope:	-	version:	-	Trust: 0.8
vendor:	asustek computer	model:	pb60g	scope:	-	version:	-	Trust: 0.8
vendor:	asustek computer	model:	pb60s	scope:	-	version:	-	Trust: 0.8
vendor:	asustek computer	model:	pn40	scope:	-	version:	-	Trust: 0.8
vendor:	asustek computer	model:	pb50	scope:	-	version:	-	Trust: 0.8
vendor:	asustek computer	model:	ts10	scope:	-	version:	-	Trust: 0.8
vendor:	asustek computer	model:	pb61v	scope:	-	version:	-	Trust: 0.8
vendor:	asustek computer	model:	pb60v	scope:	-	version:	-	Trust: 0.8
vendor:	asustek computer	model:	vc65-c1	scope:	-	version:	-	Trust: 0.8
vendor:	asustek computer	model:	pa90	scope:	-	version:	-	Trust: 0.8
vendor:	asus	model:	vivomini/mini pc	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2022-08158 // JVNDB: JVNDB-2022-003871 // NVD: CVE-2022-21933

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-21933
value:	HIGH
Trust: 1.0
twcert@cert.org.tw:	CVE-2022-21933
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2022-21933
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2022-08158
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-202201-2132
value:	HIGH
Trust: 0.6
VULMON:	CVE-2022-21933
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2022-21933
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2022-08158
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2022-21933
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	5.9
version:	3.1
Trust: 1.0
twcert@cert.org.tw:	CVE-2022-21933
baseSeverity:	MEDIUM
baseScore:	6.7
vectorString:	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	0.8
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2022-21933
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2022-08158 // VULMON: CVE-2022-21933 // JVNDB: JVNDB-2022-003871 // CNNVD: CNNVD-202201-2132 // NVD: CVE-2022-21933 // NVD: CVE-2022-21933

PROBLEMTYPE DATA

problemtype:	CWE-20	Trust: 1.0
problemtype:	CWE-787	Trust: 1.0
problemtype:	Inappropriate input confirmation (CWE-20) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2022-003871 // NVD: CVE-2022-21933

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202201-2132

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-202201-2132

PATCH

title:	top page	url:	https://www.asus.com/jp/	Trust: 0.8
title:	Patch for ASUS VivoMini/Mini PC Input Validation Error Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/316996	Trust: 0.6
title:	ASUS VivoMini/Mini PC Enter the fix for the verification error vulnerability	url:	http://123.124.177.30/web/xxk/bdxqById.tag?id=183798	Trust: 0.6
title:	CVE-2022-XXXX	url:	https://github.com/AlphabugX/CVE-2022-23305	Trust: 0.1
title:	CVE-2022-XXXX	url:	https://github.com/AlphabugX/CVE-2022-RCE	Trust: 0.1

sources: CNVD: CNVD-2022-08158 // VULMON: CVE-2022-21933 // JVNDB: JVNDB-2022-003871 // CNNVD: CNNVD-202201-2132

EXTERNAL IDS

db:	NVD	id:	CVE-2022-21933	Trust: 3.9
db:	JVNDB	id:	JVNDB-2022-003871	Trust: 0.8
db:	CNVD	id:	CNVD-2022-08158	Trust: 0.6
db:	CNNVD	id:	CNNVD-202201-2132	Trust: 0.6
db:	VULMON	id:	CVE-2022-21933	Trust: 0.1

sources: CNVD: CNVD-2022-08158 // VULMON: CVE-2022-21933 // JVNDB: JVNDB-2022-003871 // CNNVD: CNNVD-202201-2132 // NVD: CVE-2022-21933

REFERENCES

url:	https://www.twcert.org.tw/tw/cp-132-5547-34bc4-1.html	Trust: 3.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-21933	Trust: 1.4
url:	https://cwe.mitre.org/data/definitions/787.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://github.com/alphabugx/cve-2022-23305	Trust: 0.1

sources: CNVD: CNVD-2022-08158 // VULMON: CVE-2022-21933 // JVNDB: JVNDB-2022-003871 // CNNVD: CNNVD-202201-2132 // NVD: CVE-2022-21933

SOURCES

db:	CNVD	id:	CNVD-2022-08158
db:	VULMON	id:	CVE-2022-21933
db:	JVNDB	id:	JVNDB-2022-003871
db:	CNNVD	id:	CNNVD-202201-2132
db:	NVD	id:	CVE-2022-21933

LAST UPDATE DATE

2024-08-14T15:06:33.567000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2022-08158	date:	2022-02-02T00:00:00
db:	VULMON	id:	CVE-2022-21933	date:	2023-07-24T00:00:00
db:	JVNDB	id:	JVNDB-2022-003871	date:	2023-03-10T02:01:00
db:	CNNVD	id:	CNNVD-202201-2132	date:	2023-07-25T00:00:00
db:	NVD	id:	CVE-2022-21933	date:	2023-07-24T13:53:02.023

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2022-08158	date:	2022-02-01T00:00:00
db:	VULMON	id:	CVE-2022-21933	date:	2022-01-21T00:00:00
db:	JVNDB	id:	JVNDB-2022-003871	date:	2023-03-10T00:00:00
db:	CNNVD	id:	CNNVD-202201-2132	date:	2022-01-21T00:00:00
db:	NVD	id:	CVE-2022-21933	date:	2022-01-21T09:15:06.820