MidnightBSD

Advisories for insyde

CVE-2005-4175 LOW

Insyde BIOS V190 does not clear the keyboard buffer after reading the BIOS password during system startup, which allows local administrators or users to read the password directly from physical memory.

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
insyde insyde_bios v190
CVE-2019-12532 MEDIUM

Improper access control in the Insyde software tools may allow an authenticated user to potentially enable escalation of privilege, or information disclosure via local access. This is a software vulnerability, not a firmware issue. Affected tools include: H2OFFT version 3.02~5.28, 100.00.00.00~100.00.08.23 and 200.00.00.01~200.00.00.05, H2OOAE before version 200.00.00.02, H2OSDE before version 200.00.00.07, H2OUVE before version 200.00.02.02, H2OPCM before version 100.00.06.00, H2OELV before version 100.00.02.08.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
insyde h2osde *
insyde h2opcm *
insyde h2offt *
insyde h2ooae *
insyde h2oelv *
insyde h2ouve *
CVE-2020-27339 HIGH

In the kernel in Insyde InsydeH2O 5.x, certain SMM drivers did not correctly validate the CommBuffer and CommBufferSize parameters, allowing callers to corrupt either the firmware or the OS memory. The fixed versions for this issue in the AhciBusDxe, IdeBusDxe, NvmExpressDxe, SdHostDriverDxe, and SdMmcDeviceDxe drivers are 05.16.25, 05.26.25, 05.35.25, 05.43.25, and 05.51.25 (for Kernel 5.1 through 5.5).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
siemens simatic_ipc377g_firmware -
siemens simatic_ipc477e_pro_firmware -
siemens simatic_ipc427e_firmware -
siemens simatic_ipc477e_firmware -
siemens simatic_ipc127e_firmware -
siemens ruggedcom_apr1808_firmware -
siemens simatic_itp1000_firmware -
insyde insydeh2o *
siemens simatic_field_pg_m6_firmware -
siemens simatic_field_pg_m5_firmware -
siemens simatic_ipc677e_firmware -
siemens simatic_ipc627e_firmware -
siemens simatic_ipc847e_firmware -
siemens simatic_ipc277g_firmware -
siemens simatic_ipc647e_firmware -
siemens simatic_ipc227g_firmware -
siemens simatic_ipc327g_firmware -
CVE-2020-5953 MEDIUM

A vulnerability exists in System Management Interrupt (SWSMI) handler of InsydeH2O UEFI Firmware code located in SWSMI handler that dereferences gRT (EFI_RUNTIME_SERVICES) pointer to call a GetVariable service, which is located outside of SMRAM. This can result in code execution in SMM (escalating privilege from ring 0 to ring -2).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H 0.8 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
siemens simatic_ipc377g_firmware -
siemens simatic_ipc477e_pro_firmware -
siemens simatic_ipc427e_firmware -
siemens simatic_ipc477e_firmware -
siemens simatic_ipc127e_firmware -
insyde insydeh2o 5.23.04.0045
insyde insydeh2o 5.42.03.0010
siemens simatic_itp1000_firmware -
insyde insydeh2o 5.12.09.0074
insyde insydeh2o 5.33.15.0034
siemens simatic_field_pg_m6_firmware -
siemens simatic_field_pg_m5_firmware -
siemens simatic_ipc677e_firmware -
siemens simatic_ipc627e_firmware -
siemens simatic_ipc847e_firmware -
siemens simatic_ipc277g_firmware -
insyde insydeh2o 5.23.45.0023
siemens simatic_ipc647e_firmware -
siemens simatic_ipc227g_firmware -
insyde insydeh2o 5.34.03.0029
siemens simatic_ipc327g_firmware -
siemens ruggedcom_ape1808_firmware -
CVE-2020-5955 HIGH

An issue was discovered in Int15MicrocodeSmm in Insyde InsydeH2O before 2021-10-14 on Intel client chipsets. A caller may be able to escalate privileges.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
insyde insydeh2o_uefi_bios *
CVE-2020-5956 MEDIUM

An issue was discovered in SdLegacySmm in Insyde InsydeH2O with kernel 5.1 before 05.15.11, 5.2 before 05.25.11, 5.3 before 05.34.11, and 5.4 before 05.42.11. The software SMI handler allows untrusted external input because it does not verify CommBuffer.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
insyde insydeh2o *
CVE-2021-33625 MEDIUM

An issue was discovered in Kernel 5.x in Insyde InsydeH2O, affecting HddPassword. Software SMI services that use the Communicate() function of the EFI_SMM_COMMUNICATION_PROTOCOL do not check whether the address of the buffer is valid, which allows use of SMRAM, MMIO, or OS kernel addresses.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H 0.8 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
siemens simatic_ipc377g_firmware -
siemens simatic_ipc477e_pro_firmware -
siemens simatic_ipc427e_firmware -
siemens simatic_ipc477e_firmware -
siemens simatic_ipc127e_firmware -
netapp fas/aff_bios -
siemens simatic_itp1000_firmware -
insyde insydeh2o *
siemens simatic_field_pg_m6_firmware -
siemens simatic_field_pg_m5_firmware -
siemens simatic_ipc677e_firmware -
siemens simatic_ipc627e_firmware -
siemens simatic_ipc847e_firmware -
siemens simatic_ipc277g_firmware -
siemens simatic_ipc647e_firmware -
siemens simatic_ipc227g_firmware -
siemens simatic_ipc327g_firmware -
siemens ruggedcom_ape1808_firmware -
CVE-2021-33626 MEDIUM

A vulnerability exists in SMM (System Management Mode) branch that registers a SWSMI handler that does not sufficiently check or validate the allocated buffer pointer(QWORD values for CommBuffer). This can be used by an attacker to corrupt data in SMRAM memory and even lead to arbitrary code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-829,

Products Affected

Vendor Product Version
siemens simatic_ipc377g_firmware -
siemens simatic_ipc477e_pro_firmware -
siemens simatic_ipc427e_firmware -
siemens simatic_ipc477e_firmware -
siemens simatic_ipc127e_firmware -
siemens ruggedcom_apr1808_firmware -
siemens simatic_itp1000_firmware -
insyde insydeh2o *
siemens simatic_field_pg_m6_firmware -
siemens simatic_field_pg_m5_firmware -
siemens simatic_ipc677e_firmware -
siemens simatic_ipc627e_firmware -
siemens simatic_ipc847e_firmware -
siemens simatic_ipc277g_firmware -
siemens simatic_ipc647e_firmware -
siemens simatic_ipc227g_firmware -
siemens simatic_ipc327g_firmware -
CVE-2021-33627 HIGH

An issue was discovered in Insyde InsydeH2O Kernel 5.0 before 05.09.11, 5.1 before 05.17.11, 5.2 before 05.27.11, 5.3 before 05.36.11, 5.4 before 05.44.11, and 5.5 before 05.52.11 affecting FwBlockServiceSmm. Software SMI services that use the Communicate() function of the EFI_SMM_COMMUNICATION_PROTOCOL do not check whether the address of the buffer is valid, which allows use of SMRAM, MMIO, or OS kernel addresses.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 1.5 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
siemens simatic_itp1000_firmware *
siemens simatic_ipc227g_firmware *
siemens simatic_ipc847e_firmware *
siemens simatic_field_pg_m5_firmware *
siemens simatic_ipc477e_firmware *
siemens simatic_ipc647e_firmware *
siemens simatic_ipc377g_firmware *
siemens simatic_ipc627e_firmware *
insyde insydeh2o *
siemens simatic_ipc427e_firmware *
siemens simatic_ipc677e_firmware *
siemens simatic_field_pg_m6_firmware *
siemens simatic_ipc277g_firmware *
siemens simatic_ipc327g_firmware *
siemens simatic_ipc127e_firmware *
CVE-2021-33834

An issue was discovered in iscflashx64.sys 3.9.3.0 in Insyde H2OFFT 6.20.00. When handling IOCTL 0x22229a, the input used to allocate a buffer and copy memory is mishandled. This could cause memory corruption or a system crash.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.1 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H 1.8 5.2

Products Affected

Vendor Product Version
insyde h2offt 6.20.00
insyde iscflashx64.sys 3.9.3.0
CVE-2021-38575 MEDIUM

NetworkPkg/IScsiDxe has remotely exploitable buffer overflows.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-124,CWE-119,

Products Affected

Vendor Product Version
insyde kernel 5.0
tianocore edk2 *
insyde kernel 5.5
insyde kernel 5.3
insyde kernel 5.4
insyde kernel 5.1
insyde kernel 5.2
CVE-2021-38578 HIGH

Existing CommBuffer checks in SmmEntryPoint will not catch underflow when computing BufferSize.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-124,CWE-787,

Products Affected

Vendor Product Version
insyde kernel 5.0
tianocore edk2 *
insyde kernel 5.5
insyde kernel 5.3
insyde kernel 5.4
insyde kernel 5.1
insyde kernel 5.2
CVE-2021-41837 HIGH

An issue was discovered in AhciBusDxe in the kernel 5.0 through 5.5 in Insyde InsydeH2O. Because of an Untrusted Pointer Dereference that causes SMM memory corruption, an attacker may be able to write fixed or predictable data to SMRAM. Exploiting this issue could lead to escalating privileges to SMM.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 1.5 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
siemens simatic_itp1000_firmware *
siemens simatic_ipc227g_firmware *
siemens simatic_ipc847e_firmware *
siemens simatic_field_pg_m5_firmware *
siemens simatic_ipc477e_firmware *
siemens simatic_ipc647e_firmware *
siemens simatic_ipc377g_firmware *
siemens simatic_ipc627e_firmware *
insyde insydeh2o *
siemens simatic_ipc427e_firmware *
siemens simatic_ipc677e_firmware *
siemens simatic_field_pg_m6_firmware *
siemens simatic_ipc277g_firmware *
siemens simatic_ipc327g_firmware *
siemens simatic_ipc127e_firmware *
CVE-2021-41838 HIGH

An issue was discovered in SdHostDriver in the kernel 5.0 through 5.5 in Insyde InsydeH2O. There is an SMM callout that allows an attacker to access the System Management Mode and execute arbitrary code. This occurs because of a Numeric Range Comparison Without a Minimum Check.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 1.5 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
siemens simatic_itp1000_firmware *
siemens simatic_ipc227g_firmware *
siemens simatic_ipc847e_firmware *
siemens simatic_field_pg_m5_firmware *
siemens simatic_ipc477e_firmware *
siemens simatic_ipc647e_firmware *
siemens simatic_ipc377g_firmware *
siemens simatic_ipc627e_firmware *
insyde insydeh2o *
siemens simatic_ipc427e_firmware *
siemens simatic_ipc677e_firmware *
siemens simatic_field_pg_m6_firmware *
siemens simatic_ipc277g_firmware *
siemens simatic_ipc327g_firmware *
siemens simatic_ipc127e_firmware *
CVE-2021-41839 MEDIUM

An issue was discovered in NvmExpressDxe in the kernel 5.0 through 5.5 in Insyde InsydeH2O. Because of an Untrusted Pointer Dereference that causes SMM memory corruption, an attacker may be able to write fixed or predictable data to SMRAM. Exploiting this issue could lead to escalating privileges to SMM.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 1.5 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
insyde insydeh2o *
CVE-2021-41840 HIGH

An issue was discovered in NvmExpressDxe in the kernel 5.0 through 5.5 in Insyde InsydeH2O. There is an SMM callout that allows an attacker to access the System Management Mode and execute arbitrary code. This occurs because of Inclusion of Functionality from an Untrusted Control Sphere.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 1.5 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-770,

Products Affected

Vendor Product Version
insyde insydeh2o *
CVE-2021-41841 HIGH

An issue was discovered in AhciBusDxe in the kernel 5.0 through 5.5 in Insyde InsydeH2O. There is an SMM callout that allows an attacker to access the System Management Mode and execute arbitrary code. This occurs because of Inclusion of Functionality from an Untrusted Control Sphere.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 1.5 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-829,

Products Affected

Vendor Product Version
insyde insydeh2o *
CVE-2021-41842 HIGH

An issue was discovered in AtaLegacySmm in the kernel 5.0 before 05.08.46, 5.1 before 05.16.46, 5.2 before 05.26.46, 5.3 before 05.35.46, 5.4 before 05.43.46, and 5.5 before 05.51.45 in Insyde InsydeH2O. Code execution can occur because the SMI handler lacks a CommBuffer check.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
insyde insydeh2o *
CVE-2021-42059 HIGH

An issue was discovered in Insyde InsydeH2O Kernel 5.0 before 05.08.41, Kernel 5.1 before 05.16.41, Kernel 5.2 before 05.26.41, Kernel 5.3 before 05.35.41, and Kernel 5.4 before 05.42.20. A stack-based buffer overflow leads toarbitrary code execution in UEFI DisplayTypeDxe DXE driver.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
siemens simatic_itp1000_firmware *
siemens simatic_ipc227g_firmware *
siemens simatic_ipc847e_firmware *
siemens simatic_field_pg_m5_firmware *
siemens simatic_ipc477e_firmware *
siemens simatic_ipc647e_firmware *
siemens simatic_ipc377g_firmware *
siemens simatic_ipc627e_firmware *
insyde insydeh2o *
siemens simatic_ipc427e_firmware *
siemens simatic_ipc677e_firmware *
siemens simatic_field_pg_m6_firmware *
siemens simatic_ipc277g_firmware *
siemens simatic_ipc327g_firmware *
siemens simatic_ipc127e_firmware *
CVE-2021-42060 HIGH

An issue was discovered in Insyde InsydeH2O Kernel 5.0 through 05.08.41, Kernel 5.1 through 05.16.41, Kernel 5.2 before 05.23.22, and Kernel 5.3 before 05.32.22. An Int15ServiceSmm SMM callout vulnerability allows an attacker to hijack execution flow of code running in System Management Mode. Exploiting this issue could lead to escalating privileges to SMM.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 1.5 6.0

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
insyde insydeh2o *
CVE-2021-42113 MEDIUM

An issue was discovered in StorageSecurityCommandDxe in Insyde InsydeH2O with Kernel 5.1 before 05.14.28, Kernel 5.2 before 05.24.28, and Kernel 5.3 before 05.32.25. An SMM callout vulnerability allows an attacker to hijack execution flow of code running in System Management Mode. Exploiting this issue could lead to escalating privileges to SMM.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 1.5 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
insyde insydeh2o *
CVE-2021-42554 HIGH

An issue was discovered in Insyde InsydeH2O with Kernel 5.0 before 05.08.42, Kernel 5.1 before 05.16.42, Kernel 5.2 before 05.26.42, Kernel 5.3 before 05.35.42, Kernel 5.4 before 05.42.51, and Kernel 5.5 before 05.50.51. An SMM memory corruption vulnerability in FvbServicesRuntimeDxe allows a possible attacker to write fixed or predictable data to SMRAM. Exploiting this issue could lead to escalating privileges to SMM.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 1.5 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
siemens simatic_itp1000_firmware *
siemens simatic_ipc227g_firmware *
siemens simatic_ipc847e_firmware *
siemens simatic_field_pg_m5_firmware *
siemens simatic_ipc477e_firmware *
siemens simatic_ipc647e_firmware *
siemens simatic_ipc377g_firmware *
siemens simatic_ipc627e_firmware *
insyde insydeh2o *
siemens simatic_ipc427e_firmware *
siemens simatic_ipc677e_firmware *
siemens simatic_field_pg_m6_firmware *
siemens simatic_ipc277g_firmware *
siemens simatic_ipc327g_firmware *
siemens ruggedcom_ape1808_firmware *
siemens simatic_ipc127e_firmware *
CVE-2021-43323 HIGH

An issue was discovered in UsbCoreDxe in Insyde InsydeH2O with kernel 5.5 before 05.51.45, 5.4 before 05.43.45, 5.3 before 05.35.45, 5.2 before 05.26.45, 5.1 before 05.16.45, and 5.0 before 05.08.45. An SMM callout vulnerability allows an attacker to hijack execution flow of code running in System Management Mode. Exploiting this issue could lead to escalating privileges to SMM.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 1.5 6.0

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
insyde insydeh2o *
CVE-2021-43522 MEDIUM

An issue was discovered in Insyde InsydeH2O with kernel 5.1 through 2021-11-08, 5.2 through 2021-11-08, and 5.3 through 2021-11-08. A StorageSecurityCommandDxe SMM memory corruption vulnerability allows an attacker to write fixed or predictable data to SMRAM. Exploiting this issue could lead to escalating privileges to SMM.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H 0.8 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
insyde insydeh2o *
CVE-2021-43615 HIGH

An issue was discovered in HddPassword in Insyde InsydeH2O with kernel 5.1 before 05.16.23, 5.2 before 05.26.23, 5.3 before 05.35.23, 5.4 before 05.43.22, and 5.5 before 05.51.22. An SMM memory corruption vulnerability allows an attacker to write fixed or predictable data to SMRAM. Exploiting this issue could lead to escalating privileges to SMM.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 1.5 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
insyde insydeh2o *
CVE-2021-45969 HIGH

An issue was discovered in AhciBusDxe in Insyde InsydeH2O with kernel 5.1 before 05.16.25, 5.2 before 05.26.25, 5.3 before 05.35.25, 5.4 before 05.43.25, and 5.5 before 05.51.25. A vulnerability exists in the SMM (System Management Mode) branch that registers a SWSMI handler that does not sufficiently check or validate the allocated buffer pointer (the CommBuffer+8 location).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 1.5 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
insyde insydeh2o *
CVE-2021-45970 HIGH

An issue was discovered in IdeBusDxe in Insyde InsydeH2O with kernel 5.1 before 05.16.25, 5.2 before 05.26.25, 5.3 before 05.35.25, 5.4 before 05.43.25, and 5.5 before 05.51.25. A vulnerability exists in the SMM (System Management Mode) branch that registers a SWSMI handler that does not sufficiently check or validate the allocated buffer pointer (the status code saved at the CommBuffer+4 location).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 1.5 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
insyde insydeh2o *
CVE-2021-45971 HIGH

An issue was discovered in SdHostDriver in Insyde InsydeH2O with kernel 5.1 before 05.16.25, 5.2 before 05.26.25, 5.3 before 05.35.25, 5.4 before 05.43.25, and 5.5 before 05.51.25. A vulnerability exists in the SMM (System Management Mode) branch that registers a SWSMI handler that does not sufficiently check or validate the allocated buffer pointer (CommBufferData).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 1.5 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
insyde insydeh2o *
CVE-2022-24030 MEDIUM

An issue was discovered in AhciBusDxe in Insyde InsydeH2O with kernel 5.1 through 5.5. An SMM memory corruption vulnerability allows an attacker to write fixed or predictable data to SMRAM. Exploiting this issue could lead to escalating privileges to SMM.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H 0.8 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
insyde insydeh2o *
CVE-2022-24031 HIGH

An issue was discovered in NvmExpressDxe in Insyde InsydeH2O with kernel 5.1 through 5.5. An SMM memory corruption vulnerability allows an attacker to write fixed or predictable data to SMRAM. Exploiting this issue could lead to escalating privileges to SMM.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 1.5 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
insyde insydeh2o *
CVE-2022-24069 HIGH

An issue was discovered in AhciBusDxe in Insyde InsydeH2O with kernel 5.0 before 05.08.41, 5.1 before 05.16.29, 5.2 before 05.26.29, 5.3 before 05.35.29, 5.4 before 05.43.29, and 5.5 before 05.51.29. An SMM callout vulnerability allows an attacker to hijack the execution flow of code running in System Management Mode. Exploiting this issue could lead to escalating privileges to SMM.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 1.5 6.0

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
insyde insydeh2o *
CVE-2022-24350

An issue was discovered in IhisiSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. IHISI function 0x17 verifies that the output buffer lies within the command buffer but does not verify that output data does not go beyond the end of the command buffer. In particular, the GetFlashTable function is called directly on the Command Buffer before the DataSize is check, leading to possible circumstances where the data immediately following the command buffer could be destroyed before returning a buffer size error.

Products Affected

Vendor Product Version
insyde insydeh2o *
CVE-2022-24351

TOCTOU race-condition vulnerability in Insyde InsydeH2O with Kernel 5.2 before version 05.27.29, Kernel 5.3 before version 05.36.29, Kernel 5.4 version before 05.44.13, and Kernel 5.5 before version 05.52.13 allows an attacker to alter data and code used by the remainder of the boot process.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.7 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N 1.0 3.6

Products Affected

Vendor Product Version
insyde insydeh2o *
CVE-2022-29275

In UsbCoreDxe, untrusted input may allow SMRAM or OS memory tampering Use of untrusted pointers could allow OS or SMRAM memory tampering leading to escalation of privileges. This issue was discovered by Insyde during security review. It was fixed in: Kernel 5.0: version 05.09.21 Kernel 5.1: version 05.17.21 Kernel 5.2: version 05.27.21 Kernel 5.3: version 05.36.21 Kernel 5.4: version 05.44.21 Kernel 5.5: version 05.52.21 https://www.insyde.com/security-pledge/SA-2022058

Products Affected

Vendor Product Version
insyde kernel *
CVE-2022-29276

SMI functions in AhciBusDxe use untrusted inputs leading to corruption of SMRAM. SMI functions in AhciBusDxe use untrusted inputs leading to corruption of SMRAM. This issue was discovered by Insyde during security review. It was fixed in: Kernel 5.0: version 05.09.18 Kernel 5.1: version 05.17.18 Kernel 5.2: version 05.27.18 Kernel 5.3: version 05.36.18 Kernel 5.4: version 05.44.18 Kernel 5.5: version 05.52.18 https://www.insyde.com/security-pledge/SA-2022059

Products Affected

Vendor Product Version
insyde kernel *
CVE-2022-29278

Incorrect pointer checks within the NvmExpressDxe driver can allow tampering with SMRAM and OS memory Incorrect pointer checks within the NvmExpressDxe driver can allow tampering with SMRAM and OS memory. This issue was discovered by Insyde during security review. Fixed in: Kernel 5.1: Version 05.17.23 Kernel 5.2: Version 05.27.23 Kernel 5.3: Version 05.36.23 Kernel 5.4: Version 05.44.23 Kernel 5.5: Version 05.52.23 https://www.insyde.com/security-pledge/SA-2022061

Products Affected

Vendor Product Version
insyde kernel *
CVE-2022-29279

Use of a untrusted pointer allows tampering with SMRAM and OS memory in SdHostDriver and SdMmcDevice Use of a untrusted pointer allows tampering with SMRAM and OS memory in SdHostDriver and SdMmcDevice. This issue was discovered by Insyde during security review. It was fixed in: Kernel 5.0: version 05.09.17 Kernel 5.1: version 05.17.17 Kernel 5.2: version 05.27.17 Kernel 5.3: version 05.36.17 Kernel 5.4: version 05.44.17 Kernel 5.5: version 05.52.17 https://www.insyde.com/security-pledge/SA-2022062

Products Affected

Vendor Product Version
insyde kernel *
CVE-2022-30283

In UsbCoreDxe, tampering with the contents of the USB working buffer using DMA while certain USB transactions are in process leads to a TOCTOU problem that could be used by an attacker to cause SMRAM corruption and escalation of privileges The UsbCoreDxe module creates a working buffer for USB transactions outside of SMRAM. The code which uses can be inside of SMM, making the working buffer untrusted input. The buffer can be corrupted by DMA transfers. The SMM code code attempts to sanitize pointers to ensure all pointers refer to the working buffer, but when a pointer is not found in the list of pointers to sanitize, the current action is not aborted, leading to undefined behavior. This issue was discovered by Insyde engineering based on the general description provided by Intel's iSTARE group. Fixed in: Kernel 5.0: Version 05.09. 21 Kernel 5.1: Version 05.17.21 Kernel 5.2: Version 05.27.21 Kernel 5.3: Version 05.36.21 Kernel 5.4: Version 05.44.21 Kernel 5.5: Version 05.52.21 https://www.insyde.com/security-pledge/SA-2022063

Products Affected

Vendor Product Version
insyde kernel *
CVE-2022-30771

Initialization function in PnpSmm could lead to SMRAM corruption when using subsequent PNP SMI functions Initialization function in PnpSmm could lead to SMRAM corruption when using subsequent PNP SMI functions. This issue was discovered by Insyde engineering during a security review. Fixed in: Kernel 5.1: Version 05.17.25 Kernel 5.2: Version 05.27.25 Kernel 5.3: Version 05.36.25 Kernel 5.4: Version 05.44.25 Kernel 5.5: Version 05.52.25 https://www.insyde.com/security-pledge/SA-2022064

Products Affected

Vendor Product Version
insyde kernel *
CVE-2022-30772

Manipulation of the input address in PnpSmm function 0x52 could be used by malware to overwrite SMRAM or OS kernel memory. Function 0x52 of the PnpSmm driver is passed the address and size of data to write into the SMBIOS table, but manipulation of the address could be used by malware to overwrite SMRAM or OS kernel memory. This issue was discovered by Insyde engineering during a security review. This issue is fixed in: Kernel 5.0: 05.09.41 Kernel 5.1: 05.17.43 Kernel 5.2: 05.27.30 Kernel 5.3: 05.36.30 Kernel 5.4: 05.44.30 Kernel 5.5: 05.52.30 https://www.insyde.com/security-pledge/SA-2022065

Products Affected

Vendor Product Version
insyde kernel *
CVE-2022-30773

DMA attacks on the parameter buffer used by the IhisiSmm driver could change the contents after parameter values have been checked but before they are used (a TOCTOU attack). DMA attacks on the parameter buffer used by the IhisiSmm driver could change the contents after parameter values have been checked but before they are used (a TOCTOU attack). This issue was discovered by Insyde engineering. This issue is fixed in Kernel 5.4: 05.44.23 and Kernel 5.5: 05.52.23. CWE-367

Products Affected

Vendor Product Version
insyde kernel *
CVE-2022-30774

DMA attacks on the parameter buffer used by the PnpSmm driver could change the contents after parameter values have been checked but before they are used (a TOCTOU attack) DMA attacks on the parameter buffer used by the PnpSmm driver could change the contents after parameter values have been checked but before they are used (a TOCTOU attack) . This issue was discovered by Insyde engineering during a security review. This iss was fixed in Kernel 5.2: 05.27.29, Kernel 5.3: 05.36.25, Kernel 5.4: 05.44.25, Kernel 5.5: 05.52.25. CWE-367 https://www.insyde.com/security-pledge/SA-2022043

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.4 MEDIUM CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H 0.5 5.9

Products Affected

Vendor Product Version
insyde kernel *
CVE-2022-31243

Update description and links DMA transactions which are targeted at input buffers used for the software SMI handler used by the FvbServicesRuntimeDxe driver could cause SMRAM corruption through a TOCTOU attack.. "DMA transactions which are targeted at input buffers used for the software SMI handler used by the FvbServicesRuntimeDxe driver could cause SMRAM corruption. This issue was discovered by Insyde engineering based on the general description provided by Intel's iSTARE group. Fixed in Kernel 5.2: 05.27.21. Kernel 5.3: 05.36.21. Kernel 5.4: 05.44.21. Kernel 5.5: 05.52.21 https://www.insyde.com/security-pledge/SA-2022044

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.4 MEDIUM CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H 0.5 5.9

Products Affected

Vendor Product Version
insyde kernel *
CVE-2022-32266

DMA attacks on the parameter buffer used by a software SMI handler used by the driver PcdSmmDxe could lead to a TOCTOU attack on the SMI handler and lead to corruption of other ACPI fields and adjacent memory fields. DMA attacks on the parameter buffer used by a software SMI handler used by the driver PcdSmmDxe could lead to a TOCTOU attack on the SMI handler and lead to corruption of other ACPI fields and adjacent memory fields. The attack would require detailed knowledge of the PCD database contents on the current platform. This issue was discovered by Insyde engineering during a security review. This issue is fixed in Kernel 5.3: 05.36.23, Kernel 5.4: 05.44.23, Kernel 5.5: 05.52.23. Kernel 5.2 is unaffected. CWE-787 An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the parameter buffer that is used by a software SMI handler (used by the PcdSmmDxe driver) could lead to a TOCTOU race-condition attack on the SMI handler, and lead to corruption of other ACPI fields and adjacent memory fields. The attack would require detailed knowledge of the PCD database contents on the current platform.

Products Affected

Vendor Product Version
insyde kernel *
CVE-2022-32267

DMA transactions which are targeted at input buffers used for the SmmResourceCheckDxe software SMI handler cause SMRAM corruption (a TOCTOU attack) DMA transactions which are targeted at input buffers used for the software SMI handler used by the SmmResourceCheckDxe driver could cause SMRAM corruption through a TOCTOU attack... This issue was discovered by Insyde engineering. Fixed in kernel Kernel 5.2: 05.27.23. Kernel 5.3: 05.36.23. Kernel 5.4: 05.44.23. Kernel 5.5: 05.52.23 https://www.insyde.com/security-pledge/SA-2022046

Products Affected

Vendor Product Version
insyde kernel *
CVE-2022-32469

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the PnpSmm shared buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the firmware block services data to SMRAM before checking it.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

Products Affected

Vendor Product Version
insyde insydeh2o *
CVE-2022-32470

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the FwBlockServiceSmm shared buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the firmware block services data to SMRAM before checking it.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

Products Affected

Vendor Product Version
insyde insydeh2o *
CVE-2022-32471

An issue was discovered in IhisiSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. The IhisiDxe driver uses the command buffer to pass input and output data. By modifying the command buffer contents with DMA after the input parameters have been checked but before they are used, the IHISI SMM code may be convinced to modify SMRAM or OS, leading to possible data corruption or escalation of privileges.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

Products Affected

Vendor Product Version
insyde insydeh2o *
CVE-2022-32473

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the HddPassword shared buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the firmware block services data to SMRAM before checking it.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

Products Affected

Vendor Product Version
insyde insydeh2o *
CVE-2022-32474

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the StorageSecurityCommandDxe shared buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the firmware block services data to SMRAM before checking it.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

Products Affected

Vendor Product Version
insyde insydeh2o *
CVE-2022-32475

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the VariableRuntimeDxe shared buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This issue was fixed in the kernel, which also protected chipset and OEM chipset code.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

Products Affected

Vendor Product Version
insyde insydeh2o *
CVE-2022-32476

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the AhciBusDxe shared buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the firmware block services data to SMRAM before checking it.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

Products Affected

Vendor Product Version
insyde insydeh2o *
CVE-2022-32477

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the FvbServicesRuntimeDxe shared buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the firmware block services data to SMRAM before checking it.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

Products Affected

Vendor Product Version
insyde insydeh2o *
CVE-2022-32478

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the IdeBusDxe shared buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the firmware block services data to SMRAM before checking it.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

Products Affected

Vendor Product Version
insyde insydeh2o *
CVE-2022-32953

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the SdHostDriver buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated by using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the link data to SMRAM before checking it and verifying that all pointers are within the buffer.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

Products Affected

Vendor Product Version
insyde insydeh2o *
CVE-2022-32954

An issue was discovered in Insyde InsydeH2O with kernel 5.1 through 5.5. DMA attacks on the SdMmcDevice buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated by using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the link data to SMRAM before checking it and verifying that all pointers are within the buffer.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

Products Affected

Vendor Product Version
insyde insydeh2o *
CVE-2022-32955

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the NvmExpressDxe buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated by using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the link data to SMRAM before checking it and verifying that all pointers are within the buffer.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

Products Affected

Vendor Product Version
insyde insydeh2o *
CVE-2022-33905

DMA transactions which are targeted at input buffers used for the AhciBusDxe software SMI handler could cause SMRAM corruption (a TOCTOU attack). DMA transactions which are targeted at input buffers used for the software SMI handler used by the AhciBusDxe driver could cause SMRAM corruption through a TOCTOU attack. This issue was discovered by Insyde engineering based on the general description provided by Intel's iSTARE group, Fixed in kernel 5.2: 05.27.23, kernel 5.3: 05.36.23, kernel 5.4: 05.44.23, kernel 5.5: 05.52.23 https://www.insyde.com/security-pledge/SA-2022047

Products Affected

Vendor Product Version
insyde kernel *
CVE-2022-33906

DMA transactions which are targeted at input buffers used for the FwBlockServiceSmm software SMI handler could cause SMRAM corruption through a TOCTOU attack. DMA transactions which are targeted at input buffers used for the software SMI handler used by the FwBlockServiceSmm driver could cause SMRAM corruption through a TOCTOU attack. This issue was discovered by Insyde engineering based on the general description provided by Intel's iSTARE group. Fixed in kernel 5.2: 05.27.23, 5.3: 05.36.23, 5.4: 05.44.23, 5.5: 05.52.23 https://www.insyde.com/security-pledge/SA-2022048

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.4 MEDIUM CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H 0.5 5.9

Products Affected

Vendor Product Version
insyde kernel *
CVE-2022-33907

DMA transactions which are targeted at input buffers used for the software SMI handler used by the IdeBusDxe driver could cause SMRAM corruption through a TOCTOU attack... DMA transactions which are targeted at input buffers used for the software SMI handler used by the IdeBusDxe driver could cause SMRAM corruption through a TOCTOU attack. This issue was discovered by Insyde engineering based on the general description provided by Intel's iSTARE group. Fixed in kernel 5.2: 05.27.25, kernel 5.3: 05.36.25, kernel 5.4: 05.44.25 https://www.insyde.com/security-pledge/SA-2022049

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.4 MEDIUM CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H 0.5 5.9

Products Affected

Vendor Product Version
insyde kernel *
CVE-2022-33908

DMA transactions which are targeted at input buffers used for the SdHostDriver software SMI handler could cause SMRAM corruption through a TOCTOU attack. DMA transactions which are targeted at input buffers used for the software SMI handler used by the SdHostDriver driver could cause SMRAM corruption through a TOCTOU attack. This issue was discovered by Insyde engineering based on the general description provided by Intel's iSTARE group. Fixed in kernel 5.2: 05.27.25, kernel 5.3: 05.36.25, kernel 5.4: 05.44.25, kernel 5.5: 05.52.25 https://www.insyde.com/security-pledge/SA-2022050

Products Affected

Vendor Product Version
insyde kernel *
CVE-2022-33909

DMA transactions which are targeted at input buffers used for the HddPassword software SMI handler could cause SMRAM corruption through a TOCTOU attack. DMA transactions which are targeted at input buffers used for the software SMI handler used by the HddPassword driver could cause SMRAM corruption through a TOCTOU attack..This issue was discovered by Insyde engineering based on the general description provided by Intel's iSTARE group. Fixed in kernel Kernel 5.2: 05.27.23, Kernel 5.3: 05.36.23, Kernel 5.4: 05.44.23, Kernel 5.5: 05.52.23 https://www.insyde.com/security-pledge/SA-2022051

Products Affected

Vendor Product Version
insyde kernel *
CVE-2022-33982

DMA attacks on the parameter buffer used by the Int15ServiceSmm software SMI handler could lead to a TOCTOU attack on the SMI handler and lead to corruption of SMRAM. DMA attacks on the parameter buffer used by the software SMI handler used by the driver Int15ServiceSmm could lead to a TOCTOU attack on the SMI handler and lead to corruption of SMRAM. This issue was discovered by Insyde engineering during a security review. This issue is fixed in Kernel 5.2: 05.27.23, Kernel 5.3: 05.36.23, Kernel 5.4: 05.44.23 and Kernel 5.5: 05.52.23 CWE-367

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.4 MEDIUM CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H 0.5 5.9

Products Affected

Vendor Product Version
insyde kernel *
CVE-2022-33983

DMA transactions which are targeted at input buffers used for the NvmExpressLegacy software SMI handler could cause SMRAM corruption through a TOCTOU attack. DMA transactions which are targeted at input buffers used for the software SMI handler used by the NvmExpressLegacy driver could cause SMRAM corruption through a TOCTOU attack. This issue was discovered by Insyde engineering based on the general description provided by Intel's iSTARE group. This issue was fixed in kernel 5.2: 05.27.25, kernel 5.3: 05.36.25, kernel 5.4: 05.44.25, kernel 5.5: 05.52.25 https://www.insyde.com/security-pledge/SA-2022053

Products Affected

Vendor Product Version
insyde kernel *
CVE-2022-33984

DMA transactions which are targeted at input buffers used for the SdMmcDevice software SMI handler could cause SMRAM corruption through a TOCTOU attack. DMA transactions which are targeted at input buffers used for the software SMI handler used by the SdMmcDevice driver could cause SMRAM corruption through a TOCTOU attack. This issue was discovered by Insyde engineering based on the general description provided by Intel's iSTARE group. This was fixed in kernel 5.2: 05.27.25, kernel 5.3: 05.36.25, kernel 5.4: 05.44.25, kernel 5.5: 05.52.25 https://www.insyde.com/security-pledge/SA-2022054

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

Products Affected

Vendor Product Version
insyde kernel *
CVE-2022-33985

DMA transactions which are targeted at input buffers used for the NvmExpressDxe software SMI handler could cause SMRAM corruption through a TOCTOU attack. DMA transactions which are targeted at input buffers used for the software SMI handler used by the NvmExpressDxe driver could cause SMRAM corruption through a TOCTOU attack. This issue was discovered by Insyde engineering based on the general description provided by Intel's iSTARE group. This issue was fixed in kernel 5.2: 05.27.25, kernel 5.3: 05.36.25, kernel 5.4: 05.44.25, kernel 5.5: 05.52.25 https://www.insyde.com/security-pledge/SA-2022055

Products Affected

Vendor Product Version
insyde kernel *
CVE-2022-33986

DMA attacks on the parameter buffer used by the VariableRuntimeDxe software SMI handler could lead to a TOCTOU attack. DMA attacks on the parameter buffer used by the software SMI handler used by the driver VariableRuntimeDxe could lead to a TOCTOU attack on the SMI handler and lead to corruption of SMRAM. This issue was discovered by Insyde engineering during a security review. This issue is fixed in Kernel 5.4: 05.44.23 and Kernel 5.5: 05.52.23. CWE-367 CWE-367 Report at: https://www.insyde.com/security-pledge/SA-2022056

Products Affected

Vendor Product Version
insyde kernel *
CVE-2022-34325

DMA transactions which are targeted at input buffers used for the StorageSecurityCommandDxe software SMI handler could cause SMRAM corruption through a TOCTOU attack. DMA transactions which are targeted at input buffers used for the software SMI handler used by the StorageSecurityCommandDxe driver could cause SMRAM corruption. This issue was discovered by Insyde engineering based on the general description provided by

Products Affected

Vendor Product Version
insyde insydeh2o *
CVE-2022-35407

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. A stack buffer overflow leads to arbitrary code execution in the SetupUtility driver on Intel platforms. An attacker can change the values of certain UEFI variables. If the size of the second variable exceeds the size of the first, then the buffer will be overwritten. This issue affects the SetupUtility driver of InsydeH2O.

Products Affected

Vendor Product Version
insyde kernel *
CVE-2022-35408

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. An SMM callout vulnerability in the SMM driver in UsbLegacyControlSmm leads to possible arbitrary code execution in SMM and escalation of privileges. An attacker could overwrite the function pointers in the EFI_BOOT_SERVICES table before the USB SMI handler triggers. (This is not exploitable from code running in the operating system.)

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 1.5 6.0

Products Affected

Vendor Product Version
insyde insydeh2o *
CVE-2022-35893

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. An SMM memory corruption vulnerability in the FvbServicesRuntimeDxe driver allows an attacker to write fixed or predictable data to SMRAM. Exploiting this issue could lead to escalating privileges to SMM.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 1.5 6.0

Products Affected

Vendor Product Version
insyde insydeh2o *
CVE-2022-35894

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. The SMI handler for the FwBlockServiceSmm driver uses an untrusted pointer as the location to copy data to an attacker-specified buffer, leading to information disclosure.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N 1.5 4.0

Products Affected

Vendor Product Version
insyde insydeh2o *
CVE-2022-35895

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. The FwBlockSericceSmm driver does not properly validate input parameters for a software SMI routine, leading to memory corruption of arbitrary addresses including SMRAM, and possible arbitrary code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 1.5 6.0

Products Affected

Vendor Product Version
insyde insydeh2o *
CVE-2022-35896

An issue SMM memory leak vulnerability in SMM driver (SMRAM was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. An attacker can dump SMRAM contents via the software SMI provided by the FvbServicesRuntimeDxe driver to read the contents of SMRAM, leading to information disclosure.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N 1.5 4.0

Products Affected

Vendor Product Version
insyde insydeh2o *
CVE-2022-35897

An stack buffer overflow vulnerability leads to arbitrary code execution issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. If the attacker modifies specific UEFI variables, it can cause a stack overflow, leading to arbitrary code execution. The specific variables are normally locked (read-only) at the OS level and therefore an attack would require direct SPI modification. If an attacker can change the values of at least two variables out of three (SecureBootEnforce, SecureBoot, RestoreBootSettings), it is possible to execute arbitrary code.

Products Affected

Vendor Product Version
insyde kernel *
CVE-2022-36337

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. A stack buffer overflow vulnerability in the MebxConfiguration driver leads to arbitrary code execution. Control of a UEFI variable under the OS can cause this overflow when read by BIOS code.

Products Affected

Vendor Product Version
insyde kernel *
CVE-2022-36338

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. An SMM callout vulnerability in the SMM driver FwBlockServiceSmm, creating SMM, leads to arbitrary code execution. An attacker can replace the pointer to the UEFI boot service GetVariable with a pointer to malware, and then generate a software SMI.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 1.5 6.0

Products Affected

Vendor Product Version
insyde insydeh2o *
CVE-2022-36448

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. There is an SMM memory corruption vulnerability in the Software SMI handler in the PnpSmm driver.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H 1.5 6.0

Products Affected

Vendor Product Version
insyde insydeh2o *
CVE-2022-46897

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. The CapsuleIFWUSmm driver does not check the return value from a method or function. This can prevent it from detecting unexpected states and conditions.

Products Affected

Vendor Product Version
insyde kernel *
CVE-2023-22612

An issue was discovered in IhisiSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. A malicious host OS can invoke an Insyde SMI handler with malformed arguments, resulting in memory corruption in SMM.

Products Affected

Vendor Product Version
insyde insydeh2o 05.53.01
insyde insydeh2o 05.28.03
insyde insydeh2o 05.0a.11
insyde insydeh2o 05.37.03
insyde insydeh2o 05.45.01
insyde insydeh2o 05.18.03
CVE-2023-22613

An issue was discovered in IhisiSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. It is possible to write to an attacker-controlled address. An attacker could invoke an SMI handler with a malformed pointer in RCX that overlaps SMRAM, resulting in SMM memory corruption.

Products Affected

Vendor Product Version
insyde insydeh2o 05.36.37
insyde insydeh2o 05.44.45
insyde insydeh2o 05.52.45
insyde insydeh2o 05.27.37
CVE-2023-22614

An issue was discovered in ChipsetSvcSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. There is insufficient input validation in BIOS Guard updates. An attacker can induce memory corruption in SMM by supplying malformed inputs to the BIOS Guard SMI handler.

Products Affected

Vendor Product Version
insyde insydeh2o 05.43.12.0056
insyde insydeh2o 05.42.52.0026
insyde insydeh2o 05.43.01.0026
insyde insydeh2o 05.44.34.0054
insyde insydeh2o 05.44.45.0015
insyde insydeh2o 05.44.45.0028
CVE-2023-22615

An issue was discovered in IhisiSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. IHISI subfunction execution may corrupt SMRAM. An attacker can pass an address in the RCX save state register that overlaps SMRAM, thereby coercing an IHISI subfunction handler to overwrite private SMRAM.

Products Affected

Vendor Product Version
insyde insydeh2o 05.53.01
insyde insydeh2o 05.37.03
insyde insydeh2o 05.45.01
CVE-2023-22616

An issue was discovered in Insyde InsydeH2O with kernel 5.2 through 5.5. The Save State register is not checked before use. The IhisiSmm driver does not check the value of a save state register before use. Due to insufficient input validation, an attacker can corrupt SMRAM.

Products Affected

Vendor Product Version
insyde insydeh2o *
CVE-2023-25600

An issue was discovered in InsydeH2O. A malicious operating system can tamper with a runtime-writable EFI variable, leading to out-of-bounds memory reads and a denial of service. This is fixed in version 01.01.04.0016.

Products Affected

Vendor Product Version
insyde insydecrpkg *
CVE-2023-27373

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. Due to insufficient input validation, an attacker can tamper with a runtime-accessible EFI variable to cause a dynamic BAR setting to overlap SMRAM.

Products Affected

Vendor Product Version
insyde insydeh2o 5.3
insyde insydeh2o 5.0
insyde insydeh2o 5.5
insyde insydeh2o 5.1
insyde insydeh2o 5.2
insyde insydeh2o 5.4
CVE-2023-27471

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. UEFI implementations do not correctly protect and validate information contained in the 'MeSetup' UEFI variable. On some systems, this variable can be overwritten using operating system APIs. Exploitation of this vulnerability could potentially lead to denial of service for the platform.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

Products Affected

Vendor Product Version
insyde insydeh2o 5.3
insyde insydeh2o 5.0
insyde insydeh2o 5.5
insyde insydeh2o 5.1
insyde insydeh2o 5.2
insyde insydeh2o 5.4
CVE-2023-28468

An issue was discovered in FvbServicesRuntimeDxe in Insyde InsydeH2O with kernel 5.0 through 5.5. The FvbServicesRuntimeDxe SMM module exposes an SMI handler that allows an attacker to interact with the SPI flash at run-time from the OS.

Products Affected

Vendor Product Version
insyde kernel *
CVE-2023-30633

An issue was discovered in TrEEConfigDriver in Insyde InsydeH2O with kernel 5.0 through 5.5. It can report false TPM PCR values, and thus mask malware activity. Devices use Platform Configuration Registers (PCRs) to record information about device and software configuration to ensure that the boot process is secure. (For example, Windows uses these PCR measurements to determine device health.) A vulnerable device can masquerade as a healthy device by extending arbitrary values into Platform Configuration Register (PCR) banks. This requires physical access to a target victim's device, or compromise of user credentials for a device. This issue is similar to CVE-2021-42299 (on Surface Pro devices).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N 0.9 4.0

Products Affected

Vendor Product Version
insyde insydeh2o 5.2
insyde insydeh2o *
CVE-2023-31041

An issue was discovered in SysPasswordDxe in Insyde InsydeH2O with kernel 5.0 through 5.5. System password information could optionally be stored in cleartext, which might lead to possible information disclosure.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
insyde insydeh2o 5.3
insyde insydeh2o 5.0
insyde insydeh2o 5.5
insyde insydeh2o 5.1
insyde insydeh2o 5.2
insyde insydeh2o 5.4
CVE-2023-34195

An issue was discovered in SystemFirmwareManagementRuntimeDxe in Insyde InsydeH2O with kernel 5.0 through 5.5. The implementation of the GetImage method retrieves the value of a runtime variable named GetImageProgress, and later uses this value as a function pointer. This variable is wiped out by the same module near the end of the function. By setting this UEFI variable from the OS to point into custom code, an attacker could achieve arbitrary code execution in the DXE phase, before several chipset locks are set.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
insyde insydeh2o *
CVE-2023-39281

A stack buffer overflow vulnerability discovered in AsfSecureBootDxe in Insyde InsydeH2O with kernel 5.0 through 5.5 allows attackers to run arbitrary code execution during the DXE phase.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
insyde insydeh2o 05.53.23.0011
insyde insydeh2o 05.45.24.0039
insyde insydeh2o 05.45.38.0005
insyde insydeh2o 05.44.34.0055
insyde insydeh2o 05.42.37.0031
insyde insydeh2o 05.53.23.0014
insyde insydeh2o 05.53.28.0013
insyde insydeh2o 05.44.45.0017
insyde insydeh2o 05.43.06.0021
insyde insydeh2o 05.44.30.0022
insyde insydeh2o 05.53.22.0008
CVE-2023-39283

An SMM memory corruption vulnerability in the SMM driver (SMRAM write) in CsmInt10HookSmm in Insyde InsydeH2O with kernel 5.0 through 5.5 allows attackers to send arbitrary data to SMM which could lead to privilege escalation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
insyde insydeh2o 5.5.05.53.22
insyde insydeh2o 5.6.05.60.22
insyde insydeh2o 5.6
insyde insydeh2o *
CVE-2023-39284

An issue was discovered in IhisiServicesSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. There are arbitrary calls to SetVariable with unsanitized arguments in the SMI handler.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N 1.8 3.6

Products Affected

Vendor Product Version
insyde insydeh2o *
CVE-2023-40238

A LogoFAIL issue was discovered in BmpDecoderDxe in Insyde InsydeH2O with kernel 5.2 before 05.28.47, 5.3 before 05.37.47, 5.4 before 05.45.47, 5.5 before 05.53.47, and 5.6 before 05.60.47 for certain Lenovo devices. Image parsing of crafted BMP logo files can copy data to a specific address during the DXE phase of UEFI execution. This occurs because of an integer signedness error involving PixelHeight and PixelWidth during RLE4/RLE8 compression.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6

Products Affected

Vendor Product Version
fujitsu primequest_4400e_firmware *
fujitsu celsius_w5010_firmware *
fujitsu primergy_tx1310_m3_firmware *
fujitsu lifebook_u749_firmware *
fujitsu esprimo_d9012_firmware *
fujitsu primergy_rx2540_m4_firmware *
fujitsu lifebook_u5313x_firmware *
fujitsu lifebook_u9310x_firmware *
fujitsu stylistic_q7312_firmware *
fujitsu primergy_cx2560_m5_firmware *
fujitsu lifebook_u729x_firmware *
fujitsu primergy_rx4770_m6_firmware *
fujitsu lifebook_u7613_firmware *
fujitsu esprimo_d9010_firmware *
fujitsu lifebook_u7312_firmware *
fujitsu lifebook_e549_firmware *
fujitsu stylistic_q7311_firmware *
fujitsu esprimo_p9910_firmware *
fujitsu esprimo_q7010_firmware *
fujitsu celsius_c780_firmware *
fujitsu primergy_tx1330_m3_firmware *
fujitsu esprimo_q957_firmware *
fujitsu esprimo_k558/24_firmware *
fujitsu esprimo_p6012_firmware *
fujitsu esprimo_k557/24_firmware *
fujitsu primergy_rx1440_m2_firmware *
fujitsu celsius_w570_firmware *
fujitsu lifebook_u7512_firmware *
fujitsu primergy_cx2570_m4_firmware *
fujitsu celsius_w570power_firmware *
fujitsu primequest_3800b_firmware *
fujitsu primergy_bx2560_m2_firmware *
fujitsu lifebook_e5411_firmware *
fujitsu esprimo_k5010/24_firmware *
fujitsu primergy_gx2460_m1_firmware *
fujitsu primergy_bx2580_m2_firmware *
fujitsu primergy_rx1330_m5_firmware *
fujitsu lifebook_e746_firmware -
fujitsu esprimo_p957_firmware *
fujitsu lifebook_u7412_firmware *
fujitsu celsius_w570power+_firmware *
fujitsu esprimo_p9012_firmware *
fujitsu lifebook_e5511_firmware *
fujitsu lifebook_u7313_firmware *
fujitsu lifebook_u9310_firmware *
fujitsu primergy_tx1330_m4_firmware *
fujitsu celsius_w5011_firmware *
fujitsu lifebook_e746_vpro_firmware -
fujitsu lifebook_u759_firmware *
fujitsu esprimo_g9013_firmware *
fujitsu primergy_rx2530_m6_firmware *
fujitsu lifebook_u729_firmware *
fujitsu esprimo_p958_firmware *
fujitsu primequest_3800e2_firmware *
fujitsu celsius_m7010power_firmware *
fujitsu primergy_rx4770_m5_firmware *
fujitsu lifebook_e5413_firmware *
fujitsu lifebook_e5412/mtc_firmware *
fujitsu esprimo_d738_firmware *
fujitsu primergy_rx4770_m4_firmware *
fujitsu esprimo_d9011_firmware *
fujitsu celsius_w5010/l_firmware *
fujitsu celsius_w5012_firmware *
fujitsu celsius_m7010xpower_firmware *
fujitsu primergy_rx2530_m5_firmware *
fujitsu celsius_j580_firmware *
fujitsu celsius_r970_firmware *
fujitsu esprimo_p7013_firmware *
fujitsu primergy_tx2550_m5_firmware *
fujitsu lifebook_e736_vpro_firmware -
fujitsu lifebook_u939x_firmware *
fujitsu celsius_h7613_firmware *
fujitsu esprimo_g558_firmware *
fujitsu celsius_r970bpower_firmware *
fujitsu lifebook_u9312_firmware *
fujitsu celsius_m7010_firmware *
fujitsu esprimo_g9012_firmware *
fujitsu lifebook_t939_firmware *
fujitsu primergy_rx2520_m4_firmware *
fujitsu celsius_r970b_firmware *
fujitsu lifebook_u9313x_firmware *
fujitsu celsius_w580power_firmware *
fujitsu primergy_tx1330_m5_firmware *
fujitsu esprimo_d7011_firmware *
fujitsu celsius_m7010x_firmware *
fujitsu esprimo_p557_firmware *
fujitsu esprimo_p7011_firmware *
fujitsu primergy_cx2560_m7_firmware *
fujitsu primergy_rx1330_m3_firmware *
fujitsu esprimo_d957_firmware *
fujitsu esprimo_p9013_firmware *
fujitsu lifebook_u7413_firmware *
fujitsu esprimo_d757_firmware *
fujitsu primequest_3800b2_firmware *
fujitsu esprimo_d957/e9x+_firmware *
fujitsu lifebook_e4511_firmware *
fujitsu celsius_h5511_firmware *
fujitsu primergy_tx1320_m5_firmware *
fujitsu esprimo_p5010_firmware *
fujitsu lifebook_u939_firmware *
fujitsu esprimo_q958/mre_firmware *
fujitsu stylistic_q739_firmware *
fujitsu primergy_rx2450_m1_firmware *
fujitsu lifebook_u7410_firmware *
fujitsu esprimo_q957/mre_firmware *
fujitsu celsius_h980_firmware -
fujitsu esprimo_q556/2_firmware *
fujitsu celsius_h7510_firmware *
fujitsu esprimo_g6012_firmware *
fujitsu stylistic_q7310_firmware *
fujitsu celsius_j5010_firmware *
fujitsu primergy_cx2550_m7_firmware *
fujitsu primergy_cx2570_m5_firmware *
fujitsu esprimo_p5011_firmware *
fujitsu lifebook_e5512_firmware *
fujitsu celsius_j550/2_firmware *
fujitsu esprimo_d7010_firmware *
fujitsu esprimo_p758_firmware *
fujitsu primergy_rx2540_m6_firmware *
fujitsu primergy_tx1310_m5_firmware *
fujitsu primergy_cx2550_m5_firmware *
fujitsu esprimo_q556/2/d_firmware *
fujitsu celsius_w580power+_firmware *
fujitsu primergy_tx1320_m4_firmware *
fujitsu primergy_cx2560_m6_firmware *
fujitsu esprimo_q958_firmware *
fujitsu lifebook_u7511_firmware *
fujitsu esprimo_d9013_firmware *
fujitsu stylistic_q5010_firmware *
fujitsu primergy_cx2550_m6_firmware *
fujitsu primergy_rx2530_m7_firmware *
fujitsu primergy_rx2530_m4_firmware *
fujitsu esprimo_g9010_firmware *
fujitsu esprimo_d7013_firmware *
fujitsu stylistic_q509_firmware *
fujitsu esprimo_q558_firmware *
fujitsu primequest_3800e_firmware *
fujitsu primergy_rx8770_m7_firmware *
fujitsu celsius_w5012-ll_firmware *
fujitsu lifebook_e5513_firmware *
fujitsu primergy_cx2560_m4_firmware *
fujitsu lifebook_e559_firmware *
fujitsu lifebook_a3511_firmware -
fujitsu lifebook_u7311_firmware *
fujitsu esprimo_d7012_firmware *
fujitsu lifebook_u7310_firmware *
fujitsu esprimo_p9011_firmware *
fujitsu primergy_tx1320_m3_firmware *
fujitsu celsius_h780_firmware *
fujitsu primergy_gx2560_m7_firmware *
fujitsu lifebook_u7510_firmware *
fujitsu esprimo_d6011_firmware *
fujitsu esprimo_d7010/8_firmware *
fujitsu primergy_rx4770_m3_firmware *
fujitsu esprimo_d556/2_firmware *
fujitsu primergy_cx2550_m4_firmware *
fujitsu lifebook_e5412_firmware *
fujitsu primergy_rx1330_m4_firmware *
fujitsu lifebook_u9413_firmware *
fujitsu lifebook_e736_firmware -
fujitsu esprimo_g5010_firmware *
fujitsu esprimo_d958_firmware *
fujitsu primergy_rx2450_m2_firmware *
fujitsu esprimo_p7010_firmware *
fujitsu esprimo_d6012_firmware *
fujitsu esprimo_p757_firmware *
fujitsu primergy_rx2520_m5_firmware *
insyde insydeh2o *
fujitsu primergy_tx2550_m7_firmware *
fujitsu lifebook_u9312x_firmware *
fujitsu primergy_rx4770_m7_firmware *
fujitsu primergy_rx2540_m5_firmware *
fujitsu esprimo_p958/power_firmware *
fujitsu esprimo_p558/power_firmware *
fujitsu esprimo_p9010_firmware *
fujitsu celsius_w580_firmware *
fujitsu lifebook_e5510_firmware *
fujitsu primergy_rx2540_m7_firmware *
fujitsu lifebook_e4411_firmware *
fujitsu esprimo_g5011_firmware *
fujitsu primergy_tx2550_m4_firmware *
fujitsu lifebook_e5410_firmware *
fujitsu lifebook_u7411_firmware *
fujitsu esprimo_p7012_firmware *
fujitsu lifebook_a3510_firmware *
fujitsu lifebook_u9311_firmware *
fujitsu primergy_gx2570_m6_firmware *
CVE-2023-47252

An issue was discovered in PnpSmm in Insyde InsydeH2O with kernel 5.0 through 5.6. There is a possible out-of-bounds access in the SMM communication buffer, leading to tampering. The PNP-related SMI sub-functions do not verify data size before getting it from the communication buffer, which could lead to possible circumstances where the data immediately following the command buffer could be destroyed with a fixed value. This is fixed in kernel 5.2 v05.28.45, kernel 5.3 v05.37.45, kernel 5.4 v05.45.45, kernel 5.5 v05.53.45, and kernel 5.6 v05.60.45.

Products Affected

Vendor Product Version
insyde kernel *
CVE-2024-25078

A memory corruption vulnerability in StorageSecurityCommandDxe in Insyde InsydeH2O before kernel 5.2: IB19130163 in 05.29.07, kernel 5.3: IB19130163 in 05.38.07, kernel 5.4: IB19130163 in 05.46.07, kernel 5.5: IB19130163 in 05.54.07, and kernel 5.6: IB19130163 in 05.61.07 could lead to escalating privileges in SMM.

Products Affected

Vendor Product Version
insyde kernel *
CVE-2024-25079

A memory corruption vulnerability in HddPassword in Insyde InsydeH2O kernel 5.2 before 05.29.09, kernel 5.3 before 05.38.09, kernel 5.4 before 05.46.09, kernel 5.5 before 05.54.09, and kernel 5.6 before 05.61.09 could lead to escalating privileges in SMM.

Products Affected

Vendor Product Version
insyde insydeh2o *
CVE-2024-49200

An issue was discovered in AcpiS3SaveDxe and ChipsetSvcDxe in Insyde InsydeH2O with kernel 5.2 though 5.7. A potential DXE memory corruption vulnerability has been identified. The root cause is use of a pointer originating from the value of an NVRAM variable as the target of a write operation. This can be leveraged by an attacker to perform arbitrary writes, potentially leading to arbitrary code execution. The issue has been fixed in kernel 5.2, Version 05.29.44; kernel 5.3, Version 05.38.44; kernel 5.4, Version 05.46.44; kernel 5.5, Version 05.54.44; kernel 5.6, Version 05.61.44; and kernel 5.7, Version 05.70.44.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 6.4 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N 1.2 5.2

Products Affected

Vendor Product Version
insyde kernel 5.5
insyde kernel 5.3
insyde kernel 5.4
insyde kernel 5.6
insyde kernel 5.2
insyde kernel 5.7
CVE-2024-52877

An issue was discovered in Insyde InsydeH2O kernel 5.2 before version 05.29.50, kernel 5.3 before version 05.38.50, kernel 5.4 before version 05.46.50, kernel 5.5 before version 05.54.50, kernel 5.6 before version 05.61.50, and kernel 5.7 before version 05.70.50. In VariableRuntimeDxe driver, callback function SmmCreateVariableLockList () calls CreateVariableLockListInSmm (). In CreateVariableLockListInSmm (), it uses StrSize () to get variable name size and it could lead to a buffer over-read.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
insyde insydeh2o *
CVE-2024-52878

An issue was discovered in Insyde InsydeH2O kernel 5.2 before version 05.29.50, kernel 5.3 before version 05.38.50, kernel 5.4 before version 05.46.50, kernel 5.5 before version 05.54.50, kernel 5.6 before version 05.61.50, and kernel 5.7 before version 05.70.50. In VariableRuntimeDxe driver, VariableServicesSetVariable () can be called by gRT_>SetVariable () or the SmmSetSensitiveVariable () or SmmInternalSetVariable () from SMM. In VariableServicesSetVariable (), it uses StrSize () to get variable name size, uses StrLen () to get variable name length and uses StrCmp () to compare strings. These actions may cause a buffer over-read.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
insyde insydeh2o *
CVE-2024-52879

An issue was discovered in Insyde InsydeH2O kernel 5.2 before version 05.29.50, kernel 5.3 before version 05.38.50, kernel 5.4 before version 05.46.50, kernel 5.5 before version 05.54.50, kernel 5.6 before version 05.61.50, and kernel 5.7 before version 05.70.50. In VariableRuntimeDxe driver, SmmUpdateVariablePropertySmi () is a SMM callback function and it uses StrCmp () to compare variable names. This action may cause a buffer over-read.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
insyde insydeh2o *
CVE-2024-52880

An issue was discovered in Insyde InsydeH2O kernel 5.2 before version 05.29.50, kernel 5.3 before version 05.38.50, kernel 5.4 before version 05.46.50, kernel 5.5 before version 05.54.50, kernel 5.6 before version 05.61.50, and kernel 5.7 before version 05.70.50. In VariableRuntimeDxe driver, SecureBootHandler uses DataSize and VariableNameSize when determining if the data or name are in the buffer, but these are supplied by the caller and therefore cannot be trusted.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.9 HIGH CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N 1.5 5.8

Products Affected

Vendor Product Version
insyde kernel *
CVE-2024-55567

Improper input validation was discovered in UsbCoreDxe in Insyde InsydeH2O kernel 5.4 before 05.47.01, 5.5 before 05.55.01, 5.6 before 05.62.01, and 5.7 before 05.71.01. The SMM module has an SMM call out vulnerability which can be used to write arbitrary memory inside SMRAM and execute arbitrary code at SMM level.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 7.5 HIGH CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H 0.8 6.0

Products Affected

Vendor Product Version
insyde insydeh2o *