Insyde BIOS V190 does not clear the keyboard buffer after reading the BIOS password during system startup, which allows local administrators or users to read the password directly from physical memory.
CVSS 2.0
Severity: LOW
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insyde_bios | v190 |
Improper access control in the Insyde software tools may allow an authenticated user to potentially enable escalation of privilege, or information disclosure via local access. This is a software vulnerability, not a firmware issue. Affected tools include: H2OFFT version 3.02~5.28, 100.00.00.00~100.00.08.23 and 200.00.00.01~200.00.00.05, H2OOAE before version 200.00.00.02, H2OSDE before version 200.00.00.07, H2OUVE before version 200.00.02.02, H2OPCM before version 100.00.06.00, H2OELV before version 100.00.02.08.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | h2osde | * |
| insyde | h2opcm | * |
| insyde | h2offt | * |
| insyde | h2ooae | * |
| insyde | h2oelv | * |
| insyde | h2ouve | * |
In the kernel in Insyde InsydeH2O 5.x, certain SMM drivers did not correctly validate the CommBuffer and CommBufferSize parameters, allowing callers to corrupt either the firmware or the OS memory. The fixed versions for this issue in the AhciBusDxe, IdeBusDxe, NvmExpressDxe, SdHostDriverDxe, and SdMmcDeviceDxe drivers are 05.16.25, 05.26.25, 05.35.25, 05.43.25, and 05.51.25 (for Kernel 5.1 through 5.5).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.7 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 0.8 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| siemens | simatic_ipc377g_firmware | - |
| siemens | simatic_ipc477e_pro_firmware | - |
| siemens | simatic_ipc427e_firmware | - |
| siemens | simatic_ipc477e_firmware | - |
| siemens | simatic_ipc127e_firmware | - |
| siemens | ruggedcom_apr1808_firmware | - |
| siemens | simatic_itp1000_firmware | - |
| insyde | insydeh2o | * |
| siemens | simatic_field_pg_m6_firmware | - |
| siemens | simatic_field_pg_m5_firmware | - |
| siemens | simatic_ipc677e_firmware | - |
| siemens | simatic_ipc627e_firmware | - |
| siemens | simatic_ipc847e_firmware | - |
| siemens | simatic_ipc277g_firmware | - |
| siemens | simatic_ipc647e_firmware | - |
| siemens | simatic_ipc227g_firmware | - |
| siemens | simatic_ipc327g_firmware | - |
A vulnerability exists in System Management Interrupt (SWSMI) handler of InsydeH2O UEFI Firmware code located in SWSMI handler that dereferences gRT (EFI_RUNTIME_SERVICES) pointer to call a GetVariable service, which is located outside of SMRAM. This can result in code execution in SMM (escalating privilege from ring 0 to ring -2).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H | 0.8 | 6.0 |
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| siemens | simatic_ipc377g_firmware | - |
| siemens | simatic_ipc477e_pro_firmware | - |
| siemens | simatic_ipc427e_firmware | - |
| siemens | simatic_ipc477e_firmware | - |
| siemens | simatic_ipc127e_firmware | - |
| insyde | insydeh2o | 5.23.04.0045 |
| insyde | insydeh2o | 5.42.03.0010 |
| siemens | simatic_itp1000_firmware | - |
| insyde | insydeh2o | 5.12.09.0074 |
| insyde | insydeh2o | 5.33.15.0034 |
| siemens | simatic_field_pg_m6_firmware | - |
| siemens | simatic_field_pg_m5_firmware | - |
| siemens | simatic_ipc677e_firmware | - |
| siemens | simatic_ipc627e_firmware | - |
| siemens | simatic_ipc847e_firmware | - |
| siemens | simatic_ipc277g_firmware | - |
| insyde | insydeh2o | 5.23.45.0023 |
| siemens | simatic_ipc647e_firmware | - |
| siemens | simatic_ipc227g_firmware | - |
| insyde | insydeh2o | 5.34.03.0029 |
| siemens | simatic_ipc327g_firmware | - |
| siemens | ruggedcom_ape1808_firmware | - |
An issue was discovered in Int15MicrocodeSmm in Insyde InsydeH2O before 2021-10-14 on Intel client chipsets. A caller may be able to escalate privileges.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o_uefi_bios | * |
An issue was discovered in SdLegacySmm in Insyde InsydeH2O with kernel 5.1 before 05.15.11, 5.2 before 05.25.11, 5.3 before 05.34.11, and 5.4 before 05.42.11. The software SMI handler allows untrusted external input because it does not verify CommBuffer.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | * |
An issue was discovered in Kernel 5.x in Insyde InsydeH2O, affecting HddPassword. Software SMI services that use the Communicate() function of the EFI_SMM_COMMUNICATION_PROTOCOL do not check whether the address of the buffer is valid, which allows use of SMRAM, MMIO, or OS kernel addresses.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H | 0.8 | 6.0 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| siemens | simatic_ipc377g_firmware | - |
| siemens | simatic_ipc477e_pro_firmware | - |
| siemens | simatic_ipc427e_firmware | - |
| siemens | simatic_ipc477e_firmware | - |
| siemens | simatic_ipc127e_firmware | - |
| netapp | fas/aff_bios | - |
| siemens | simatic_itp1000_firmware | - |
| insyde | insydeh2o | * |
| siemens | simatic_field_pg_m6_firmware | - |
| siemens | simatic_field_pg_m5_firmware | - |
| siemens | simatic_ipc677e_firmware | - |
| siemens | simatic_ipc627e_firmware | - |
| siemens | simatic_ipc847e_firmware | - |
| siemens | simatic_ipc277g_firmware | - |
| siemens | simatic_ipc647e_firmware | - |
| siemens | simatic_ipc227g_firmware | - |
| siemens | simatic_ipc327g_firmware | - |
| siemens | ruggedcom_ape1808_firmware | - |
A vulnerability exists in SMM (System Management Mode) branch that registers a SWSMI handler that does not sufficiently check or validate the allocated buffer pointer(QWORD values for CommBuffer). This can be used by an attacker to corrupt data in SMRAM memory and even lead to arbitrary code execution.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-829,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| siemens | simatic_ipc377g_firmware | - |
| siemens | simatic_ipc477e_pro_firmware | - |
| siemens | simatic_ipc427e_firmware | - |
| siemens | simatic_ipc477e_firmware | - |
| siemens | simatic_ipc127e_firmware | - |
| siemens | ruggedcom_apr1808_firmware | - |
| siemens | simatic_itp1000_firmware | - |
| insyde | insydeh2o | * |
| siemens | simatic_field_pg_m6_firmware | - |
| siemens | simatic_field_pg_m5_firmware | - |
| siemens | simatic_ipc677e_firmware | - |
| siemens | simatic_ipc627e_firmware | - |
| siemens | simatic_ipc847e_firmware | - |
| siemens | simatic_ipc277g_firmware | - |
| siemens | simatic_ipc647e_firmware | - |
| siemens | simatic_ipc227g_firmware | - |
| siemens | simatic_ipc327g_firmware | - |
An issue was discovered in Insyde InsydeH2O Kernel 5.0 before 05.09.11, 5.1 before 05.17.11, 5.2 before 05.27.11, 5.3 before 05.36.11, 5.4 before 05.44.11, and 5.5 before 05.52.11 affecting FwBlockServiceSmm. Software SMI services that use the Communicate() function of the EFI_SMM_COMMUNICATION_PROTOCOL do not check whether the address of the buffer is valid, which allows use of SMRAM, MMIO, or OS kernel addresses.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.2 | HIGH | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | 1.5 | 6.0 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| siemens | simatic_itp1000_firmware | * |
| siemens | simatic_ipc227g_firmware | * |
| siemens | simatic_ipc847e_firmware | * |
| siemens | simatic_field_pg_m5_firmware | * |
| siemens | simatic_ipc477e_firmware | * |
| siemens | simatic_ipc647e_firmware | * |
| siemens | simatic_ipc377g_firmware | * |
| siemens | simatic_ipc627e_firmware | * |
| insyde | insydeh2o | * |
| siemens | simatic_ipc427e_firmware | * |
| siemens | simatic_ipc677e_firmware | * |
| siemens | simatic_field_pg_m6_firmware | * |
| siemens | simatic_ipc277g_firmware | * |
| siemens | simatic_ipc327g_firmware | * |
| siemens | simatic_ipc127e_firmware | * |
An issue was discovered in iscflashx64.sys 3.9.3.0 in Insyde H2OFFT 6.20.00. When handling IOCTL 0x22229a, the input used to allocate a buffer and copy memory is mishandled. This could cause memory corruption or a system crash.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.1 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H | 1.8 | 5.2 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | h2offt | 6.20.00 |
| insyde | iscflashx64.sys | 3.9.3.0 |
NetworkPkg/IScsiDxe has remotely exploitable buffer overflows.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-124,CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | kernel | 5.0 |
| tianocore | edk2 | * |
| insyde | kernel | 5.5 |
| insyde | kernel | 5.3 |
| insyde | kernel | 5.4 |
| insyde | kernel | 5.1 |
| insyde | kernel | 5.2 |
Existing CommBuffer checks in SmmEntryPoint will not catch underflow when computing BufferSize.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-124,CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | kernel | 5.0 |
| tianocore | edk2 | * |
| insyde | kernel | 5.5 |
| insyde | kernel | 5.3 |
| insyde | kernel | 5.4 |
| insyde | kernel | 5.1 |
| insyde | kernel | 5.2 |
An issue was discovered in AhciBusDxe in the kernel 5.0 through 5.5 in Insyde InsydeH2O. Because of an Untrusted Pointer Dereference that causes SMM memory corruption, an attacker may be able to write fixed or predictable data to SMRAM. Exploiting this issue could lead to escalating privileges to SMM.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.2 | HIGH | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | 1.5 | 6.0 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| siemens | simatic_itp1000_firmware | * |
| siemens | simatic_ipc227g_firmware | * |
| siemens | simatic_ipc847e_firmware | * |
| siemens | simatic_field_pg_m5_firmware | * |
| siemens | simatic_ipc477e_firmware | * |
| siemens | simatic_ipc647e_firmware | * |
| siemens | simatic_ipc377g_firmware | * |
| siemens | simatic_ipc627e_firmware | * |
| insyde | insydeh2o | * |
| siemens | simatic_ipc427e_firmware | * |
| siemens | simatic_ipc677e_firmware | * |
| siemens | simatic_field_pg_m6_firmware | * |
| siemens | simatic_ipc277g_firmware | * |
| siemens | simatic_ipc327g_firmware | * |
| siemens | simatic_ipc127e_firmware | * |
An issue was discovered in SdHostDriver in the kernel 5.0 through 5.5 in Insyde InsydeH2O. There is an SMM callout that allows an attacker to access the System Management Mode and execute arbitrary code. This occurs because of a Numeric Range Comparison Without a Minimum Check.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.2 | HIGH | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | 1.5 | 6.0 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| siemens | simatic_itp1000_firmware | * |
| siemens | simatic_ipc227g_firmware | * |
| siemens | simatic_ipc847e_firmware | * |
| siemens | simatic_field_pg_m5_firmware | * |
| siemens | simatic_ipc477e_firmware | * |
| siemens | simatic_ipc647e_firmware | * |
| siemens | simatic_ipc377g_firmware | * |
| siemens | simatic_ipc627e_firmware | * |
| insyde | insydeh2o | * |
| siemens | simatic_ipc427e_firmware | * |
| siemens | simatic_ipc677e_firmware | * |
| siemens | simatic_field_pg_m6_firmware | * |
| siemens | simatic_ipc277g_firmware | * |
| siemens | simatic_ipc327g_firmware | * |
| siemens | simatic_ipc127e_firmware | * |
An issue was discovered in NvmExpressDxe in the kernel 5.0 through 5.5 in Insyde InsydeH2O. Because of an Untrusted Pointer Dereference that causes SMM memory corruption, an attacker may be able to write fixed or predictable data to SMRAM. Exploiting this issue could lead to escalating privileges to SMM.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.2 | HIGH | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | 1.5 | 6.0 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | * |
An issue was discovered in NvmExpressDxe in the kernel 5.0 through 5.5 in Insyde InsydeH2O. There is an SMM callout that allows an attacker to access the System Management Mode and execute arbitrary code. This occurs because of Inclusion of Functionality from an Untrusted Control Sphere.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.2 | HIGH | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | 1.5 | 6.0 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-770,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | * |
An issue was discovered in AhciBusDxe in the kernel 5.0 through 5.5 in Insyde InsydeH2O. There is an SMM callout that allows an attacker to access the System Management Mode and execute arbitrary code. This occurs because of Inclusion of Functionality from an Untrusted Control Sphere.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.2 | HIGH | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | 1.5 | 6.0 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-829,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | * |
An issue was discovered in AtaLegacySmm in the kernel 5.0 before 05.08.46, 5.1 before 05.16.46, 5.2 before 05.26.46, 5.3 before 05.35.46, 5.4 before 05.43.46, and 5.5 before 05.51.45 in Insyde InsydeH2O. Code execution can occur because the SMI handler lacks a CommBuffer check.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | * |
An issue was discovered in Insyde InsydeH2O Kernel 5.0 before 05.08.41, Kernel 5.1 before 05.16.41, Kernel 5.2 before 05.26.41, Kernel 5.3 before 05.35.41, and Kernel 5.4 before 05.42.20. A stack-based buffer overflow leads toarbitrary code execution in UEFI DisplayTypeDxe DXE driver.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.7 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 0.8 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| siemens | simatic_itp1000_firmware | * |
| siemens | simatic_ipc227g_firmware | * |
| siemens | simatic_ipc847e_firmware | * |
| siemens | simatic_field_pg_m5_firmware | * |
| siemens | simatic_ipc477e_firmware | * |
| siemens | simatic_ipc647e_firmware | * |
| siemens | simatic_ipc377g_firmware | * |
| siemens | simatic_ipc627e_firmware | * |
| insyde | insydeh2o | * |
| siemens | simatic_ipc427e_firmware | * |
| siemens | simatic_ipc677e_firmware | * |
| siemens | simatic_field_pg_m6_firmware | * |
| siemens | simatic_ipc277g_firmware | * |
| siemens | simatic_ipc327g_firmware | * |
| siemens | simatic_ipc127e_firmware | * |
An issue was discovered in Insyde InsydeH2O Kernel 5.0 through 05.08.41, Kernel 5.1 through 05.16.41, Kernel 5.2 before 05.23.22, and Kernel 5.3 before 05.32.22. An Int15ServiceSmm SMM callout vulnerability allows an attacker to hijack execution flow of code running in System Management Mode. Exploiting this issue could lead to escalating privileges to SMM.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.2 | HIGH | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | 1.5 | 6.0 |
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | * |
An issue was discovered in StorageSecurityCommandDxe in Insyde InsydeH2O with Kernel 5.1 before 05.14.28, Kernel 5.2 before 05.24.28, and Kernel 5.3 before 05.32.25. An SMM callout vulnerability allows an attacker to hijack execution flow of code running in System Management Mode. Exploiting this issue could lead to escalating privileges to SMM.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.2 | HIGH | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | 1.5 | 6.0 |
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | * |
An issue was discovered in Insyde InsydeH2O with Kernel 5.0 before 05.08.42, Kernel 5.1 before 05.16.42, Kernel 5.2 before 05.26.42, Kernel 5.3 before 05.35.42, Kernel 5.4 before 05.42.51, and Kernel 5.5 before 05.50.51. An SMM memory corruption vulnerability in FvbServicesRuntimeDxe allows a possible attacker to write fixed or predictable data to SMRAM. Exploiting this issue could lead to escalating privileges to SMM.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.2 | HIGH | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | 1.5 | 6.0 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| siemens | simatic_itp1000_firmware | * |
| siemens | simatic_ipc227g_firmware | * |
| siemens | simatic_ipc847e_firmware | * |
| siemens | simatic_field_pg_m5_firmware | * |
| siemens | simatic_ipc477e_firmware | * |
| siemens | simatic_ipc647e_firmware | * |
| siemens | simatic_ipc377g_firmware | * |
| siemens | simatic_ipc627e_firmware | * |
| insyde | insydeh2o | * |
| siemens | simatic_ipc427e_firmware | * |
| siemens | simatic_ipc677e_firmware | * |
| siemens | simatic_field_pg_m6_firmware | * |
| siemens | simatic_ipc277g_firmware | * |
| siemens | simatic_ipc327g_firmware | * |
| siemens | ruggedcom_ape1808_firmware | * |
| siemens | simatic_ipc127e_firmware | * |
An issue was discovered in UsbCoreDxe in Insyde InsydeH2O with kernel 5.5 before 05.51.45, 5.4 before 05.43.45, 5.3 before 05.35.45, 5.2 before 05.26.45, 5.1 before 05.16.45, and 5.0 before 05.08.45. An SMM callout vulnerability allows an attacker to hijack execution flow of code running in System Management Mode. Exploiting this issue could lead to escalating privileges to SMM.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.2 | HIGH | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | 1.5 | 6.0 |
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | * |
An issue was discovered in Insyde InsydeH2O with kernel 5.1 through 2021-11-08, 5.2 through 2021-11-08, and 5.3 through 2021-11-08. A StorageSecurityCommandDxe SMM memory corruption vulnerability allows an attacker to write fixed or predictable data to SMRAM. Exploiting this issue could lead to escalating privileges to SMM.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H | 0.8 | 6.0 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | * |
An issue was discovered in HddPassword in Insyde InsydeH2O with kernel 5.1 before 05.16.23, 5.2 before 05.26.23, 5.3 before 05.35.23, 5.4 before 05.43.22, and 5.5 before 05.51.22. An SMM memory corruption vulnerability allows an attacker to write fixed or predictable data to SMRAM. Exploiting this issue could lead to escalating privileges to SMM.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.2 | HIGH | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | 1.5 | 6.0 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | * |
An issue was discovered in AhciBusDxe in Insyde InsydeH2O with kernel 5.1 before 05.16.25, 5.2 before 05.26.25, 5.3 before 05.35.25, 5.4 before 05.43.25, and 5.5 before 05.51.25. A vulnerability exists in the SMM (System Management Mode) branch that registers a SWSMI handler that does not sufficiently check or validate the allocated buffer pointer (the CommBuffer+8 location).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.2 | HIGH | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | 1.5 | 6.0 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | * |
An issue was discovered in IdeBusDxe in Insyde InsydeH2O with kernel 5.1 before 05.16.25, 5.2 before 05.26.25, 5.3 before 05.35.25, 5.4 before 05.43.25, and 5.5 before 05.51.25. A vulnerability exists in the SMM (System Management Mode) branch that registers a SWSMI handler that does not sufficiently check or validate the allocated buffer pointer (the status code saved at the CommBuffer+4 location).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.2 | HIGH | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | 1.5 | 6.0 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | * |
An issue was discovered in SdHostDriver in Insyde InsydeH2O with kernel 5.1 before 05.16.25, 5.2 before 05.26.25, 5.3 before 05.35.25, 5.4 before 05.43.25, and 5.5 before 05.51.25. A vulnerability exists in the SMM (System Management Mode) branch that registers a SWSMI handler that does not sufficiently check or validate the allocated buffer pointer (CommBufferData).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.2 | HIGH | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | 1.5 | 6.0 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | * |
An issue was discovered in AhciBusDxe in Insyde InsydeH2O with kernel 5.1 through 5.5. An SMM memory corruption vulnerability allows an attacker to write fixed or predictable data to SMRAM. Exploiting this issue could lead to escalating privileges to SMM.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H | 0.8 | 6.0 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | * |
An issue was discovered in NvmExpressDxe in Insyde InsydeH2O with kernel 5.1 through 5.5. An SMM memory corruption vulnerability allows an attacker to write fixed or predictable data to SMRAM. Exploiting this issue could lead to escalating privileges to SMM.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.2 | HIGH | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | 1.5 | 6.0 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | * |
An issue was discovered in AhciBusDxe in Insyde InsydeH2O with kernel 5.0 before 05.08.41, 5.1 before 05.16.29, 5.2 before 05.26.29, 5.3 before 05.35.29, 5.4 before 05.43.29, and 5.5 before 05.51.29. An SMM callout vulnerability allows an attacker to hijack the execution flow of code running in System Management Mode. Exploiting this issue could lead to escalating privileges to SMM.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.2 | HIGH | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | 1.5 | 6.0 |
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | * |
An issue was discovered in IhisiSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. IHISI function 0x17 verifies that the output buffer lies within the command buffer but does not verify that output data does not go beyond the end of the command buffer. In particular, the GetFlashTable function is called directly on the Command Buffer before the DataSize is check, leading to possible circumstances where the data immediately following the command buffer could be destroyed before returning a buffer size error.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | * |
TOCTOU race-condition vulnerability in Insyde InsydeH2O with Kernel 5.2 before version 05.27.29, Kernel 5.3 before version 05.36.29, Kernel 5.4 version before 05.44.13, and Kernel 5.5 before version 05.52.13 allows an attacker to alter data and code used by the remainder of the boot process.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 4.7 | MEDIUM | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N | 1.0 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | * |
In UsbCoreDxe, untrusted input may allow SMRAM or OS memory tampering Use of untrusted pointers could allow OS or SMRAM memory tampering leading to escalation of privileges. This issue was discovered by Insyde during security review. It was fixed in: Kernel 5.0: version 05.09.21 Kernel 5.1: version 05.17.21 Kernel 5.2: version 05.27.21 Kernel 5.3: version 05.36.21 Kernel 5.4: version 05.44.21 Kernel 5.5: version 05.52.21 https://www.insyde.com/security-pledge/SA-2022058
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | kernel | * |
SMI functions in AhciBusDxe use untrusted inputs leading to corruption of SMRAM. SMI functions in AhciBusDxe use untrusted inputs leading to corruption of SMRAM. This issue was discovered by Insyde during security review. It was fixed in: Kernel 5.0: version 05.09.18 Kernel 5.1: version 05.17.18 Kernel 5.2: version 05.27.18 Kernel 5.3: version 05.36.18 Kernel 5.4: version 05.44.18 Kernel 5.5: version 05.52.18 https://www.insyde.com/security-pledge/SA-2022059
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | kernel | * |
Incorrect pointer checks within the NvmExpressDxe driver can allow tampering with SMRAM and OS memory Incorrect pointer checks within the NvmExpressDxe driver can allow tampering with SMRAM and OS memory. This issue was discovered by Insyde during security review. Fixed in: Kernel 5.1: Version 05.17.23 Kernel 5.2: Version 05.27.23 Kernel 5.3: Version 05.36.23 Kernel 5.4: Version 05.44.23 Kernel 5.5: Version 05.52.23 https://www.insyde.com/security-pledge/SA-2022061
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | kernel | * |
Use of a untrusted pointer allows tampering with SMRAM and OS memory in SdHostDriver and SdMmcDevice Use of a untrusted pointer allows tampering with SMRAM and OS memory in SdHostDriver and SdMmcDevice. This issue was discovered by Insyde during security review. It was fixed in: Kernel 5.0: version 05.09.17 Kernel 5.1: version 05.17.17 Kernel 5.2: version 05.27.17 Kernel 5.3: version 05.36.17 Kernel 5.4: version 05.44.17 Kernel 5.5: version 05.52.17 https://www.insyde.com/security-pledge/SA-2022062
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | kernel | * |
In UsbCoreDxe, tampering with the contents of the USB working buffer using DMA while certain USB transactions are in process leads to a TOCTOU problem that could be used by an attacker to cause SMRAM corruption and escalation of privileges The UsbCoreDxe module creates a working buffer for USB transactions outside of SMRAM. The code which uses can be inside of SMM, making the working buffer untrusted input. The buffer can be corrupted by DMA transfers. The SMM code code attempts to sanitize pointers to ensure all pointers refer to the working buffer, but when a pointer is not found in the list of pointers to sanitize, the current action is not aborted, leading to undefined behavior. This issue was discovered by Insyde engineering based on the general description provided by Intel's iSTARE group. Fixed in: Kernel 5.0: Version 05.09. 21 Kernel 5.1: Version 05.17.21 Kernel 5.2: Version 05.27.21 Kernel 5.3: Version 05.36.21 Kernel 5.4: Version 05.44.21 Kernel 5.5: Version 05.52.21 https://www.insyde.com/security-pledge/SA-2022063
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | kernel | * |
Initialization function in PnpSmm could lead to SMRAM corruption when using subsequent PNP SMI functions Initialization function in PnpSmm could lead to SMRAM corruption when using subsequent PNP SMI functions. This issue was discovered by Insyde engineering during a security review. Fixed in: Kernel 5.1: Version 05.17.25 Kernel 5.2: Version 05.27.25 Kernel 5.3: Version 05.36.25 Kernel 5.4: Version 05.44.25 Kernel 5.5: Version 05.52.25 https://www.insyde.com/security-pledge/SA-2022064
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | kernel | * |
Manipulation of the input address in PnpSmm function 0x52 could be used by malware to overwrite SMRAM or OS kernel memory. Function 0x52 of the PnpSmm driver is passed the address and size of data to write into the SMBIOS table, but manipulation of the address could be used by malware to overwrite SMRAM or OS kernel memory. This issue was discovered by Insyde engineering during a security review. This issue is fixed in: Kernel 5.0: 05.09.41 Kernel 5.1: 05.17.43 Kernel 5.2: 05.27.30 Kernel 5.3: 05.36.30 Kernel 5.4: 05.44.30 Kernel 5.5: 05.52.30 https://www.insyde.com/security-pledge/SA-2022065
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | kernel | * |
DMA attacks on the parameter buffer used by the IhisiSmm driver could change the contents after parameter values have been checked but before they are used (a TOCTOU attack). DMA attacks on the parameter buffer used by the IhisiSmm driver could change the contents after parameter values have been checked but before they are used (a TOCTOU attack). This issue was discovered by Insyde engineering. This issue is fixed in Kernel 5.4: 05.44.23 and Kernel 5.5: 05.52.23. CWE-367
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | kernel | * |
DMA attacks on the parameter buffer used by the PnpSmm driver could change the contents after parameter values have been checked but before they are used (a TOCTOU attack) DMA attacks on the parameter buffer used by the PnpSmm driver could change the contents after parameter values have been checked but before they are used (a TOCTOU attack) . This issue was discovered by Insyde engineering during a security review. This iss was fixed in Kernel 5.2: 05.27.29, Kernel 5.3: 05.36.25, Kernel 5.4: 05.44.25, Kernel 5.5: 05.52.25. CWE-367 https://www.insyde.com/security-pledge/SA-2022043
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.4 | MEDIUM | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H | 0.5 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | kernel | * |
Update description and links DMA transactions which are targeted at input buffers used for the software SMI handler used by the FvbServicesRuntimeDxe driver could cause SMRAM corruption through a TOCTOU attack.. "DMA transactions which are targeted at input buffers used for the software SMI handler used by the FvbServicesRuntimeDxe driver could cause SMRAM corruption. This issue was discovered by Insyde engineering based on the general description provided by Intel's iSTARE group. Fixed in Kernel 5.2: 05.27.21. Kernel 5.3: 05.36.21. Kernel 5.4: 05.44.21. Kernel 5.5: 05.52.21 https://www.insyde.com/security-pledge/SA-2022044
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.4 | MEDIUM | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H | 0.5 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | kernel | * |
DMA attacks on the parameter buffer used by a software SMI handler used by the driver PcdSmmDxe could lead to a TOCTOU attack on the SMI handler and lead to corruption of other ACPI fields and adjacent memory fields. DMA attacks on the parameter buffer used by a software SMI handler used by the driver PcdSmmDxe could lead to a TOCTOU attack on the SMI handler and lead to corruption of other ACPI fields and adjacent memory fields. The attack would require detailed knowledge of the PCD database contents on the current platform. This issue was discovered by Insyde engineering during a security review. This issue is fixed in Kernel 5.3: 05.36.23, Kernel 5.4: 05.44.23, Kernel 5.5: 05.52.23. Kernel 5.2 is unaffected. CWE-787 An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the parameter buffer that is used by a software SMI handler (used by the PcdSmmDxe driver) could lead to a TOCTOU race-condition attack on the SMI handler, and lead to corruption of other ACPI fields and adjacent memory fields. The attack would require detailed knowledge of the PCD database contents on the current platform.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | kernel | * |
DMA transactions which are targeted at input buffers used for the SmmResourceCheckDxe software SMI handler cause SMRAM corruption (a TOCTOU attack) DMA transactions which are targeted at input buffers used for the software SMI handler used by the SmmResourceCheckDxe driver could cause SMRAM corruption through a TOCTOU attack... This issue was discovered by Insyde engineering. Fixed in kernel Kernel 5.2: 05.27.23. Kernel 5.3: 05.36.23. Kernel 5.4: 05.44.23. Kernel 5.5: 05.52.23 https://www.insyde.com/security-pledge/SA-2022046
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | kernel | * |
An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the PnpSmm shared buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the firmware block services data to SMRAM before checking it.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.0 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.0 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | * |
An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the FwBlockServiceSmm shared buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the firmware block services data to SMRAM before checking it.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.0 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.0 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | * |
An issue was discovered in IhisiSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. The IhisiDxe driver uses the command buffer to pass input and output data. By modifying the command buffer contents with DMA after the input parameters have been checked but before they are used, the IHISI SMM code may be convinced to modify SMRAM or OS, leading to possible data corruption or escalation of privileges.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.0 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.0 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | * |
An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the HddPassword shared buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the firmware block services data to SMRAM before checking it.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.0 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.0 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | * |
An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the StorageSecurityCommandDxe shared buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the firmware block services data to SMRAM before checking it.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.0 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.0 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | * |
An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the VariableRuntimeDxe shared buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This issue was fixed in the kernel, which also protected chipset and OEM chipset code.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.0 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.0 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | * |
An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the AhciBusDxe shared buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the firmware block services data to SMRAM before checking it.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.0 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.0 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | * |
An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the FvbServicesRuntimeDxe shared buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the firmware block services data to SMRAM before checking it.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.0 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.0 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | * |
An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the IdeBusDxe shared buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the firmware block services data to SMRAM before checking it.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.0 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.0 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | * |
An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the SdHostDriver buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated by using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the link data to SMRAM before checking it and verifying that all pointers are within the buffer.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.0 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.0 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | * |
An issue was discovered in Insyde InsydeH2O with kernel 5.1 through 5.5. DMA attacks on the SdMmcDevice buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated by using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the link data to SMRAM before checking it and verifying that all pointers are within the buffer.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.0 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.0 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | * |
An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the NvmExpressDxe buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated by using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the link data to SMRAM before checking it and verifying that all pointers are within the buffer.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.0 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.0 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | * |
DMA transactions which are targeted at input buffers used for the AhciBusDxe software SMI handler could cause SMRAM corruption (a TOCTOU attack). DMA transactions which are targeted at input buffers used for the software SMI handler used by the AhciBusDxe driver could cause SMRAM corruption through a TOCTOU attack. This issue was discovered by Insyde engineering based on the general description provided by Intel's iSTARE group, Fixed in kernel 5.2: 05.27.23, kernel 5.3: 05.36.23, kernel 5.4: 05.44.23, kernel 5.5: 05.52.23 https://www.insyde.com/security-pledge/SA-2022047
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | kernel | * |
DMA transactions which are targeted at input buffers used for the FwBlockServiceSmm software SMI handler could cause SMRAM corruption through a TOCTOU attack. DMA transactions which are targeted at input buffers used for the software SMI handler used by the FwBlockServiceSmm driver could cause SMRAM corruption through a TOCTOU attack. This issue was discovered by Insyde engineering based on the general description provided by Intel's iSTARE group. Fixed in kernel 5.2: 05.27.23, 5.3: 05.36.23, 5.4: 05.44.23, 5.5: 05.52.23 https://www.insyde.com/security-pledge/SA-2022048
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.4 | MEDIUM | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H | 0.5 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | kernel | * |
DMA transactions which are targeted at input buffers used for the software SMI handler used by the IdeBusDxe driver could cause SMRAM corruption through a TOCTOU attack... DMA transactions which are targeted at input buffers used for the software SMI handler used by the IdeBusDxe driver could cause SMRAM corruption through a TOCTOU attack. This issue was discovered by Insyde engineering based on the general description provided by Intel's iSTARE group. Fixed in kernel 5.2: 05.27.25, kernel 5.3: 05.36.25, kernel 5.4: 05.44.25 https://www.insyde.com/security-pledge/SA-2022049
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.4 | MEDIUM | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H | 0.5 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | kernel | * |
DMA transactions which are targeted at input buffers used for the SdHostDriver software SMI handler could cause SMRAM corruption through a TOCTOU attack. DMA transactions which are targeted at input buffers used for the software SMI handler used by the SdHostDriver driver could cause SMRAM corruption through a TOCTOU attack. This issue was discovered by Insyde engineering based on the general description provided by Intel's iSTARE group. Fixed in kernel 5.2: 05.27.25, kernel 5.3: 05.36.25, kernel 5.4: 05.44.25, kernel 5.5: 05.52.25 https://www.insyde.com/security-pledge/SA-2022050
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | kernel | * |
DMA transactions which are targeted at input buffers used for the HddPassword software SMI handler could cause SMRAM corruption through a TOCTOU attack. DMA transactions which are targeted at input buffers used for the software SMI handler used by the HddPassword driver could cause SMRAM corruption through a TOCTOU attack..This issue was discovered by Insyde engineering based on the general description provided by Intel's iSTARE group. Fixed in kernel Kernel 5.2: 05.27.23, Kernel 5.3: 05.36.23, Kernel 5.4: 05.44.23, Kernel 5.5: 05.52.23 https://www.insyde.com/security-pledge/SA-2022051
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | kernel | * |
DMA attacks on the parameter buffer used by the Int15ServiceSmm software SMI handler could lead to a TOCTOU attack on the SMI handler and lead to corruption of SMRAM. DMA attacks on the parameter buffer used by the software SMI handler used by the driver Int15ServiceSmm could lead to a TOCTOU attack on the SMI handler and lead to corruption of SMRAM. This issue was discovered by Insyde engineering during a security review. This issue is fixed in Kernel 5.2: 05.27.23, Kernel 5.3: 05.36.23, Kernel 5.4: 05.44.23 and Kernel 5.5: 05.52.23 CWE-367
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.4 | MEDIUM | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H | 0.5 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | kernel | * |
DMA transactions which are targeted at input buffers used for the NvmExpressLegacy software SMI handler could cause SMRAM corruption through a TOCTOU attack. DMA transactions which are targeted at input buffers used for the software SMI handler used by the NvmExpressLegacy driver could cause SMRAM corruption through a TOCTOU attack. This issue was discovered by Insyde engineering based on the general description provided by Intel's iSTARE group. This issue was fixed in kernel 5.2: 05.27.25, kernel 5.3: 05.36.25, kernel 5.4: 05.44.25, kernel 5.5: 05.52.25 https://www.insyde.com/security-pledge/SA-2022053
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | kernel | * |
DMA transactions which are targeted at input buffers used for the SdMmcDevice software SMI handler could cause SMRAM corruption through a TOCTOU attack. DMA transactions which are targeted at input buffers used for the software SMI handler used by the SdMmcDevice driver could cause SMRAM corruption through a TOCTOU attack. This issue was discovered by Insyde engineering based on the general description provided by Intel's iSTARE group. This was fixed in kernel 5.2: 05.27.25, kernel 5.3: 05.36.25, kernel 5.4: 05.44.25, kernel 5.5: 05.52.25 https://www.insyde.com/security-pledge/SA-2022054
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.0 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.0 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | kernel | * |
DMA transactions which are targeted at input buffers used for the NvmExpressDxe software SMI handler could cause SMRAM corruption through a TOCTOU attack. DMA transactions which are targeted at input buffers used for the software SMI handler used by the NvmExpressDxe driver could cause SMRAM corruption through a TOCTOU attack. This issue was discovered by Insyde engineering based on the general description provided by Intel's iSTARE group. This issue was fixed in kernel 5.2: 05.27.25, kernel 5.3: 05.36.25, kernel 5.4: 05.44.25, kernel 5.5: 05.52.25 https://www.insyde.com/security-pledge/SA-2022055
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | kernel | * |
DMA attacks on the parameter buffer used by the VariableRuntimeDxe software SMI handler could lead to a TOCTOU attack. DMA attacks on the parameter buffer used by the software SMI handler used by the driver VariableRuntimeDxe could lead to a TOCTOU attack on the SMI handler and lead to corruption of SMRAM. This issue was discovered by Insyde engineering during a security review. This issue is fixed in Kernel 5.4: 05.44.23 and Kernel 5.5: 05.52.23. CWE-367 CWE-367 Report at: https://www.insyde.com/security-pledge/SA-2022056
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | kernel | * |
DMA transactions which are targeted at input buffers used for the StorageSecurityCommandDxe software SMI handler could cause SMRAM corruption through a TOCTOU attack. DMA transactions which are targeted at input buffers used for the software SMI handler used by the StorageSecurityCommandDxe driver could cause SMRAM corruption. This issue was discovered by Insyde engineering based on the general description provided by
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | * |
An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. A stack buffer overflow leads to arbitrary code execution in the SetupUtility driver on Intel platforms. An attacker can change the values of certain UEFI variables. If the size of the second variable exceeds the size of the first, then the buffer will be overwritten. This issue affects the SetupUtility driver of InsydeH2O.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | kernel | * |
An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. An SMM callout vulnerability in the SMM driver in UsbLegacyControlSmm leads to possible arbitrary code execution in SMM and escalation of privileges. An attacker could overwrite the function pointers in the EFI_BOOT_SERVICES table before the USB SMI handler triggers. (This is not exploitable from code running in the operating system.)
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.2 | HIGH | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | 1.5 | 6.0 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | * |
An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. An SMM memory corruption vulnerability in the FvbServicesRuntimeDxe driver allows an attacker to write fixed or predictable data to SMRAM. Exploiting this issue could lead to escalating privileges to SMM.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.2 | HIGH | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | 1.5 | 6.0 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | * |
An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. The SMI handler for the FwBlockServiceSmm driver uses an untrusted pointer as the location to copy data to an attacker-specified buffer, leading to information disclosure.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.0 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N | 1.5 | 4.0 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | * |
An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. The FwBlockSericceSmm driver does not properly validate input parameters for a software SMI routine, leading to memory corruption of arbitrary addresses including SMRAM, and possible arbitrary code execution.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.2 | HIGH | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | 1.5 | 6.0 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | * |
An issue SMM memory leak vulnerability in SMM driver (SMRAM was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. An attacker can dump SMRAM contents via the software SMI provided by the FvbServicesRuntimeDxe driver to read the contents of SMRAM, leading to information disclosure.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.0 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N | 1.5 | 4.0 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | * |
An stack buffer overflow vulnerability leads to arbitrary code execution issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. If the attacker modifies specific UEFI variables, it can cause a stack overflow, leading to arbitrary code execution. The specific variables are normally locked (read-only) at the OS level and therefore an attack would require direct SPI modification. If an attacker can change the values of at least two variables out of three (SecureBootEnforce, SecureBoot, RestoreBootSettings), it is possible to execute arbitrary code.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | kernel | * |
An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. A stack buffer overflow vulnerability in the MebxConfiguration driver leads to arbitrary code execution. Control of a UEFI variable under the OS can cause this overflow when read by BIOS code.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | kernel | * |
An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. An SMM callout vulnerability in the SMM driver FwBlockServiceSmm, creating SMM, leads to arbitrary code execution. An attacker can replace the pointer to the UEFI boot service GetVariable with a pointer to malware, and then generate a software SMI.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.2 | HIGH | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | 1.5 | 6.0 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | * |
An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. There is an SMM memory corruption vulnerability in the Software SMI handler in the PnpSmm driver.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.2 | HIGH | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | 1.5 | 6.0 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | * |
An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. The CapsuleIFWUSmm driver does not check the return value from a method or function. This can prevent it from detecting unexpected states and conditions.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | kernel | * |
An issue was discovered in IhisiSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. A malicious host OS can invoke an Insyde SMI handler with malformed arguments, resulting in memory corruption in SMM.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | 05.53.01 |
| insyde | insydeh2o | 05.28.03 |
| insyde | insydeh2o | 05.0a.11 |
| insyde | insydeh2o | 05.37.03 |
| insyde | insydeh2o | 05.45.01 |
| insyde | insydeh2o | 05.18.03 |
An issue was discovered in IhisiSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. It is possible to write to an attacker-controlled address. An attacker could invoke an SMI handler with a malformed pointer in RCX that overlaps SMRAM, resulting in SMM memory corruption.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | 05.36.37 |
| insyde | insydeh2o | 05.44.45 |
| insyde | insydeh2o | 05.52.45 |
| insyde | insydeh2o | 05.27.37 |
An issue was discovered in ChipsetSvcSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. There is insufficient input validation in BIOS Guard updates. An attacker can induce memory corruption in SMM by supplying malformed inputs to the BIOS Guard SMI handler.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | 05.43.12.0056 |
| insyde | insydeh2o | 05.42.52.0026 |
| insyde | insydeh2o | 05.43.01.0026 |
| insyde | insydeh2o | 05.44.34.0054 |
| insyde | insydeh2o | 05.44.45.0015 |
| insyde | insydeh2o | 05.44.45.0028 |
An issue was discovered in IhisiSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. IHISI subfunction execution may corrupt SMRAM. An attacker can pass an address in the RCX save state register that overlaps SMRAM, thereby coercing an IHISI subfunction handler to overwrite private SMRAM.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | 05.53.01 |
| insyde | insydeh2o | 05.37.03 |
| insyde | insydeh2o | 05.45.01 |
An issue was discovered in Insyde InsydeH2O with kernel 5.2 through 5.5. The Save State register is not checked before use. The IhisiSmm driver does not check the value of a save state register before use. Due to insufficient input validation, an attacker can corrupt SMRAM.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | * |
An issue was discovered in InsydeH2O. A malicious operating system can tamper with a runtime-writable EFI variable, leading to out-of-bounds memory reads and a denial of service. This is fixed in version 01.01.04.0016.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydecrpkg | * |
An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. Due to insufficient input validation, an attacker can tamper with a runtime-accessible EFI variable to cause a dynamic BAR setting to overlap SMRAM.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | 5.3 |
| insyde | insydeh2o | 5.0 |
| insyde | insydeh2o | 5.5 |
| insyde | insydeh2o | 5.1 |
| insyde | insydeh2o | 5.2 |
| insyde | insydeh2o | 5.4 |
An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. UEFI implementations do not correctly protect and validate information contained in the 'MeSetup' UEFI variable. On some systems, this variable can be overwritten using operating system APIs. Exploitation of this vulnerability could potentially lead to denial of service for the platform.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 1.8 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | 5.3 |
| insyde | insydeh2o | 5.0 |
| insyde | insydeh2o | 5.5 |
| insyde | insydeh2o | 5.1 |
| insyde | insydeh2o | 5.2 |
| insyde | insydeh2o | 5.4 |
An issue was discovered in FvbServicesRuntimeDxe in Insyde InsydeH2O with kernel 5.0 through 5.5. The FvbServicesRuntimeDxe SMM module exposes an SMI handler that allows an attacker to interact with the SPI flash at run-time from the OS.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | kernel | * |
An issue was discovered in TrEEConfigDriver in Insyde InsydeH2O with kernel 5.0 through 5.5. It can report false TPM PCR values, and thus mask malware activity. Devices use Platform Configuration Registers (PCRs) to record information about device and software configuration to ensure that the boot process is secure. (For example, Windows uses these PCR measurements to determine device health.) A vulnerable device can masquerade as a healthy device by extending arbitrary values into Platform Configuration Register (PCR) banks. This requires physical access to a target victim's device, or compromise of user credentials for a device. This issue is similar to CVE-2021-42299 (on Surface Pro devices).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.3 | MEDIUM | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N | 0.9 | 4.0 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | 5.2 |
| insyde | insydeh2o | * |
An issue was discovered in SysPasswordDxe in Insyde InsydeH2O with kernel 5.0 through 5.5. System password information could optionally be stored in cleartext, which might lead to possible information disclosure.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | 5.3 |
| insyde | insydeh2o | 5.0 |
| insyde | insydeh2o | 5.5 |
| insyde | insydeh2o | 5.1 |
| insyde | insydeh2o | 5.2 |
| insyde | insydeh2o | 5.4 |
An issue was discovered in SystemFirmwareManagementRuntimeDxe in Insyde InsydeH2O with kernel 5.0 through 5.5. The implementation of the GetImage method retrieves the value of a runtime variable named GetImageProgress, and later uses this value as a function pointer. This variable is wiped out by the same module near the end of the function. By setting this UEFI variable from the OS to point into custom code, an attacker could achieve arbitrary code execution in the DXE phase, before several chipset locks are set.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | * |
A stack buffer overflow vulnerability discovered in AsfSecureBootDxe in Insyde InsydeH2O with kernel 5.0 through 5.5 allows attackers to run arbitrary code execution during the DXE phase.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | 05.53.23.0011 |
| insyde | insydeh2o | 05.45.24.0039 |
| insyde | insydeh2o | 05.45.38.0005 |
| insyde | insydeh2o | 05.44.34.0055 |
| insyde | insydeh2o | 05.42.37.0031 |
| insyde | insydeh2o | 05.53.23.0014 |
| insyde | insydeh2o | 05.53.28.0013 |
| insyde | insydeh2o | 05.44.45.0017 |
| insyde | insydeh2o | 05.43.06.0021 |
| insyde | insydeh2o | 05.44.30.0022 |
| insyde | insydeh2o | 05.53.22.0008 |
An SMM memory corruption vulnerability in the SMM driver (SMRAM write) in CsmInt10HookSmm in Insyde InsydeH2O with kernel 5.0 through 5.5 allows attackers to send arbitrary data to SMM which could lead to privilege escalation.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | 5.5.05.53.22 |
| insyde | insydeh2o | 5.6.05.60.22 |
| insyde | insydeh2o | 5.6 |
| insyde | insydeh2o | * |
An issue was discovered in IhisiServicesSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. There are arbitrary calls to SetVariable with unsanitized arguments in the SMI handler.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N | 1.8 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | * |
A LogoFAIL issue was discovered in BmpDecoderDxe in Insyde InsydeH2O with kernel 5.2 before 05.28.47, 5.3 before 05.37.47, 5.4 before 05.45.47, 5.5 before 05.53.47, and 5.6 before 05.60.47 for certain Lenovo devices. Image parsing of crafted BMP logo files can copy data to a specific address during the DXE phase of UEFI execution. This occurs because of an integer signedness error involving PixelHeight and PixelWidth during RLE4/RLE8 compression.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 1.8 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fujitsu | primequest_4400e_firmware | * |
| fujitsu | celsius_w5010_firmware | * |
| fujitsu | primergy_tx1310_m3_firmware | * |
| fujitsu | lifebook_u749_firmware | * |
| fujitsu | esprimo_d9012_firmware | * |
| fujitsu | primergy_rx2540_m4_firmware | * |
| fujitsu | lifebook_u5313x_firmware | * |
| fujitsu | lifebook_u9310x_firmware | * |
| fujitsu | stylistic_q7312_firmware | * |
| fujitsu | primergy_cx2560_m5_firmware | * |
| fujitsu | lifebook_u729x_firmware | * |
| fujitsu | primergy_rx4770_m6_firmware | * |
| fujitsu | lifebook_u7613_firmware | * |
| fujitsu | esprimo_d9010_firmware | * |
| fujitsu | lifebook_u7312_firmware | * |
| fujitsu | lifebook_e549_firmware | * |
| fujitsu | stylistic_q7311_firmware | * |
| fujitsu | esprimo_p9910_firmware | * |
| fujitsu | esprimo_q7010_firmware | * |
| fujitsu | celsius_c780_firmware | * |
| fujitsu | primergy_tx1330_m3_firmware | * |
| fujitsu | esprimo_q957_firmware | * |
| fujitsu | esprimo_k558/24_firmware | * |
| fujitsu | esprimo_p6012_firmware | * |
| fujitsu | esprimo_k557/24_firmware | * |
| fujitsu | primergy_rx1440_m2_firmware | * |
| fujitsu | celsius_w570_firmware | * |
| fujitsu | lifebook_u7512_firmware | * |
| fujitsu | primergy_cx2570_m4_firmware | * |
| fujitsu | celsius_w570power_firmware | * |
| fujitsu | primequest_3800b_firmware | * |
| fujitsu | primergy_bx2560_m2_firmware | * |
| fujitsu | lifebook_e5411_firmware | * |
| fujitsu | esprimo_k5010/24_firmware | * |
| fujitsu | primergy_gx2460_m1_firmware | * |
| fujitsu | primergy_bx2580_m2_firmware | * |
| fujitsu | primergy_rx1330_m5_firmware | * |
| fujitsu | lifebook_e746_firmware | - |
| fujitsu | esprimo_p957_firmware | * |
| fujitsu | lifebook_u7412_firmware | * |
| fujitsu | celsius_w570power+_firmware | * |
| fujitsu | esprimo_p9012_firmware | * |
| fujitsu | lifebook_e5511_firmware | * |
| fujitsu | lifebook_u7313_firmware | * |
| fujitsu | lifebook_u9310_firmware | * |
| fujitsu | primergy_tx1330_m4_firmware | * |
| fujitsu | celsius_w5011_firmware | * |
| fujitsu | lifebook_e746_vpro_firmware | - |
| fujitsu | lifebook_u759_firmware | * |
| fujitsu | esprimo_g9013_firmware | * |
| fujitsu | primergy_rx2530_m6_firmware | * |
| fujitsu | lifebook_u729_firmware | * |
| fujitsu | esprimo_p958_firmware | * |
| fujitsu | primequest_3800e2_firmware | * |
| fujitsu | celsius_m7010power_firmware | * |
| fujitsu | primergy_rx4770_m5_firmware | * |
| fujitsu | lifebook_e5413_firmware | * |
| fujitsu | lifebook_e5412/mtc_firmware | * |
| fujitsu | esprimo_d738_firmware | * |
| fujitsu | primergy_rx4770_m4_firmware | * |
| fujitsu | esprimo_d9011_firmware | * |
| fujitsu | celsius_w5010/l_firmware | * |
| fujitsu | celsius_w5012_firmware | * |
| fujitsu | celsius_m7010xpower_firmware | * |
| fujitsu | primergy_rx2530_m5_firmware | * |
| fujitsu | celsius_j580_firmware | * |
| fujitsu | celsius_r970_firmware | * |
| fujitsu | esprimo_p7013_firmware | * |
| fujitsu | primergy_tx2550_m5_firmware | * |
| fujitsu | lifebook_e736_vpro_firmware | - |
| fujitsu | lifebook_u939x_firmware | * |
| fujitsu | celsius_h7613_firmware | * |
| fujitsu | esprimo_g558_firmware | * |
| fujitsu | celsius_r970bpower_firmware | * |
| fujitsu | lifebook_u9312_firmware | * |
| fujitsu | celsius_m7010_firmware | * |
| fujitsu | esprimo_g9012_firmware | * |
| fujitsu | lifebook_t939_firmware | * |
| fujitsu | primergy_rx2520_m4_firmware | * |
| fujitsu | celsius_r970b_firmware | * |
| fujitsu | lifebook_u9313x_firmware | * |
| fujitsu | celsius_w580power_firmware | * |
| fujitsu | primergy_tx1330_m5_firmware | * |
| fujitsu | esprimo_d7011_firmware | * |
| fujitsu | celsius_m7010x_firmware | * |
| fujitsu | esprimo_p557_firmware | * |
| fujitsu | esprimo_p7011_firmware | * |
| fujitsu | primergy_cx2560_m7_firmware | * |
| fujitsu | primergy_rx1330_m3_firmware | * |
| fujitsu | esprimo_d957_firmware | * |
| fujitsu | esprimo_p9013_firmware | * |
| fujitsu | lifebook_u7413_firmware | * |
| fujitsu | esprimo_d757_firmware | * |
| fujitsu | primequest_3800b2_firmware | * |
| fujitsu | esprimo_d957/e9x+_firmware | * |
| fujitsu | lifebook_e4511_firmware | * |
| fujitsu | celsius_h5511_firmware | * |
| fujitsu | primergy_tx1320_m5_firmware | * |
| fujitsu | esprimo_p5010_firmware | * |
| fujitsu | lifebook_u939_firmware | * |
| fujitsu | esprimo_q958/mre_firmware | * |
| fujitsu | stylistic_q739_firmware | * |
| fujitsu | primergy_rx2450_m1_firmware | * |
| fujitsu | lifebook_u7410_firmware | * |
| fujitsu | esprimo_q957/mre_firmware | * |
| fujitsu | celsius_h980_firmware | - |
| fujitsu | esprimo_q556/2_firmware | * |
| fujitsu | celsius_h7510_firmware | * |
| fujitsu | esprimo_g6012_firmware | * |
| fujitsu | stylistic_q7310_firmware | * |
| fujitsu | celsius_j5010_firmware | * |
| fujitsu | primergy_cx2550_m7_firmware | * |
| fujitsu | primergy_cx2570_m5_firmware | * |
| fujitsu | esprimo_p5011_firmware | * |
| fujitsu | lifebook_e5512_firmware | * |
| fujitsu | celsius_j550/2_firmware | * |
| fujitsu | esprimo_d7010_firmware | * |
| fujitsu | esprimo_p758_firmware | * |
| fujitsu | primergy_rx2540_m6_firmware | * |
| fujitsu | primergy_tx1310_m5_firmware | * |
| fujitsu | primergy_cx2550_m5_firmware | * |
| fujitsu | esprimo_q556/2/d_firmware | * |
| fujitsu | celsius_w580power+_firmware | * |
| fujitsu | primergy_tx1320_m4_firmware | * |
| fujitsu | primergy_cx2560_m6_firmware | * |
| fujitsu | esprimo_q958_firmware | * |
| fujitsu | lifebook_u7511_firmware | * |
| fujitsu | esprimo_d9013_firmware | * |
| fujitsu | stylistic_q5010_firmware | * |
| fujitsu | primergy_cx2550_m6_firmware | * |
| fujitsu | primergy_rx2530_m7_firmware | * |
| fujitsu | primergy_rx2530_m4_firmware | * |
| fujitsu | esprimo_g9010_firmware | * |
| fujitsu | esprimo_d7013_firmware | * |
| fujitsu | stylistic_q509_firmware | * |
| fujitsu | esprimo_q558_firmware | * |
| fujitsu | primequest_3800e_firmware | * |
| fujitsu | primergy_rx8770_m7_firmware | * |
| fujitsu | celsius_w5012-ll_firmware | * |
| fujitsu | lifebook_e5513_firmware | * |
| fujitsu | primergy_cx2560_m4_firmware | * |
| fujitsu | lifebook_e559_firmware | * |
| fujitsu | lifebook_a3511_firmware | - |
| fujitsu | lifebook_u7311_firmware | * |
| fujitsu | esprimo_d7012_firmware | * |
| fujitsu | lifebook_u7310_firmware | * |
| fujitsu | esprimo_p9011_firmware | * |
| fujitsu | primergy_tx1320_m3_firmware | * |
| fujitsu | celsius_h780_firmware | * |
| fujitsu | primergy_gx2560_m7_firmware | * |
| fujitsu | lifebook_u7510_firmware | * |
| fujitsu | esprimo_d6011_firmware | * |
| fujitsu | esprimo_d7010/8_firmware | * |
| fujitsu | primergy_rx4770_m3_firmware | * |
| fujitsu | esprimo_d556/2_firmware | * |
| fujitsu | primergy_cx2550_m4_firmware | * |
| fujitsu | lifebook_e5412_firmware | * |
| fujitsu | primergy_rx1330_m4_firmware | * |
| fujitsu | lifebook_u9413_firmware | * |
| fujitsu | lifebook_e736_firmware | - |
| fujitsu | esprimo_g5010_firmware | * |
| fujitsu | esprimo_d958_firmware | * |
| fujitsu | primergy_rx2450_m2_firmware | * |
| fujitsu | esprimo_p7010_firmware | * |
| fujitsu | esprimo_d6012_firmware | * |
| fujitsu | esprimo_p757_firmware | * |
| fujitsu | primergy_rx2520_m5_firmware | * |
| insyde | insydeh2o | * |
| fujitsu | primergy_tx2550_m7_firmware | * |
| fujitsu | lifebook_u9312x_firmware | * |
| fujitsu | primergy_rx4770_m7_firmware | * |
| fujitsu | primergy_rx2540_m5_firmware | * |
| fujitsu | esprimo_p958/power_firmware | * |
| fujitsu | esprimo_p558/power_firmware | * |
| fujitsu | esprimo_p9010_firmware | * |
| fujitsu | celsius_w580_firmware | * |
| fujitsu | lifebook_e5510_firmware | * |
| fujitsu | primergy_rx2540_m7_firmware | * |
| fujitsu | lifebook_e4411_firmware | * |
| fujitsu | esprimo_g5011_firmware | * |
| fujitsu | primergy_tx2550_m4_firmware | * |
| fujitsu | lifebook_e5410_firmware | * |
| fujitsu | lifebook_u7411_firmware | * |
| fujitsu | esprimo_p7012_firmware | * |
| fujitsu | lifebook_a3510_firmware | * |
| fujitsu | lifebook_u9311_firmware | * |
| fujitsu | primergy_gx2570_m6_firmware | * |
An issue was discovered in PnpSmm in Insyde InsydeH2O with kernel 5.0 through 5.6. There is a possible out-of-bounds access in the SMM communication buffer, leading to tampering. The PNP-related SMI sub-functions do not verify data size before getting it from the communication buffer, which could lead to possible circumstances where the data immediately following the command buffer could be destroyed with a fixed value. This is fixed in kernel 5.2 v05.28.45, kernel 5.3 v05.37.45, kernel 5.4 v05.45.45, kernel 5.5 v05.53.45, and kernel 5.6 v05.60.45.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | kernel | * |
A memory corruption vulnerability in StorageSecurityCommandDxe in Insyde InsydeH2O before kernel 5.2: IB19130163 in 05.29.07, kernel 5.3: IB19130163 in 05.38.07, kernel 5.4: IB19130163 in 05.46.07, kernel 5.5: IB19130163 in 05.54.07, and kernel 5.6: IB19130163 in 05.61.07 could lead to escalating privileges in SMM.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | kernel | * |
A memory corruption vulnerability in HddPassword in Insyde InsydeH2O kernel 5.2 before 05.29.09, kernel 5.3 before 05.38.09, kernel 5.4 before 05.46.09, kernel 5.5 before 05.54.09, and kernel 5.6 before 05.61.09 could lead to escalating privileges in SMM.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | * |
An issue was discovered in AcpiS3SaveDxe and ChipsetSvcDxe in Insyde InsydeH2O with kernel 5.2 though 5.7. A potential DXE memory corruption vulnerability has been identified. The root cause is use of a pointer originating from the value of an NVRAM variable as the target of a write operation. This can be leveraged by an attacker to perform arbitrary writes, potentially leading to arbitrary code execution. The issue has been fixed in kernel 5.2, Version 05.29.44; kernel 5.3, Version 05.38.44; kernel 5.4, Version 05.46.44; kernel 5.5, Version 05.54.44; kernel 5.6, Version 05.61.44; and kernel 5.7, Version 05.70.44.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 6.4 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N | 1.2 | 5.2 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | kernel | 5.5 |
| insyde | kernel | 5.3 |
| insyde | kernel | 5.4 |
| insyde | kernel | 5.6 |
| insyde | kernel | 5.2 |
| insyde | kernel | 5.7 |
An issue was discovered in Insyde InsydeH2O kernel 5.2 before version 05.29.50, kernel 5.3 before version 05.38.50, kernel 5.4 before version 05.46.50, kernel 5.5 before version 05.54.50, kernel 5.6 before version 05.61.50, and kernel 5.7 before version 05.70.50. In VariableRuntimeDxe driver, callback function SmmCreateVariableLockList () calls CreateVariableLockListInSmm (). In CreateVariableLockListInSmm (), it uses StrSize () to get variable name size and it could lead to a buffer over-read.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | * |
An issue was discovered in Insyde InsydeH2O kernel 5.2 before version 05.29.50, kernel 5.3 before version 05.38.50, kernel 5.4 before version 05.46.50, kernel 5.5 before version 05.54.50, kernel 5.6 before version 05.61.50, and kernel 5.7 before version 05.70.50. In VariableRuntimeDxe driver, VariableServicesSetVariable () can be called by gRT_>SetVariable () or the SmmSetSensitiveVariable () or SmmInternalSetVariable () from SMM. In VariableServicesSetVariable (), it uses StrSize () to get variable name size, uses StrLen () to get variable name length and uses StrCmp () to compare strings. These actions may cause a buffer over-read.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | * |
An issue was discovered in Insyde InsydeH2O kernel 5.2 before version 05.29.50, kernel 5.3 before version 05.38.50, kernel 5.4 before version 05.46.50, kernel 5.5 before version 05.54.50, kernel 5.6 before version 05.61.50, and kernel 5.7 before version 05.70.50. In VariableRuntimeDxe driver, SmmUpdateVariablePropertySmi () is a SMM callback function and it uses StrCmp () to compare variable names. This action may cause a buffer over-read.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | * |
An issue was discovered in Insyde InsydeH2O kernel 5.2 before version 05.29.50, kernel 5.3 before version 05.38.50, kernel 5.4 before version 05.46.50, kernel 5.5 before version 05.54.50, kernel 5.6 before version 05.61.50, and kernel 5.7 before version 05.70.50. In VariableRuntimeDxe driver, SecureBootHandler uses DataSize and VariableNameSize when determining if the data or name are in the buffer, but these are supplied by the caller and therefore cannot be trusted.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 7.9 | HIGH | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N | 1.5 | 5.8 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | kernel | * |
Improper input validation was discovered in UsbCoreDxe in Insyde InsydeH2O kernel 5.4 before 05.47.01, 5.5 before 05.55.01, 5.6 before 05.62.01, and 5.7 before 05.71.01. The SMM module has an SMM call out vulnerability which can be used to write arbitrary memory inside SMRAM and execute arbitrary code at SMM level.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| cve@mitre.org | 7.5 | HIGH | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H | 0.8 | 6.0 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| insyde | insydeh2o | * |