Insyde Software Tool Security Advisory
| Insyde ID | Advisory Category | Impact of Vulnerability | Severity Rating | Original Date | Last Revised |
|---|---|---|---|---|---|
| INSYDE-SA-2019001 | Software | Escalation of Privilege, Information Disclosure | MEDIUM | 08/12/2019 | 09/04/2019 |
A potential security vulnerability in the Insyde software tools may allow escalation of privilege or information disclosure. Insyde is releasing software updates to mitigate this potential vulnerability.
Description: Improper access control in the Insyde software tools may allow an authenticated user to potentially enable escalation of privilege or information disclosure via local access. This is a software vulnerability, not a BIOS issue.
CVSS Base Score: 6.9 Medium
CVSS Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C/CR:L
Affected Insyde Tools:
- H2OFFT version 3.02~5.28, 100.00.00.00~100.00.08.23, 200.00.00.01~200.00.00.05
- H2OOAE before version 200.00.00.02
- H2OSDE before version 200.00.00.07
- H2OUVE before version 200.00.02.02
- H2OPCM before version 100.00.06.00
- H2OELV before version 100.00.02.08
- Insyde Software has released new versions of the software tools to hardware manufacturers to mitigate this potential vulnerability.
- Insyde Software recommends that users contact their hardware manufacturers to get an updated version of the BIOS flash package.
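An added example (not Insyde's code) for triaging an inventory of tool versions against the affected ranges listed above. It assumes `A~B` is an inclusive range, "before X" excludes X, and versions compare numerically component by component; the host names and inventory rows are constructed.

```python
# Added example: check Insyde tool versions against INSYDE-SA-2019001.
# Assumptions: "A~B" is inclusive, "before X" excludes X, and versions
# compare as integer tuples ("3.02" -> (3, 2)), ignoring trailing zeros.

def parse_version(text):
    """Turn '100.00.08.23' into (100, 0, 8, 23); reject non-numeric input."""
    parts = text.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = [int(p) for p in parts]
    while len(nums) > 1 and nums[-1] == 0:  # so "5.28.0" equals "5.28"
        nums.pop()
    return tuple(nums)

# Ranges copied from the "Affected Insyde Tools" list.
# Each entry is (low, high, high_inclusive); low=None means no lower bound.
AFFECTED = {
    "H2OFFT": [("3.02", "5.28", True),
               ("100.00.00.00", "100.00.08.23", True),
               ("200.00.00.01", "200.00.00.05", True)],
    "H2OOAE": [(None, "200.00.00.02", False)],
    "H2OSDE": [(None, "200.00.00.07", False)],
    "H2OUVE": [(None, "200.00.02.02", False)],
    "H2OPCM": [(None, "100.00.06.00", False)],
    "H2OELV": [(None, "100.00.02.08", False)],
}

def is_affected(tool, version):
    """True/False for listed tools, None if the advisory does not name the tool."""
    ranges = AFFECTED.get(tool.upper())
    if ranges is None:
        return None
    v = parse_version(version)
    for low, high, inclusive in ranges:
        if low is not None and v < parse_version(low):
            continue
        hi = parse_version(high)
        if v < hi or (inclusive and v == hi):
            return True
    return False

def triage(inventory):
    """Return the (host, tool, version) rows that fall in an affected range."""
    return [row for row in inventory if is_affected(row[1], row[2])]

# Constructed sample inventory, not real hosts.
SAMPLE = [("ws-01", "H2OFFT", "5.28"), ("ws-02", "H2OFFT", "100.00.08.24"),
          ("ws-03", "H2OUVE", "200.00.02.01"), ("ws-04", "H2OPCM", "100.00.06.00")]
```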
Insyde would like to thank Mickey Shkatov and Jesse Michael from Eclypsium for reporting this issue and working with us on coordinated disclosure.
| 1.1 | 04-September-2019 | Update Tool Release Status |