Insyde Software Security Advisory
| Insyde ID | Advisory Category | Impact of Vulnerability | Severity Rating | Original Date | Last Revised |
|---|---|---|---|---|---|
| INSYDE-SA-2021001 | Software | Escalation of Privilege, Information Disclosure | SERIOUS | 06/14/2021 | 07/02/2021 |
A potential security vulnerability in the handler for IDE devices may allow escalation of privilege or information disclosure. Insyde has released firmware updates to mitigate this potential vulnerability.
Description: Improper usage of Insyde firmware’s SMM services may allow a privileged user to gain escalated privileges or access to privileged information via local access.
CVSS Base Score: 7.2 Serious
CWE-829: Inclusion of Functionality from Untrusted Control Sphere
Affected Insyde Products:
- InsydeH2O versions 5.4 before version 5.42.44 (with no IDE controller) or 5.43.25 (with IDE controller)
- InsydeH2O versions 5.3 before version 5.34.44 (with no IDE controller) or 5.35.25 (with IDE controller)
- InsydeH2O versions 5.2 before version 5.25.44 (with no IDE controller) or 5.26.25 (with IDE controller)
- InsydeH2O versions 5.1 before version 5.16.25 (with or without IDE controller)
- Contact Insyde Software for an updated version of the affected products
- Insyde Software recommends that users contact hardware manufacturers to get an updated version of the BIOS flash package.
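
For triaging a firmware inventory against the version list above, here is an added example (not Insyde's code). It assumes three-field version strings such as 5.42.44 and that the tens digit of the middle field identifies the InsydeH2O line; `FIXED`, `parse_version` and `assess` are hypothetical names, and the inventory rows are constructed.

```python
import re

# First fixed build per InsydeH2O line, copied from the advisory's list:
# line -> (without IDE controller, with IDE controller).
FIXED = {
    "5.4": ((5, 42, 44), (5, 43, 25)),
    "5.3": ((5, 34, 44), (5, 35, 25)),
    "5.2": ((5, 25, 44), (5, 26, 25)),
    "5.1": ((5, 16, 25), (5, 16, 25)),
}
_VERSION = re.compile(r"^\s*(\d+)\.(\d{2})\.(\d{1,2})\s*$")


def parse_version(text):
    """Parse 'MAJOR.NN.BB'; leading zeros such as '05.42.44' are accepted."""
    match = _VERSION.match(text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(field) for field in match.groups())


def assess(version_text, has_ide_controller=None):
    """Return 'affected', 'fixed' or 'not-listed' for one firmware build.

    has_ide_controller=None means unknown; the later of the two thresholds
    is then used so an unfixed IDE platform is not reported as fixed.
    """
    version = parse_version(version_text)
    # Assumption: the tens digit of the middle field names the line,
    # so 5.42.x and 5.43.x both belong to 5.4.
    line = f"{version[0]}.{version[1] // 10}"
    if line not in FIXED:
        return "not-listed"
    without_ide, with_ide = FIXED[line]
    if has_ide_controller is None:
        fixed_from = max(without_ide, with_ide)
    else:
        fixed_from = with_ide if has_ide_controller else without_ide
    return "affected" if version < fixed_from else "fixed"


if __name__ == "__main__":
    # Constructed inventory rows: (host, version, IDE controller present).
    inventory = [("lab-01", "05.42.44", False), ("lab-02", "5.42.44", True),
                 ("lab-03", "5.35.30", None), ("lab-04", "5.50.10", False)]
    for host, version, ide in inventory:
        print(host, version, assess(version, ide))
```

A `not-listed` result means only that the build falls outside the lines named in this advisory, not that it has been confirmed unaffected.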
Insyde would like to thank security researcher Evgenii Rasskazov for reporting this issue.
| 1.1 | 02-July-2021 | Corrected CVE Link/Date |