Insyde's Security Pledge

Recent Security Advisories

INSYDE-SA-2021001

Product: InsydeH2O
CVSS Score: 7.2
Original Date: 2021-06-14
Last Revised:

Summary

A potential security vulnerability in the handler for IDE devices may allow escalation of privilege or information disclosure. Insyde has released firmware updates to mitigate this potential vulnerability.

Vulnerability Details

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N

CVE-2020-27339

Description: Improper usage of Insyde firmware’s SMM services may allow a privileged user to gain escalated privileges or access to privileged information via local access.

CWE-829: Inclusion of Functionality from Untrusted Control Sphere

Solution Information

  • InsydeH2O versions 5.4 before version 5.42.44 (with no IDE controller) or 5.43.25 (with IDE controller)
  • InsydeH2O versions 5.3 before version 5.34.44 (with no IDE controller) or 5.35.25 (with IDE controller)
  • InsydeH2O versions 5.2 before version 5.25.44 (with no IDE controller) or 5.26.25 (with IDE controller)
  • InsydeH2O versions 5.1 before version 5.16.25 (with or without IDE controller)

Recommendations:

  • Contact Insyde Software for an updated version of the affected products
  • Insyde Software recommends that users contact hardware manufacturers to get an updated version of the BIOS flash package.

Acknowledgements

Insyde would like to thank security researcher Evgenii Rasskazov for reporting this issue.

Revision History

Revision #: 1
Date: 2021-06-14
Description: Initial Release