Insyde Software Security Advisory

Insyde ID: INSYDE-SA-2021001
Advisory Category: Software
Impact of Vulnerability: Escalation of Privilege, Information Disclosure
Severity Rating: SERIOUS
Original Date: 06/14/2021
Last Revised: 07/02/2021

Summary:

A potential security vulnerability in the handler for IDE devices may allow escalation of privilege or information disclosure. Insyde has released firmware updates to mitigate this potential vulnerability.

Vulnerability Details

CVE-2020-27339

Description: Improper usage of Insyde firmware’s SMM services may allow a privileged user to gain escalated privileges or access to privileged information via local access.

CVSS Base Score: 7.2 Serious

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N

CWE-829: Inclusion of Functionality from Untrusted Control Sphere

Affected Insyde Products:

  • InsydeH2O versions 5.4 before version 5.42.44 (with no IDE controller) or 5.43.25 (with IDE controller)
  • InsydeH2O versions 5.3 before version 5.34.44 (with no IDE controller) or 5.35.25 (with IDE controller)
  • InsydeH2O versions 5.2 before version 5.25.44 (with no IDE controller) or 5.26.25 (with IDE controller)
  • InsydeH2O versions 5.1 before version 5.16.25 (with or without IDE controller)

Recommendations:

  • Contact Insyde Software for an updated version of the affected products.
  • Insyde Software recommends that users contact their hardware manufacturer for an updated version of the BIOS flash package.

Acknowledgements:

Insyde would like to thank security researcher Evgenii Rasskazov for reporting this issue.

Revision History:

Revision Date Description
1.0 15-June-2021 Initial Release
1.1 02-July-2021 Corrected CVE Link/Date
