Insyde Software Security Advisory
| Insyde ID | Advisory Category | Impact of Vulnerability | Severity Rating | Original Date | Last Revised |
|---|---|---|---|---|---|
| INSYDE-SA-2021001 | Software | Escalation of Privilege, Information Disclosure | 7.2 | 06/14/2021 | 12/28/2021 |
Summary:
A potential security vulnerability in the handler for IDE devices may allow escalation of privilege or information disclosure. Insyde has released firmware updates to mitigate this potential vulnerability.
Vulnerability Details
Description: Improper usage of Insyde firmware’s SMM services may allow a privileged user to gain escalated privileges or access to privileged information via local access.
CVSS Base Score: 7.2 Serious
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N
CWE-829: Inclusion of Functionality from Untrusted Control Sphere
Affected Insyde Products:
- InsydeH2O versions 5.4 before version 5.42.44 (with no IDE controller) or 5.43.25 (with IDE controller)
- InsydeH2O versions 5.3 before version 5.34.44 (with no IDE controller) or 5.35.25 (with IDE controller)
- InsydeH2O versions 5.2 before version 5.25.44 (with no IDE controller) or 5.26.25 (with IDE controller)
- InsydeH2O versions 5.1 before version 5.16.25 (with or without IDE controller)
Recommendations:
- Contact Insyde Software for an updated version of the affected products
- Insyde Software recommends that users contact hardware manufacturers to get an updated version of the BIOS flash package.
Acknowledgements:
Insyde would like to thank security researcher Evgenii Rasskazov for reporting this issue.
Revision History:
| Revision | Date | Description |
|---|---|---|
| 1.0 | 15-June-2021 | Initial Release |
| 1.1 | 02-July-2021 | Corrected CVE Link/Date |
| 1.2 | 29-November-2021 | Updated CVE Description |
| 1.3 | 28-December-2021 | Corrected Updated Description |