Insyde Security Advisory 2022036

Insyde ID: INSYDE-SA-2022036
Advisory Category: Software
Impact of Vulnerability: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
Severity Rating: 5.6
Original Date: 09/30/2022
Last Revised: 09/30/2022

Summary:

Side-channel analysis may allow unauthorized disclosure of information

Vulnerability Details

CVE-2017-5715

Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
The original disclosure also describes issues that affect SMM when resuming to normal mode.

This issue is fixed in the following InsydeH2O versions:

Kernel 5.0, unknown (End of Support)
Kernel 5.1, unknown (End of Support)
Kernel 5.2, version 05.23.47
Kernel 5.3, version 05.32.47
Kernel 5.4, version 05.40.47
Kernel 5.5, unaffected

Acknowledgements

This issue was described by the Binarly efiXplorer team (https://www.binarly.io/advisories/BRLY-2022-028).

Revision History:

Revision | Date | Description
1.0 | 09/30/2022 | Initial Release
