Insyde's Security Pledge
Insyde Security Advisory 2022037
Insyde ID | Advisory Category | Impact of Vulnerability | Severity Rating | Original Date | Last Revised |
INSYDE-SA-2022037 | Software | CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N | 8.2 | 09/30/2022 | 09/30/2022 |
Summary:
Signed third party UEFI bootloaders are vulnerable to Secure Boot bypass
Vulnerability Details
VU#309662
New Horizon Datasys Inc (CVE-2022-34302)
UEFI Shell execution to bypass Secure Boot
CryptoPro Secure Disk (CVE-2022-34301)
Eurosoft (UK) Ltd (CVE-2022-34303)
A security feature bypass vulnerability exists in signed 3rd party UEFI bootloaders that allows bypass of the UEFI Secure Boot feature. An attacker who successfully exploits this vulnerability can bypass the UEFI Secure Boot feature and execute unsigned code during the boot process.
These boot loaders are blocked from execution in InsydeH2O, versions:
kernel 5.0, unknown (End of Support)
kernel 5.1, unknown (End of Support)
kernel 5.2, version 05.27.34
kernel 5.3, version 05.36.34
kernel 5.4, version 05.44.34
kernel 5.5, version 05.52.34
Acknowledgements
This issue was reported to Microsoft by Eclypsium.
Revision History:
Revision | Date | Description |
1.0 | 09/30/2022 | Initial Release |
- | - | - |