Insyde Security Advisory 2023022

Insyde ID	Advisory Category	Impact of Vulnerability	Severity Rating	Original Date	Last Revised
INSYDE-SA-2023022	Software	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:L	6.4	04/10/2023	04/10/2023

Summary:

IhisiServicesSmm: Save State Register Not Checked Before Use

Vulnerability Details

CVE-2023-22616

Due to insufficient input validation, an attacker can corrupt SMRAM.

Intel Mobile platforms:

RPL: Version 05.44.20.0010
ADL-N: Version 05.44.23.0011
ADL: Version 05.44.20.0045
RKL: Version 05.42.52.0024
TGL: Version 05.43.12.0056
JSL: Version 05.43.01.0025

Intel Server/Embedded platforms:

Mehlow/Mehlow-R(CFL-S) : Version 05.23.04.0050
Tatlow (RKS) :Version 05.42.52.0024
WhiskeyLake : Version 05.23.45.0028
CometLake-S : Version 05.34.19.0044
TigerLake UP3/H : Version 05.43.12.0052
AlderLake : Version 05.44.23.0047
ElkhartLake : Version 05.44.30.0018
Alder Lake N : Version 05.44.34.0001

AMD platforms:

ROME : Trunk
MILAN : Version 05.37.03.0020
GENOA : Master
Ryzen 5000 : IB20080004 @ Trunk
EmbROME : IB06170334 @ Trunk
EmbMILAN : IB06170335 @ Trunk

Acknowledgements

Insyde Software would like to thank Jeremy Boone (@uffeux) of the NCC Group for reporting the vulnerability and engaging in this coordinated disclosure.

Revision History:

Revision	Date	Description
1.0	04/10/2023	Initial Release
--	--	--

Return to Insyde's Security Pledge

Insyde's Security Pledge