Insyde's Security Pledge

Recent Security Advisories

INSYDE-SA-2023036

Product      CVSS Score   Original Date   Last Revised
InsydeH2O    4.1          2023-08-08

Summary

The MeSetup UEFI variable may be overwritten, causing a denial of service (DoS).

Vulnerability Details

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H

CVE-2023-27471

UEFI implementations do not correctly protect and validate information contained in the ‘MeSetup’ UEFI variable. On some systems, this variable can be overwritten using operating system APIs. Exploitation of this vulnerability could potentially lead to denial of service for the platform.
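
A read-only check for the exposure described above, as an added example that is not part of Insyde's advisory: it parses Linux efivarfs entries named MeSetup and reports whether the variable is visible at runtime without an authenticated-write attribute. The efivarfs path, the function names and the sample bytes are assumptions; the attributes cannot show whether firmware locks the variable, so a flagged result is a prompt to confirm the fixed firmware version listed under Solution Information.

```python
import struct
from pathlib import Path

# UEFI variable attribute bits, as defined in the UEFI specification.
ATTRS = {
    0x01: "NON_VOLATILE",
    0x02: "BOOTSERVICE_ACCESS",
    0x04: "RUNTIME_ACCESS",
    0x08: "HARDWARE_ERROR_RECORD",
    0x10: "AUTHENTICATED_WRITE_ACCESS",
    0x20: "TIME_BASED_AUTHENTICATED_WRITE_ACCESS",
    0x40: "APPEND_WRITE",
}
RUNTIME = 0x04
AUTH_MASK = 0x10 | 0x20

def parse_efivar(blob):
    """An efivarfs file is a 4-byte little-endian attribute word, then the data."""
    if len(blob) < 4:
        raise ValueError("truncated efivarfs entry")
    (attrs,) = struct.unpack_from("<I", blob)
    return attrs, blob[4:]

def assess(name, blob):
    attrs, data = parse_efivar(blob)
    flags = [label for bit, label in ATTRS.items() if attrs & bit]
    # Runtime-visible and not signature-protected: an OS-level write is then
    # stopped only by a firmware lock, which the attributes do not reveal.
    exposed = bool(attrs & RUNTIME) and not (attrs & AUTH_MASK)
    return {"name": name, "attributes": flags, "data_bytes": len(data),
            "runtime_unauthenticated": exposed}

def audit(efivars_dir="/sys/firmware/efi/efivars", var_name="MeSetup"):
    """Assess every <var_name>-<GUID> entry; the path is the usual Linux mount."""
    root = Path(efivars_dir)
    results = []
    for path in (sorted(root.glob(var_name + "-*")) if root.is_dir() else []):
        try:
            results.append(assess(path.name, path.read_bytes()))
        except (OSError, ValueError) as exc:
            results.append({"name": path.name, "error": str(exc)})
    return results

# Constructed sample entry: attributes NV|BS|RT (0x07) followed by 8 data bytes.
SAMPLE = struct.pack("<I", 0x07) + bytes(8)

if __name__ == "__main__":
    print(assess("MeSetup-<constructed-sample>", SAMPLE))
    for result in audit():
        print(result)
```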

Solution Information

Intel Mobile Platforms:
Raptor Lake: Version 05.45.11.0033
Alder Lake-N: Version 05.44.45.0016
Alder Lake: Version 05.44.34.0055
Rocket Lake: Version 05.42.52.0028
Tiger Lake: Version 05.43.12.0057

Intel Server/Embedded Platforms:
Elkhart Lake: Version 05.45.07.0020
Alder Lake-N: Version 05.45.07.0003

AMD Platforms:
Unaffected.

Acknowledgements

Revision History

Revision #   Date         Description
1            2023-08-08   Initial Release