Insyde Security Advisory 2023036

Insyde ID: INSYDE-SA-2023036
Advisory Category: Software
Impact of Vulnerability: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
Severity Rating: 4.1
Original Date: 08/08/2023
Last Revised: 08/08/2023

Summary:

The MeSetup UEFI variable may be overwritten, which can cause a denial of service (DoS).

Vulnerability Details:

CVE-2023-27471

UEFI implementations do not correctly protect and validate information contained in the 'MeSetup' UEFI variable. On some systems, this variable can be overwritten using operating system APIs. Exploitation of this vulnerability could potentially lead to denial of service for the platform.
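
An added example, not part of Insyde's advisory: on Linux, a defender can check whether a variable named MeSetup is exposed to the operating system through efivarfs and which attributes it carries. The GUID and bytes used in `demo()` are constructed, and the `review` flag is an assumed heuristic, because attributes alone cannot show whether the firmware locks the variable.

```python
import os
import struct
import tempfile

# UEFI variable attribute bits, as defined in the UEFI specification.
ATTRS = {
    0x01: "NON_VOLATILE",
    0x02: "BOOTSERVICE_ACCESS",
    0x04: "RUNTIME_ACCESS",
    0x10: "AUTHENTICATED_WRITE_ACCESS",
    0x20: "TIME_BASED_AUTHENTICATED_WRITE_ACCESS",
}
RUNTIME, AUTH = 0x04, 0x10 | 0x20

def audit_variable(name="MeSetup", efivars="/sys/firmware/efi/efivars"):
    """Return one finding per efivarfs entry named <name>-<vendor GUID>."""
    findings = []
    if not os.path.isdir(efivars):
        return findings  # not booted via UEFI, or efivarfs is not mounted
    for entry in sorted(os.listdir(efivars)):
        # efivarfs file names are "<VariableName>-<GUID>"; a GUID is 36 chars.
        if len(entry) < 38 or entry[:-37] != name or entry[-37] != "-":
            continue
        try:
            with open(os.path.join(efivars, entry), "rb") as fh:
                head = fh.read(4)  # little-endian attribute word precedes the data
        except OSError:
            continue
        if len(head) < 4:
            continue
        attrs = struct.unpack("<I", head)[0]
        findings.append({
            "guid": entry[-36:],
            "attributes": [n for bit, n in ATTRS.items() if attrs & bit],
            # Assumed heuristic: OS-visible and not an authenticated variable.
            "review": bool(attrs & RUNTIME) and not attrs & AUTH,
        })
    return findings

def demo():
    """Run the audit on a constructed directory (GUID and bytes are made up)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "MeSetup-00000000-0000-0000-0000-000000000000")
        with open(path, "wb") as fh:
            fh.write(struct.pack("<I", 0x07) + b"\x00" * 8)
        return audit_variable(efivars=d)

if __name__ == "__main__":
    print(demo())
```

A finding with `review` set is a prompt to confirm the platform firmware is at or above the fixed version listed under Solution Information, not proof that the variable can be overwritten.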

Solution Information:
Intel Mobile Platforms:
Raptor Lake: Version 05.45.11.0033
Alder Lake-N: Version 05.44.45.0016
Alder Lake: Version 05.44.34.0055
Rocket Lake: Version 05.42.52.0028
Tiger Lake: Version 05.43.12.0057

Intel Server/Embedded Platforms:
ElkhartLake: Version 05.45.07.0020
Alder Lake-N: Version 05.45.07.0003

AMD Platforms: Unaffected.

Acknowledgements:

Thanks to Sung-Min Kim, Jae-Min Kim, Chan-Ho Kim, Sang-Hyeon Park and Gwi-Hyeon Yang, 3rd party researchers, for reporting the vulnerability and engaging in this coordinated disclosure.

Revision History:

Revision Date Description
1.0 08/08/2023 Initial Release
