Insyde Security Advisory 2023036

Insyde ID: INSYDE-SA-2023036
Advisory Category: Software
Impact of Vulnerability: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
Severity Rating: 4.1
Original Date: 08/08/2023
Last Revised: 08/08/2023


The MeSetup UEFI variable may be overwritten, causing a denial of service (DoS).

Vulnerability Details:


UEFI implementations do not correctly protect and validate information contained in the 'MeSetup' UEFI variable. On some systems, this variable can be overwritten using operating system APIs. Exploitation of this vulnerability could potentially lead to denial of service for the platform.
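
An exposure check for the variable described above, as an added example that is not part of Insyde's advisory: it reads any 'MeSetup' entry from Linux efivarfs and reports whether its attributes make it reachable from the OS at runtime without authenticated writes. Assumptions: efivarfs is mounted at /sys/firmware/efi/efivars, the function names are hypothetical, and the vendor GUID is matched by wildcard because the advisory does not give it. Attributes do not show firmware-side variable locking or content validation, so this result indicates exposure only, not whether a fixed firmware version is installed.

```python
import glob, os, struct

# UEFI variable attribute bits, as defined in the UEFI specification.
ATTRS = {
    0x01: "NON_VOLATILE",
    0x02: "BOOTSERVICE_ACCESS",
    0x04: "RUNTIME_ACCESS",
    0x08: "HARDWARE_ERROR_RECORD",
    0x10: "AUTHENTICATED_WRITE_ACCESS",
    0x20: "TIME_BASED_AUTHENTICATED_WRITE_ACCESS",
    0x40: "APPEND_WRITE",
}
AUTH_MASK = 0x10 | 0x20

def parse_efivar(raw):
    """An efivarfs file is a 4-byte little-endian attribute word, then the data."""
    if len(raw) < 4:
        raise ValueError("efivarfs entry shorter than its attribute header")
    (attrs,) = struct.unpack_from("<I", raw)
    return attrs, raw[4:]

def attr_names(attrs):
    return [name for bit, name in ATTRS.items() if attrs & bit]

def os_exposed(attrs):
    """Visible to the OS at runtime and not gated by authenticated writes."""
    return bool(attrs & 0x04) and not (attrs & AUTH_MASK)

def audit(name="MeSetup", efivars="/sys/firmware/efi/efivars"):
    """Return one finding per variable called `name`, whatever its vendor GUID."""
    findings = []
    for path in sorted(glob.glob(os.path.join(efivars, name + "-*"))):
        try:
            with open(path, "rb") as f:
                attrs, data = parse_efivar(f.read())
        except (OSError, ValueError) as exc:
            findings.append({"path": path, "error": str(exc)})
            continue
        findings.append({"path": path, "attrs": attr_names(attrs),
                         "size": len(data), "os_exposed": os_exposed(attrs)})
    return findings

if __name__ == "__main__":
    for finding in audit():
        print(finding)
```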

Solution Information:
Intel Mobile Platforms:
Raptor Lake: Version
Raptor Lake: Version
Alder Lake-N: Version
Alder Lake: Version
Rocket Lake: Version
Tiger Lake: Version

Intel Server/Embedded Platforms:
ElkhartLake: Version
Alder Lake-N: Version

AMD Platforms: Unaffected.


Thanks to Sung-Min Kim, Jae-Min Kim, Chan-Ho Kim, Sang-Hyeon Park and Gwi-Hyeon Yang, 3rd party researchers, for reporting the vulnerability and engaging in this coordinated disclosure.

Revision History:

Revision Date Description
1.0 08/08/2023 Initial Release
