Insyde Security Advisory 2023039
Insyde ID | Advisory Category | Impact of Vulnerability | Severity Rating | Original Date | Last Revised |
INSYDE-SA-2023039 | Software | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:L | 6.1 | 07/11/2023 | 07/11/2023 |
Summary:
FvbServicesRuntimeDxe: Exposes an SMI handler that allows an attacker to interact with the SPI flash.
Vulnerability Details
The FvbServicesRuntimeDxe SMM module exposes an SMI handler that allows an attacker to interact with the SPI flash at run-time from the OS.
Solution Information:
kernel 5.2: Version 05.28.23
kernel 5.3: Version 05.37.23
kernel 5.4: Version 05.45.23
kernel 5.5: Version 05.53.23
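As an added example (not part of Insyde's advisory), the script below triages a firmware inventory against the fixed versions listed above. It assumes the kernel version of each machine is already known, that the string has the layout `MM.BR.NN` where the first digit of the middle field selects the kernel branch (as in the four fixed versions), and that later releases within a branch compare numerically greater. The host names and sample versions are constructed.

```python
import re

# Fixed kernel versions per branch, copied from "Solution Information" above.
FIXED = {"5.2": "05.28.23", "5.3": "05.37.23", "5.4": "05.45.23", "5.5": "05.53.23"}

# Assumed layout "MM.BR.NN": MM = kernel major, B = branch digit, R and NN = release
# counters that only grow within a branch (inferred from the four values above).
_VERSION = re.compile(r"^(\d{2})\.(\d)(\d)\.(\d{2})$")


def parse(version):
    """Return (branch, release) such as ("5.4", (5, 23)); raise ValueError if malformed."""
    match = _VERSION.match(version.strip())
    if match is None:
        raise ValueError(f"unrecognised kernel version: {version!r}")
    major, branch_digit, rev, build = match.groups()
    return f"{int(major)}.{branch_digit}", (int(rev), int(build))


def classify(version):
    """Classify one kernel version string against the advisory's fixed versions."""
    try:
        branch, release = parse(version)
    except ValueError:
        return "unparseable"          # needs a manual look, never assume it is fixed
    if branch not in FIXED:
        return "branch-not-listed"    # advisory gives no fix for this branch
    return "fixed" if release >= parse(FIXED[branch])[1] else "needs-update"


def triage(inventory):
    """Map host -> status for a {host: kernel_version} inventory."""
    return {host: classify(version) for host, version in inventory.items()}


# Constructed sample inventory (hypothetical hosts and versions, not from the advisory).
SAMPLE = {
    "nb-001": "05.28.23",
    "nb-002": "05.44.51",
    "nb-003": "05.53.10",
    "nb-004": "05.45.30",
    "nb-005": "05.61.02",
    "nb-006": "5.4.45",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}  {SAMPLE[host]:<9} {status}")
```

Hosts reported as `unparseable` or `branch-not-listed` need a manual check against the vendor's firmware release notes, since the advisory says nothing about them.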
Acknowledgements
Thanks to 3rd party researchers, Enrique Nissim, Krzysztof Okupski and Joseph Tartaro from IOActive Inc. for reporting the vulnerability and engaging in this coordinated disclosure.
Revision History:
Revision | Date | Description |
1.0 | 07/11/2023 | Initial Release |