Insyde Security Advisory 2023040

Insyde ID: INSYDE-SA-2023040
Advisory Category: Software
Impact of Vulnerability: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:L
Severity Rating: 6.1
Original Date: 03/12/2024
Last Revised: 03/12/2024

Summary:

IhisiServiceSmm: A vulnerability in the module could allow an attacker to modify UEFI variables.

Vulnerability Details:

  1. CVE-2023-28149: A vulnerability in the IhisiServiceSmm module could allow an attacker to modify UEFI variables.
    CVSS: 6.1
    CVSS Vector String: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:L
  2. Solution Information:
    Kernel 5.2: fixed in version 05.28.42
    Kernel 5.3: fixed in version 05.37.42
    Kernel 5.4: fixed in version 05.45.39
    Kernel 5.5: fixed in version 05.53.39
    Kernel 5.6: fixed in version 05.60.39

    Tool accommodation:

    1. H2OFFT
      For Client platforms
      Win Package: 3.00.21.00 (Tool: v6.60 or newer)
      Shell Package: 3.00.11.00 (Tool: v2.31 or newer)
      For Server/Embedded platforms
      Windows: v200.02.00.08 or newer
      Shell: v200.02.00.08 or newer
      Linux: v200.02.00.08 or newer
    2. H2OUVE
      Windows: 200.02.00.13 or newer
      Shell: 200.02.00.13 or newer
      Linux: 200.02.00.13 or newer
    3. H2OOAE
      Windows: v200.02.00.03 or newer
      Shell: v200.02.00.03 or newer
      Linux: v200.02.00.03 or newer

    Revision History:

    Revision  Date        Description
    1.0       03/12/2024  Initial Release
