Insyde's Security Pledge
Recent Security Advisories
INSYDE-SA-2023053
Product
CVSS Score
Original Date
Last Revised
InsydeH2O
5.5~6.1
2023-12-06
2023-12-25
Summary
Improper input validation may be exploited via local access.
Vulnerability Details
CVSS Vector: Local: 6.1 (Medium): CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:L, Physical: 5.5 (Medium): CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:L
CVE-2023-40238
BRLY-2023-006
This vulnerability is also known as LogoFAIL. An attacker with write access to the ESP of the victim device can exploit by storing a maliciously crafted logo image.
There is a separate level of vulnerability for physical attacks and have provided a separate score for a physical attack.
Solution Information
kernel 5.2: Version 05.28.47
kernel 5.3: Version 05.37.47
kernel 5.4: Version 05.45.47
kernel 5.5: Version 05.53.47
kernel 5.6: Version 05.60.47
Acknowledgements
Thanks to the BINARLY efiXplorer team, 3rd party researchers, for reporting the vulnerability and engaging in this coordinated disclosure.
Revision History
Revision #
Date
Description
1
2023-12-06
Initial Release
1.1
2023-12-25
Updated CVSS and clarified method of attacks.