Insyde's Security Pledge

Recent Security Advisories

INSYDE-SA-2023053

Product

CVSS Score

Original Date

Last Revised

InsydeH2O

5.5~6.1

2023-12-06

2023-12-25

Summary

Improper input validation may be exploited via local access.

Vulnerability Details

CVSS Vector: Local: 6.1 (Medium): CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:L, Physical: 5.5 (Medium): CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:L

CVE-2023-40238
BRLY-2023-006

This vulnerability is also known as LogoFAIL. An attacker with write access to the ESP of the victim device can exploit by storing a maliciously crafted logo image.

There is a separate level of vulnerability for physical attacks and have provided a separate score for a physical attack.

Solution Information

kernel 5.2: Version 05.28.47
kernel 5.3: Version 05.37.47
kernel 5.4: Version 05.45.47
kernel 5.5: Version 05.53.47
kernel 5.6: Version 05.60.47

Acknowledgements

Thanks to the BINARLY efiXplorer team, 3rd party researchers, for reporting the vulnerability and engaging in this coordinated disclosure.

Revision History

Revision #

Date

Description

1

2023-12-06

Initial Release

1.1

2023-12-25

Updated CVSS and clarified method of attacks.