Insyde's Security Pledge
Insyde Security Advisory 2023053
Insyde ID | Advisory Category | Impact of Vulnerability | Severity Rating | Original Date | Last Revised |
INSYDE-SA-2023053 | Software | Local: 6.1 (Medium), CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:L Physical: 5.5 (Medium), CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:L |
5.5~6.1 | 12/06/2023 | 12/25/2023 |
Summary:
Improper input validation may be exploited via local access.
Vulnerability Details:
CVE-2023-40238
BRLY-2023-006
This vulnerability is also known as LogoFAIL. An attacker with write access to the ESP of the victim device can exploit by storing a maliciously crafted logo image.
There is a separate level of vulnerability for physical attacks and have provided a separate score for a physical attack.
Solution Information:
kernel 5.2: Version 05.28.47
kernel 5.3: Version 05.37.47
kernel 5.4: Version 05.45.47
kernel 5.5: Version 05.53.47
kernel 5.6: Version 05.60.47
Acknowledgements:
Thanks to the BINARLY efiXplorer team, 3rd party researchers, for reporting the vulnerability and engaging in this coordinated disclosure.
Revision History:
Revision | Date | Description |
1.0 | 12/06/2023 | Initial Release |
1.1 | 12/25/2023 | Updated CVSS and clarified method of attacks. |