Insyde Security Advisory 2023053

Insyde ID Advisory Category Impact of Vulnerability Severity Rating Original Date Last Revised
INSYDE-SA-2023053 Software Local: 6.1 (Medium), CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:L
Physical: 5.5 (Medium), CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:L
5.5~6.1 12/06/2023 12/25/2023

Summary:

Improper input validation may be exploited via local access.

Vulnerability Details:

CVE-2023-40238
BRLY-2023-006

This vulnerability is also known as LogoFAIL. An attacker with write access to the ESP of the victim device can exploit by storing a maliciously crafted logo image.

There is a separate level of vulnerability for physical attacks and have provided a separate score for a physical attack.

Solution Information:
kernel 5.2: Version 05.28.47
kernel 5.3: Version 05.37.47
kernel 5.4: Version 05.45.47
kernel 5.5: Version 05.53.47
kernel 5.6: Version 05.60.47

Acknowledgements:

Thanks to the BINARLY efiXplorer team, 3rd party researchers, for reporting the vulnerability and engaging in this coordinated disclosure.

Revision History:

Revision Date Description
1.0 12/06/2023 Initial Release
1.1 12/25/2023 Updated CVSS and clarified method of attacks.

Return to Insyde's Security Pledge