Insyde Security Advisory 2023054

Insyde ID: INSYDE-SA-2023054
Advisory Category: Software
Impact of Vulnerability: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N
Severity Rating: 4.1
Original Date: 10/31/2023
Last Revised: 10/31/2023

Summary:

AsfSecureBootDxe: Stack buffer overflow vulnerability leading to arbitrary code execution during DXE phase.

Vulnerability Details:

CVE-2023-39281
BRLY-2023-002

Stack buffer overflow vulnerability that allows an attacker to execute arbitrary code.

Solution Information:

Intel Mobile Platforms
Raptor Lake: Version 05.45.24.0039
Alder Lake N: Version 05.44.45.0017
Alder Lake: Version 05.44.34.0055

AMD Mobile Platforms
Phoenix FP7_FP8 / Hawk Point 5.5: Version 05.53.28.0013
Dragon Range: Version 05.53.23.0011
Mendocino: Version 05.53.23.0014
Raphael: Version 05.53.22.0008
Rembrandt: Version 05.44.30.0022
VanGogh: Tag 05.43.06.0021
Barcelo/Cezanne/Lucienne: Version 05.42.37.0031

Intel Embedded/Server Platforms
Mehlow/Mehlow-R(CFL-S): Trunk
Tatlow (RKS): Trunk
TigerLake UP3/H: Trunk
AlderLake: Trunk
Raptor Lake: Trunk
Alder Lake N: Version 05.45.38.0005

Acknowledgements:

Thanks to the BINARLY efiXplorer team, 3rd party researchers, for reporting the vulnerability and engaging in this coordinated disclosure.

Revision History:

Revision 1.0, 10/31/2023: Initial Release
