Insyde Security Advisory 2024001
Insyde ID | Advisory Category | Impact of Vulnerability | Severity Rating | Original Date | Last Revised |
--- | --- | --- | --- | --- | --- |
INSYDE-SA-2024001 | Software | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L | 7.4 | 05/13/2024 | 05/13/2024 |
Summary:
SMM memory corruption vulnerability could lead to escalating privileges in SMM. (CWE-822)
Vulnerability Details:
CVE-2024-25078:
CVSS: 7.4
CVSS Vector String: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L
StorageSecurityCommandDxe: SMM memory corruption vulnerability could lead to escalating privileges in SMM.
CVE-2024-25079:
CVSS: 7.4
CVSS Vector String: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L
HddPassword: SMM memory corruption vulnerability could lead to escalating privileges to SMM.
CVE-2024-27353:
CVSS: 7.4
CVSS Vector String: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L
SdHost / SdMmcDevice: SMM memory corruption vulnerability could lead to escalating privileges in SMM.
Solution Information:
CVE-2024-25078
kernel 5.2: Version in 05.29.07
kernel 5.3: Version in 05.38.07
kernel 5.4: Version in 05.46.07
kernel 5.5: Version in 05.54.07
kernel 5.6: Version in 05.61.07
CVE-2024-25079, CVE-2024-27353
kernel 5.2: Version in 05.29.09
kernel 5.3: Version in 05.38.09
kernel 5.4: Version in 05.46.09
kernel 5.5: Version in 05.54.09
kernel 5.6: Version in 05.61.09
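To check a firmware inventory against the fixed builds listed above, here is an added Python helper (not Insyde's own tooling) that maps a kernel branch and build string to the CVEs from this advisory that the build still lacks. It assumes Insyde build strings are dotted decimal components that compare numerically, left to right.

```python
# Added example, not Insyde's tooling: triage a firmware build against the
# fixed versions published in INSYDE-SA-2024001. Assumption: build strings
# such as "05.46.07" are dotted decimal components compared numerically.
from typing import Dict, List, Tuple

# Fixed build per Insyde kernel branch, copied from "Solution Information".
FIXED_VERSIONS: Dict[str, Dict[str, str]] = {
    "CVE-2024-25078": {
        "5.2": "05.29.07", "5.3": "05.38.07", "5.4": "05.46.07",
        "5.5": "05.54.07", "5.6": "05.61.07",
    },
    "CVE-2024-25079": {
        "5.2": "05.29.09", "5.3": "05.38.09", "5.4": "05.46.09",
        "5.5": "05.54.09", "5.6": "05.61.09",
    },
    "CVE-2024-27353": {
        "5.2": "05.29.09", "5.3": "05.38.09", "5.4": "05.46.09",
        "5.5": "05.54.09", "5.6": "05.61.09",
    },
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '05.29.07' into (5, 29, 7) so comparison is numeric, not textual."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(p) for p in parts)


def unpatched_cves(kernel: str, version: str) -> List[str]:
    """Return the CVEs from this advisory that the given build has not picked up.

    A kernel branch the advisory does not list raises KeyError instead of
    silently reporting "nothing unpatched".
    """
    have = parse_version(version)
    missing = []
    for cve, fixed_by_branch in FIXED_VERSIONS.items():
        if kernel not in fixed_by_branch:
            raise KeyError(f"kernel branch {kernel!r} is not covered by this advisory")
        if have < parse_version(fixed_by_branch[kernel]):
            missing.append(cve)
    return missing


if __name__ == "__main__":
    # Constructed sample inventory: (kernel branch, build string).
    for branch, build in [("5.4", "05.46.07"), ("5.6", "05.61.09"), ("5.2", "05.29.03")]:
        print(branch, build, unpatched_cves(branch, build) or "fully patched")
```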
Acknowledgements:
Thanks to the BINARLY efiXplorer team, third-party researchers, for reporting these vulnerabilities and engaging in this coordinated disclosure. (CVE-2024-25078 & CVE-2024-25079)
Revision History:
Revision | Date | Description |
--- | --- | --- |
1.0 | 05/13/2024 | Initial Release |