Insyde Security Advisory 2024001

Insyde ID Advisory Category Impact of Vulnerability Severity Rating Original Date Last Revised
INSYDE-SA-2024001 Software CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L 7.4 05/13/2024 05/13/2024

Summary:

SMM memory corruption vulnerability could lead to escalating privileges in SMM. (CWE-822)

Vulnerability Details:

CVE-2024-25078:
CVSS: 7.4
CVSS Vector String: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L
StorageSecurityCommandDxe: SMM memory corruption vulnerability could lead to escalating privileges in SMM.

CVE-2024-25079:
CVSS: 7.4
CVSS Vector String: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L
HddPassword: SMM memory corruption vulnerability could lead to escalating privileges to SMM.

CVE-2024-27353:
CVSS: 7.4
CVSS Vector String: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L
SdHost / SdMmcDevice: SMM memory corruption vulnerability could lead to escalating privileges in SMM.

Solution Information:

CVE-2024-25078
kernel 5.2: Version in 05.29.07
kernel 5.3: Version in 05.38.07
kernel 5.4: Version in 05.46.07
kernel 5.5: Version in 05.54.07
kernel 5.6: Version in 05.61.07

CVE-2024-25079, CVE-2024-27353
kernel 5.2: Version in 05.29.09
kernel 5.3: Version in 05.38.09
kernel 5.4: Version in 05.46.09
kernel 5.5: Version in 05.54.09
kernel 5.6: Version in 05.61.09

Acknowledgements:

Thanks to the BINARLY efiXplorer team, 3rd party researchers, for reporting the vulnerability and engaging in this coordinated disclosure. (CVE-2024-25078 & CVE-2024-25079)

Revision History:

Revision Date Description
1.0 05/13/2024 Initial Release
- - -

Return to Insyde's Security Pledge