Insyde's Security Pledge

Recent Security Advisories

INSYDE-SA-2019001

Product: InsydeH2O

CVSS Score: 6.9

Original Date: 2019-08-12

Last Revised:

Summary

A potential security vulnerability in the Insyde software tools may allow escalation of privilege, or information disclosure. Insyde is releasing software updates to mitigate this potential vulnerability.

Vulnerability Details

CVSS Vector: AV:P/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C/CR:L

CVEID: CVE-2019-12532

Description: Improper access control in the Insyde software tools may allow an authenticated user to potentially enable escalation of privilege, or information disclosure via local access. This is a software vulnerability, not a BIOS issue.

  • H2OFFT version 3.02~5.28, 100.00.00.00~100.00.08.23, 200.00.00.01~200.00.00.05
  • H2OOAE before version 200.00.00.02
  • H2OSDE before version 200.00.00.07
  • H2OUVE before version 200.00.02.02
  • H2OPCM before version 100.00.06.00
  • H2OELV before version 100.00.02.08

Solution Information

  • Insyde Software has released a new version of the software tools to hardware manufacturers to mitigate this potential vulnerability.
  • Insyde Software recommends that users contact hardware manufacturers to get an updated version of the BIOS flash package.

Acknowledgements

Insyde would like to thank Mickey Shkatov and Jesse Michael from Eclypsium for reporting this issue and working with us on coordinated disclosure.

Revision History

Revision #: 1

Date: 2019-08-12

Description: Initial Release