INSYDE-SA-2022017

Product: InsydeH2O
CVSS Score: 7.5
Original Date: 2022-02-01
Last Revised:

Summary

A vulnerability exists in a software System Management Interrupt (SWSMI) handler in InsydeH2O UEFI firmware. The handler dereferences the gRT (EFI_RUNTIME_SERVICES) pointer to call the GetVariable service, which is located outside of SMRAM. This can result in code execution in SMM (escalating privilege from ring 0 to ring -2).
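The callout pattern described in the summary, reduced to a hosted C model beside a handler that stays inside SMRAM. This is an added illustration, not Insyde's firmware code or its fix; SMRAM is modelled as one static struct, and every name other than gRT and GetVariable is hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model, not firmware code. Names other than gRT/GetVariable are hypothetical. */
typedef int (*get_variable_fn)(const char *name);
typedef struct { get_variable_fn GetVariable; } runtime_services_t; /* stand-in for EFI_RUNTIME_SERVICES */

static int trusted_get_variable(const char *name)  { (void)name; return 1; }  /* firmware's own service */
static int replaced_get_variable(const char *name) { (void)name; return -1; } /* whatever ring 0 put there */

/* Everything in this struct models data inside SMRAM, unreachable from ring 0 once locked. */
static struct { get_variable_fn smm_get_variable; } smram = { trusted_get_variable };

/* The runtime services table lives in ordinary memory, writable by ring 0. */
static runtime_services_t rt_table = { trusted_get_variable };
static runtime_services_t *gRT = &rt_table;

/* True only if [p, p+len) lies entirely inside the modelled SMRAM region. */
static bool in_smram(const void *p, size_t len) {
    uintptr_t a = (uintptr_t)p, base = (uintptr_t)&smram;
    return a >= base && len <= sizeof smram && a - base <= sizeof smram - len;
}

/* Pattern from the advisory: the handler trusts a pointer fetched from outside SMRAM. */
int swsmi_handler_callout(void) { return gRT->GetVariable("ExampleVar"); }

/* Hardened pattern: the handler only uses a service pointer stored inside SMRAM. */
int swsmi_handler_smm_only(void) { return smram.smm_get_variable("ExampleVar"); }

/* Audit helper: does the handler's dispatch slot live where ring 0 cannot rewrite it? */
bool dispatch_slot_is_protected(const get_variable_fn *slot) { return in_smram(slot, sizeof *slot); }

/* Models ring-0 code rewriting the table entry that sits outside SMRAM. */
void ring0_rewrites_runtime_table(void) { gRT->GetVariable = replaced_get_variable; }

int main(void) {
    ring0_rewrites_runtime_table();
    /* The callout handler now runs the replaced function; the SMM-only handler is unaffected. */
    return (swsmi_handler_callout() == -1 && swsmi_handler_smm_only() == 1) ? 0 : 1;
}
```

In EDK II-based firmware the SMM-resident counterpart to the runtime GetVariable service is EFI_SMM_VARIABLE_PROTOCOL; the advisory does not state how the fixed versions implement the change.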

Vulnerability Details

CVSS Vector: AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2020-5953

This corresponds to CVE-2020-5953. It affects the driver AsfSecureBootSmm. This issue was discovered by a third-party security researcher on a version of InsydeH2O that supported a specific Intel chipset. Insyde engineers subsequently discovered that drivers with the same name on versions of InsydeH2O supporting other Intel chipsets were similarly vulnerable. Prior to disclosure, this issue was independently discovered by the Binarly efiXplorer team.

Solution Information

The fixed versions were as follows (using the Intel code name):

Intel Kaby Lake – 05.12.09.0074
Intel Cannon Lake – 05.34.03.0029
Intel Coffee Lake – 05.34.03.0029
Intel Whiskey Lake (on Cannon Lake) – 05.34.03.0029
Intel Whiskey Lake – 05.23.45.0023
Intel Comet Lake – 05.23.04.0045
Intel Comet Lake (Server/Embedded) – 05.34.03.0029
Intel Ice Lake – 05.33.15.0034
Intel Rocket Lake – Unaffected
Intel Tiger Lake – 05.42.03.0010
Intel Alder Lake – Unaffected

Acknowledgements

Insyde Software would like to thank Binarly for reporting this issue.

Revision History

Revision #: 1
Date: 2022-02-01
Description: Initial Release