Insyde's Security Pledge

Recent Security Advisories

INSYDE-SA-2022037

Product: InsydeH2O
CVSS Score: 8.2
Original Date: 2022-09-30
Last Revised:

Summary

Signed third party UEFI bootloaders are vulnerable to Secure Boot bypass.

Vulnerability Details

CVSS Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

VU#309662
New Horizon Datasys Inc (CVE-2022-34302)
UEFI Shell execution to bypass Secure Boot
CryptoPro Secure Disk (CVE-2022-34301)
Eurosoft (UK) Ltd (CVE-2022-34303)

A security feature bypass vulnerability exists in signed 3rd party UEFI bootloaders that allows bypass of the UEFI Secure Boot feature. An attacker who successfully exploits this vulnerability can bypass the UEFI Secure Boot feature and execute unsigned code during the boot process.

Solution Information

These boot loaders are blocked from execution in InsydeH2O, versions:
kernel 5.0, unknown (End of Support)
kernel 5.1, unknown (End of Support)
kernel 5.2, version 05.27.34
kernel 5.3, version 05.36.34
kernel 5.4, version 05.44.34
kernel 5.5, version 05.52.34

Acknowledgements

This issue was reported to Microsoft by Eclypsium.

Revision History

Revision #: 1
Date: 2022-09-30
Description: Initial Release