INSYDE-SA-2023054

Product: InsydeH2O
CVSS Score: 4.1
Original Date: 2023-10-31
Last Revised:

Summary

AsfSecureBootDxe: Stack buffer overflow vulnerability leading to arbitrary code execution during DXE phase.

Vulnerability Details

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N

CVE-2023-39281
BRLY-2023-002

Stack buffer overflow vulnerability that allows an attacker to execute arbitrary code.

Solution Information

Intel Mobile Platforms
Raptor Lake: Version 05.45.24.0039
Alder Lake N: Version 05.44.45.0017
Alder Lake: Version 05.44.34.0055

AMD Mobile Platforms
Phoenix FP7_FP8 / Hawk Point 5.5: Version 05.53.28.0013
Dragon Range: Version 05.53.23.0011
Mendocino: Version 05.53.23.0014
Raphael: Version 05.53.22.0008
Rembrandt: Version 05.44.30.0022
VanGogh: Tag 05.43.06.0021
Barcelo/Cezanne/Lucienne: Version 05.42.37.0031

Intel Embedded/Server Platforms
Mehlow/Mehlow-R(CFL-S): Trunk
Tatlow (RKS): Trunk
TigerLake UP3/H: Trunk
AlderLake: Trunk
Raptor Lake: Trunk
Alder Lake N: Version 05.45.38.0005

Acknowledgements

Thanks to the BINARLY efiXplorer team, 3rd party researchers, for reporting the vulnerability and engaging in this coordinated disclosure.

Revision History

Revision # | Date | Description
1 | 2023-10-31 | Initial Release