INSYDE-SA-2024001
Product: InsydeH2O
CVSS Score: 7.4
Original Date: 2024-05-13
Last Revised:
Summary
SMM memory corruption vulnerability could lead to escalating privileges in SMM. (CWE-822)
Vulnerability Details
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L
CVE-2024-25078:
CVSS: 7.4
CVSS Vector String: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L
StorageSecurityCommandDxe: SMM memory corruption vulnerability could lead to escalating privileges in SMM.
CVE-2024-25079:
CVSS: 7.4
CVSS Vector String: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L
HddPassword: SMM memory corruption vulnerability could lead to escalating privileges to SMM.
CVE-2024-27353:
CVSS: 7.4
CVSS Vector String: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L
SdHost / SdMmcDevice: SMM memory corruption vulnerability could lead to escalating privileges in SMM.
Solution Information
CVE-2024-25078
kernel 5.2: Version in 05.29.07
kernel 5.3: Version in 05.38.07
kernel 5.4: Version in 05.46.07
kernel 5.5: Version in 05.54.07
kernel 5.6: Version in 05.61.07
CVE-2024-25079, CVE-2024-27353
kernel 5.2: Version in 05.29.09
kernel 5.3: Version in 05.38.09
kernel 5.4: Version in 05.46.09
kernel 5.5: Version in 05.54.09
kernel 5.6: Version in 05.61.09
Acknowledgements
Thanks to the BINARLY efiXplorer team, 3rd party researchers, for reporting the vulnerability and engaging in this coordinated disclosure. (CVE-2024-25078 & CVE-2024-25079)
Revision History
Revision #: 1
Date: 2024-05-13
Description: Initial Release