Insyde Software Tool Security Advisory

Insyde ID: INSYDE-SA-2019001
Advisory Category: Software
Impact of Vulnerability: Escalation of Privilege, Information Disclosure
Severity Rating: MEDIUM
Original Date: 08/12/2019
Last Revised: 08/12/2019

Summary:

A potential security vulnerability in Insyde software tools may allow escalation of privilege or information disclosure. Insyde is releasing updated versions of the affected tools to mitigate this potential vulnerability.

Vulnerability Details

CVEID: CVE-2019-12532

Description: Improper access control in Insyde software tools may allow an authenticated user with local access to escalate privileges or disclose information. This is a vulnerability in the tools themselves, not in the BIOS firmware.

CVSS Base Score: 6.9 Medium

CVSS Vector (base metrics followed by temporal and environmental metrics; the 6.9 base score above is derived from the base metrics only): CVSS:3.1/AV:P/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C/CR:L

Affected Insyde Tools:

  • H2OFFT version 3.02~5.28, 100.00.00.00~100.00.08.23, 200.00.00.01~200.00.00.05
  • H2OOAE before version 200.00.00.02
  • H2OSDE before version 200.00.00.07
  • H2OUVE before version 200.00.02.02
  • H2OPCM before version 100.00.06.00
  • H2OELV before version 100.00.02.08

Recommendations:

  • Insyde Software has released new versions of the affected software tools to hardware manufacturers to mitigate this potential vulnerability.
  • Insyde Software recommends that users contact their hardware manufacturer to obtain an updated BIOS flash package built with the fixed tools.

Acknowledgements:

Insyde would like to thank Mickey Shkatov and Jesse Michael from Eclypsium for reporting this issue and working with us on coordinated disclosure.

Revision History:

Revision 1.0, 12-August-2019: Initial Release
Revision 1.1, 04-September-2019: Update Tool Release Status
