Insyde Security Assurance
Insyde Software Tool Security Advisory
Insyde ID | Advisory Category | Impact of Vulnerability | Severity Rating | Original Date | Last Revised |
INSYDE-SA-2019001 | Software | Escalation of Privilege, Information Disclosure | MEDIUM | 08/12/2019 | 08/12/2019 |
Summary:
A potential security vulnerability in the Insyde software tools may allow escalation of privilege or information disclosure. Insyde is releasing software updates to mitigate this potential vulnerability.
Vulnerability Details
Description: Improper access control in the Insyde software tools may allow an authenticated user to potentially enable escalation of privilege or information disclosure via local access. This is a software vulnerability, not a BIOS issue.
CVSS Base Score: 6.9 Medium
CVSS Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C/CR:L
Affected Insyde Tools:
- H2OFFT version 3.02~5.28, 100.00.00.00~100.00.08.23, 200.00.00.01~200.00.00.05
- H2OOAE before version 200.00.00.02
- H2OSDE before version 200.00.00.07
- H2OUVE before version 200.00.02.02
- H2OPCM before version 100.00.06.00
- H2OELV before version 100.00.02.08
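As an added example (not Insyde's code), the affected ranges listed above can be encoded as a check over a tool inventory. It assumes the `~` ranges are inclusive, "before" means strictly lower, and versions are supplied in the zero-padded dotted form used in the list; the sample inventory is constructed.

```python
# Added example: affected-version check for INSYDE-SA-2019001.
# Assumptions: "a~b" ranges are inclusive, "before version X" means strictly
# lower than X, and versions arrive in the zero-padded dotted form shown above.

def parse(version):
    """'100.00.08.23' -> (100, 0, 8, 23); raises ValueError on non-numeric fields."""
    return tuple(int(part) for part in version.strip().split("."))

# Ranges copied from the "Affected Insyde Tools" list.
# Each entry is (low, high, high_inclusive); low=None means no lower bound.
AFFECTED = {
    "H2OFFT": [("3.02", "5.28", True),
               ("100.00.00.00", "100.00.08.23", True),
               ("200.00.00.01", "200.00.00.05", True)],
    "H2OOAE": [(None, "200.00.00.02", False)],
    "H2OSDE": [(None, "200.00.00.07", False)],
    "H2OUVE": [(None, "200.00.02.02", False)],
    "H2OPCM": [(None, "100.00.06.00", False)],
    "H2OELV": [(None, "100.00.02.08", False)],
}

def is_affected(tool, version):
    """True if the tool version falls in a range the advisory lists.
    Raises KeyError for a tool the advisory does not name, so unknown
    tools are surfaced instead of silently reported as unaffected."""
    v = parse(version)
    for low, high, inclusive in AFFECTED[tool.upper()]:
        if low is not None and v < parse(low):
            continue  # below this range's lower bound
        h = parse(high)
        if v < h or (inclusive and v == h):
            return True
    return False

# Constructed sample inventory of (tool, version) pairs; not from the advisory.
SAMPLE_INVENTORY = [("H2OFFT", "5.28"), ("H2OFFT", "200.00.00.06"),
                    ("H2OUVE", "200.00.02.01"), ("H2OPCM", "100.00.06.00")]

def affected_entries(inventory):
    """Return the inventory entries that fall in an affected range."""
    return [(t, v) for t, v in inventory if is_affected(t, v)]

if __name__ == "__main__":
    for tool, ver in affected_entries(SAMPLE_INVENTORY):
        print(f"{tool} {ver}: affected by INSYDE-SA-2019001")
```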
Recommendations:
- Insyde Software has released new versions of the software tools to hardware manufacturers to mitigate this potential vulnerability.
- Insyde Software recommends that users contact their hardware manufacturers to get an updated version of the BIOS flash package.
Acknowledgements:
Insyde would like to thank Mickey Shkatov and Jesse Michael from Eclypsium for reporting this issue and working with us on coordinated disclosure.
Revision History:
Revision | Date | Description |
1.0 | 12-August-2019 | Initial Release |
1.1 | 04-September-2019 | Update Tool Release Status |