CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2023-27373
https://notcve.org/view.php?id=CVE-2023-27373
07 Aug 2023 — An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. Due to insufficient input validation, an attacker can tamper with a runtime-accessible EFI variable to cause a dynamic BAR setting to overlap SMRAM. Se descubrió un problema en Insyde InsydeH2O con los kernels 5.0 a 5.5. Debido a una validación de entrada insuficiente, un atacante puede alterar una variable EFI accesible en tiempo de ejecución para provocar que una configuración de BAR dinámica se superponga a SMRAM. • https://www.insyde.com/security-pledge/SA-2023035 • CWE-20: Improper Input Validation •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-24350
https://notcve.org/view.php?id=CVE-2022-24350
12 Apr 2023 — An issue was discovered in IhisiSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. IHISI function 0x17 verifies that the output buffer lies within the command buffer but does not verify that output data does not go beyond the end of the command buffer. In particular, the GetFlashTable function is called directly on the Command Buffer before the DataSize is check, leading to possible circumstances where the data immediately following the command buffer could be destroyed before returning a buffer size erro... • https://www.insyde.com/security-pledge • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-22616
https://notcve.org/view.php?id=CVE-2023-22616
12 Apr 2023 — An issue was discovered in Insyde InsydeH2O with kernel 5.2 through 5.5. The Save State register is not checked before use. The IhisiSmm driver does not check the value of a save state register before use. Due to insufficient input validation, an attacker can corrupt SMRAM. • https://research.nccgroup.com/2023/04/11/stepping-insyde-system-management-mode • CWE-610: Externally Controlled Reference to a Resource in Another Sphere •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2023-22612
https://notcve.org/view.php?id=CVE-2023-22612
11 Apr 2023 — An issue was discovered in IhisiSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. A malicious host OS can invoke an Insyde SMI handler with malformed arguments, resulting in memory corruption in SMM. • https://research.nccgroup.com/2023/04/11/stepping-insyde-system-management-mode • CWE-787: Out-of-bounds Write •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-22613
https://notcve.org/view.php?id=CVE-2023-22613
11 Apr 2023 — An issue was discovered in IhisiSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. It is possible to write to an attacker-controlled address. An attacker could invoke an SMI handler with a malformed pointer in RCX that overlaps SMRAM, resulting in SMM memory corruption. • https://research.nccgroup.com/2023/04/11/stepping-insyde-system-management-mode • CWE-787: Out-of-bounds Write •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 1CVE-2023-22614
https://notcve.org/view.php?id=CVE-2023-22614
11 Apr 2023 — An issue was discovered in ChipsetSvcSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. There is insufficient input validation in BIOS Guard updates. An attacker can induce memory corruption in SMM by supplying malformed inputs to the BIOS Guard SMI handler. • https://research.nccgroup.com/2023/04/11/stepping-insyde-system-management-mode • CWE-787: Out-of-bounds Write •
CVSS: 8.4EPSS: 0%CPEs: 3EXPL: 0CVE-2023-22615
https://notcve.org/view.php?id=CVE-2023-22615
11 Apr 2023 — An issue was discovered in IhisiSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. IHISI subfunction execution may corrupt SMRAM. An attacker can pass an address in the RCX save state register that overlaps SMRAM, thereby coercing an IHISI subfunction handler to overwrite private SMRAM. • https://www.insyde.com/security-pledge • CWE-787: Out-of-bounds Write •
CVSS: 7.0EPSS: 0%CPEs: 4EXPL: 0CVE-2022-32469
https://notcve.org/view.php?id=CVE-2022-32469
15 Feb 2023 — An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the PnpSmm shared buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the firmware block services data to SMRAM before checking it. • https://www.insyde.com/security-pledge • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •
CVSS: 7.0EPSS: 0%CPEs: 4EXPL: 0CVE-2022-32470
https://notcve.org/view.php?id=CVE-2022-32470
15 Feb 2023 — An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the FwBlockServiceSmm shared buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the firmware block services data to SMRAM before checking it. • https://www.insyde.com/security-pledge • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •
CVSS: 7.0EPSS: 0%CPEs: 4EXPL: 0CVE-2022-32471
https://notcve.org/view.php?id=CVE-2022-32471
15 Feb 2023 — An issue was discovered in IhisiSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. The IhisiDxe driver uses the command buffer to pass input and output data. By modifying the command buffer contents with DMA after the input parameters have been checked but before they are used, the IHISI SMM code may be convinced to modify SMRAM or OS, leading to possible data corruption or escalation of privileges. • https://www.insyde.com/security-pledge • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •