CVE-2023-34195

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

An issue was discovered in SystemFirmwareManagementRuntimeDxe in Insyde InsydeH2O with kernel 5.0 through 5.5. The implementation of the GetImage method retrieves the value of a runtime variable named GetImageProgress, and later uses this value as a function pointer. This variable is wiped out by the same module near the end of the function. By setting this UEFI variable from the OS to point into custom code, an attacker could achieve arbitrary code execution in the DXE phase, before several chipset locks are set.

Se descubrió un problema en SystemFirmwareManagementRuntimeDxe en Insyde InsydeH2O con kernel 5.0 a 5.5. La implementación del método GetImage recupera el valor de una variable de tiempo de ejecución denominada GetImageProgress y luego usa este valor como puntero de función. Esta variable es eliminada por el mismo módulo cerca del final de la función. Al configurar esta variable UEFI desde el sistema operativo para que apunte a un código personalizado, un atacante podría lograr la ejecución de código arbitrario en la fase DXE, antes de que se establezcan varios bloqueos de chipset.

*Credits: N/A

CVSS Scores

NISTv3.1 7.8

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2023-05-30 CVE Reserved
2023-09-18 CVE Published
2023-09-19 EPSS Updated
2024-09-25 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-94: Improper Control of Generation of Code ('Code Injection')

CAPEC

References (2)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://www.insyde.com/security-pledge	2023-09-21
https://www.insyde.com/security-pledge/SA-2023052	2023-09-21

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Insyde Search vendor "Insyde"		Insydeh2o Search vendor "Insyde" for product "Insydeh2o"				>= 5.2 < 5.2.05.28.22 Search vendor "Insyde" for product "Insydeh2o" and version " >= 5.2 < 5.2.05.28.22"		-		Affected
Insyde Search vendor "Insyde"		Insydeh2o Search vendor "Insyde" for product "Insydeh2o"				>= 5.3 < 5.3.05.37.22 Search vendor "Insyde" for product "Insydeh2o" and version " >= 5.3 < 5.3.05.37.22"		-		Affected
Insyde Search vendor "Insyde"		Insydeh2o Search vendor "Insyde" for product "Insydeh2o"				>= 5.4 < 5.4.05.45.22 Search vendor "Insyde" for product "Insydeh2o" and version " >= 5.4 < 5.4.05.45.22"		-		Affected
Insyde Search vendor "Insyde"		Insydeh2o Search vendor "Insyde" for product "Insydeh2o"				>= 5.5 < 5.5.05.53.22 Search vendor "Insyde" for product "Insydeh2o" and version " >= 5.5 < 5.5.05.53.22"		-		Affected
Insyde Search vendor "Insyde"		Insydeh2o Search vendor "Insyde" for product "Insydeh2o"				>= 5.6 < 5.6.05.60.22 Search vendor "Insyde" for product "Insydeh2o" and version " >= 5.6 < 5.6.05.60.22"		-		Affected