PT-2023-6411 · Insyde · Insydeh2O
Published: 2023-10-10 · Updated: 2023-10-31 · CVE-2023-30633
CVSS v2.0: 5.6 (Medium)
Vector: AV:L/AC:L/Au:N/C:P/I:C/A:N
Name of the Vulnerable Software and Affected Versions
InsydeH2O versions 5.0 through 5.5
Description
The issue stems from incorrect security settings in the TrEEConfigDriver of the InsydeH2O framework for building UEFI firmware. An attacker can exploit it to hide malicious activity by falsifying TPM Platform Configuration Register (PCR) values: by extending arbitrary values into the PCR banks, a vulnerable device can present fabricated data in its PCRs and masquerade as a healthy device. Exploitation requires either physical access to the target device or compromise of user credentials.
Recommendations
For versions 5.0 through 5.5, consider disabling the TrEEConfigDriver until a patch is available, to prevent false TPM PCR values from being reported and to reduce the risk of malware activity masquerading as legitimate. Restrict access to the PCR banks to prevent arbitrary values from being extended into them. At present, there is no information about a newer version that contains a fix for this vulnerability.
Affected Products
Insydeh2O