PT-2022-1745 · Insyde · Insydeh2O
Published 2022-02-03 · Updated 2022-03-08 · CVE-2021-42554
CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
InsydeH2O 5.0: versions before 05.08.42
InsydeH2O 5.1: versions before 05.16.42
InsydeH2O 5.2: versions before 05.26.42
InsydeH2O 5.3: versions before 05.35.42
InsydeH2O 5.4: versions before 05.42.51
InsydeH2O 5.5: versions before 05.50.51
Description
The issue is an SMM memory corruption vulnerability in the FvbServicesRuntimeDxe component of the InsydeH2O UEFI firmware framework. It allows an attacker to write fixed or predictable data to SMRAM, potentially leading to privilege escalation to SMM. The vulnerability is associated with a buffer overflow in memory.
Recommendations
For InsydeH2O version 5.0 before 05.08.42, update to version 05.08.42 or later.
For InsydeH2O version 5.1 before 05.16.42, update to version 05.16.42 or later.
For InsydeH2O version 5.2 before 05.26.42, update to version 05.26.42 or later.
For InsydeH2O version 5.3 before 05.35.42, update to version 05.35.42 or later.
For InsydeH2O version 5.4 before 05.42.51, update to version 05.42.51 or later.
For InsydeH2O version 5.5 before 05.50.51, update to version 05.50.51 or later.
Fix
Memory Corruption
Affected Products
Insydeh2O