PT-2022-21192 · Insyde · Insydeh2O Uefi Firmware
Published
2022-11-14
·
Updated
2022-11-18
·
CVE-2022-32267
CVSS v3.1
6.4
Medium
| Vector | AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
InsydeH2O UEFI firmware versions prior to Kernel 5.2: 05.27.23
InsydeH2O UEFI firmware versions prior to Kernel 5.3: 05.36.23
InsydeH2O UEFI firmware versions prior to Kernel 5.4: 05.44.23
InsydeH2O UEFI firmware versions prior to Kernel 5.5: 05.52.23
Description
The issue is related to DMA transactions targeting input buffers used by the SmmResourceCheckDxe software SMI handler, which can cause SMRAM corruption through a Time-of-Check-to-Time-of-Use (TOCTOU) attack. This was discovered by Insyde engineering.
Recommendations
For InsydeH2O UEFI firmware version prior to Kernel 5.2: 05.27.23, update to Kernel 5.2: 05.27.23 or later.
For InsydeH2O UEFI firmware version prior to Kernel 5.3: 05.36.23, update to Kernel 5.3: 05.36.23 or later.
For InsydeH2O UEFI firmware version prior to Kernel 5.4: 05.44.23, update to Kernel 5.4: 05.44.23 or later.
For InsydeH2O UEFI firmware version prior to Kernel 5.5: 05.52.23, update to Kernel 5.5: 05.52.23 or later.
Fix
Time Of Check To Time Of Use
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Insydeh2O Uefi Firmware