PT-2022-21898 · Insyde · Insydeh2O Uefi Firmware
Published
2022-11-14
·
Updated
2023-02-14
·
CVE-2022-33906
CVSS v3.1
6.4
Medium
| Vector | AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
InsydeH2O UEFI firmware kernel versions prior to 5.2: 05.27.23
InsydeH2O UEFI firmware kernel versions prior to 5.3: 05.36.23
InsydeH2O UEFI firmware kernel versions prior to 5.4: 05.44.23
InsydeH2O UEFI firmware kernel versions prior to 5.5: 05.52.23
Description
The issue arises from DMA transactions targeting input buffers used by the FwBlockServiceSmm software SMI handler, potentially causing SMRAM corruption through a Time-of-Check-to-Time-of-Use (TOCTOU) attack. This was discovered by Insyde engineering based on a description from Intel's iSTARE group.
Recommendations
For kernel version 5.2, update to version 05.27.23 or later.
For kernel version 5.3, update to version 05.36.23 or later.
For kernel version 5.4, update to version 05.44.23 or later.
For kernel version 5.5, update to version 05.52.23 or later.
Fix
Time Of Check To Time Of Use
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Insydeh2O Uefi Firmware