PT-2022-21899 · Insyde · Insydeh2O Uefi Firmware
Published
2022-11-14
·
Updated
2023-02-14
·
CVE-2022-33907
CVSS v3.1
6.4
Medium
| Vector | AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
InsydeH2O UEFI firmware kernel versions prior to 5.2: 05.27.25
InsydeH2O UEFI firmware kernel versions prior to 5.3: 05.36.25
InsydeH2O UEFI firmware kernel versions prior to 5.4: 05.44.25
Description
DMA transactions targeted at input buffers used for the software SMI handler in the IdeBusDxe driver could cause SMRAM corruption through a Time-of-Check-to-Time-of-Use (TOCTOU) attack. This issue was discovered by Insyde engineering based on a general description provided by Intel's iSTARE group.
Recommendations
For kernel 5.2, update to version 05.27.25 or later.
For kernel 5.3, update to version 05.36.25 or later.
For kernel 5.4, update to version 05.44.25 or later.
Fix
Time Of Check To Time Of Use
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Insydeh2O Uefi Firmware