CVE-2023-39284

Name of the Vulnerable Software and Affected Versions Insyde InsydeH2O versions 5.0 through 5.5

Description An issue was discovered in IhisiServicesSmm where there are arbitrary calls to SetVariable with unsanitized arguments in the SMI handler. This allows for the modification of protected NVRAM variables from Ring0, which usually require higher privileges.

Recommendations For Insyde InsydeH2O versions 5.0 through 5.5, as a temporary workaround, consider restricting access to the SetVariable function in the SMI handler until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.