PT-2024-28644 · Insyde · Insyde Ihisi
Published 2024-11-14 · Updated 2024-12-20
CVE-2024-39707
CVSS v3.1: 5.3 (Medium)
Vector: AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Insyde IHISI versions prior to kernel 5.2 version 05.29.19
Insyde IHISI versions prior to kernel 5.3 version 05.38.19
Insyde IHISI versions prior to kernel 5.4 version 05.46.19
Insyde IHISI versions prior to kernel 5.5 version 05.54.19
Insyde IHISI versions prior to kernel 5.6 version 05.61.19
Description
The Insyde IHISI function 0x49 can restore factory defaults for certain UEFI variables without further authentication by default, which could lead to a possible roll-back attack in certain platforms.
Recommendations
For versions prior to kernel 5.2 version 05.29.19, update to kernel 5.2 version 05.29.19 or later.
For versions prior to kernel 5.3 version 05.38.19, update to kernel 5.3 version 05.38.19 or later.
For versions prior to kernel 5.4 version 05.46.19, update to kernel 5.4 version 05.46.19 or later.
For versions prior to kernel 5.5 version 05.54.19, update to kernel 5.5 version 05.54.19 or later.
For versions prior to kernel 5.6 version 05.61.19, update to kernel 5.6 version 05.61.19 or later.
As a temporary workaround, consider restricting access to the Insyde IHISI function 0x49 until a patch is available.
Fix
Missing Authentication
Weakness Enumeration
Related Identifiers
Affected Products
Insyde Ihisi