CVE-2022-29277

15.11.2022, 22:15

Incorrect pointer checks within the the FwBlockServiceSmm driver can allow arbitrary RAM modifications During review of the FwBlockServiceSmm driver, certain instances of SpiAccessLib could be tricked into writing 0xff to arbitrary system and SMRAM addresses. Fixed in: INTEL Purley-R: 05.21.51.0048 Whitley: 05.42.23.0066 Cedar Island: 05.42.11.0021 Eagle Stream: 05.44.25.0052 Greenlow/Greenlow-R(skylake/kabylake): Trunk Mehlow/Mehlow-R (CoffeeLake-S): Trunk Tatlow (RKL-S): Trunk Denverton: 05.10.12.0042 Snow Ridge: Trunk Graneville DE: 05.05.15.0038 Grangeville DE NS: 05.27.26.0023 Bakerville: 05.21.51.0026 Idaville: 05.44.27.0030 Whiskey Lake: Trunk Comet Lake-S: Trunk Tiger Lake H/UP3: 05.43.12.0052 Alder Lake: 05.44.23.0047 Gemini Lake: Not Affected Apollo Lake: Not Affected Elkhart Lake: 05.44.30.0018 AMD ROME: trunk MILAN: 05.36.10.0017 GENOA: 05.52.25.0006 Snowy Owl: Trunk R1000: 05.32.50.0018 R2000: 05.44.30.0005 V2000: Trunk V3000: 05.44.30.0007 Ryzen 5000: 05.44.30.0004 Embedded ROME: Trunk Embedded MILAN: Trunk Hygon Hygon #1/#2: 05.36.26.0016 Hygon #3: 05.44.26.0007 https://www.insyde.com/security-pledge/SA-2022060

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
mitre	CNA	---				---
CVE	ADP	---				---
CISA-ADP	ADP	8.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 19%

Vendor	Product	Version
amd	genoa_firmware	𝑥 < 05.52.25.0006
amd	hygon_1_firmware	𝑥 < 05.36.26.0016
amd	hygon_2_firmware	𝑥 < 05.36.26.0016
amd	hygon_3_firmware	𝑥 < 05.44.26.0007
amd	milan_firmware	𝑥 < 05.36.10.0017
amd	milan_firmware	𝑥 < 05.36.26.0016
amd	rome_firmware	𝑥 < 05.36.10.0017
amd	rome_firmware	𝑥 < 05.36.26.0016
amd	ryzen_5300g_firmware	𝑥 < 05.44.30.0004
amd	ryzen_5300ge_firmware	𝑥 < 05.44.30.0004
amd	ryzen_5600g_firmware	𝑥 < 05.44.30.0004
amd	ryzen_5600ge_firmware	𝑥 < 05.44.30.0004
amd	ryzen_5600x_firmware	𝑥 < 05.44.30.0004
amd	ryzen_5700g_firmware	𝑥 < 05.44.30.0004
amd	ryzen_5700ge_firmware	𝑥 < 05.44.30.0004
amd	ryzen_5800x_firmware	𝑥 < 05.44.30.0004
amd	ryzen_5800x3d_firmware	𝑥 < 05.44.30.0004
amd	ryzen_5900x_firmware	𝑥 < 05.44.30.0004
amd	ryzen_5950x_firmware	𝑥 < 05.44.30.0004
amd	snowy_owl_r1000_firmware	𝑥 < 05.32.50.0018
amd	snowy_owl_r2000_firmware	𝑥 < 05.44.30.0005
amd	snowy_owl_v2000_firmware	𝑥 < 05.44.30.0007
amd	snowy_owl_v3000_firmware	𝑥 < 05.44.30.0007
intel	alder_lake_firmware	𝑥 < 05.44.23.0047
intel	bakerville_firmware	𝑥 < 05.21.51.0026
intel	cedar_island_firmware	𝑥 < 05.42.11.0021
intel	idaville_firmware	𝑥 < 05.43.12.0052
intel	comet_lake-s_firmware	𝑥 < 05.43.12.0052
intel	tiger_lake_h\/up3_firmware	𝑥 < 05.43.12.0052
intel	whiskey_lake_firmware	𝑥 < 05.43.12.0052
intel	denverton_firmware	𝑥 < 05.10.12.0042
intel	eagle_stream_firmware	𝑥 < 05.44.25.0052
intel	grangeville_de_ns_firmware	𝑥 < 05.27.26.0023
intel	granville_de_firmware	𝑥 < 05.05.15.0038
intel	greenlow_firmware	𝑥 < 05.10.12.0042
intel	greenlow-r_firmware	𝑥 < 05.10.12.0042
intel	mehlow_firmware	𝑥 < 05.10.12.0042
intel	mehlow-r_firmware	𝑥 < 05.10.12.0042
intel	tatlow_firmware	𝑥 < 05.10.12.0042
intel	purley-r_firmware	𝑥 < 05.21.51.0048
intel	whitley_firmware	𝑥 < 05.42.23.0066

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-787 - Out-of-bounds Write
The software writes data past the end, or before the beginning, of the intended buffer.

References

https://www.insyde.com/security-pledge

https://www.insyde.com/security-pledge/SA-2022060

https://www.insyde.com/security-pledge

https://www.insyde.com/security-pledge/SA-2022060