CVE-2023-34195

18.09.2023, 13:15

An issue was discovered in SystemFirmwareManagementRuntimeDxe in Insyde InsydeH2O with kernel 5.0 through 5.5. The implementation of the GetImage method retrieves the value of a runtime variable named GetImageProgress, and later uses this value as a function pointer. This variable is wiped out by the same module near the end of the function. By setting this UEFI variable from the OS to point into custom code, an attacker could achieve arbitrary code execution in the DXE phase, before several chipset locks are set.

Code Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
mitre	CNA	---				---
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 27%

Vendor	Product	Version
insyde	insydeh2o	5.2 ≤ 𝑥 < 5.2.05.28.22
insyde	insydeh2o	5.3 ≤ 𝑥 < 5.3.05.37.22
insyde	insydeh2o	5.4 ≤ 𝑥 < 5.4.05.45.22
insyde	insydeh2o	5.5 ≤ 𝑥 < 5.5.05.53.22
insyde	insydeh2o	5.6 ≤ 𝑥 < 5.6.05.60.22

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-94 - Improper Control of Generation of Code ('Code Injection')
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References

https://www.insyde.com/security-pledge

https://www.insyde.com/security-pledge/SA-2023052

https://www.insyde.com/security-pledge

https://www.insyde.com/security-pledge/SA-2023052