CVE-2019-12532: Security Advisory | Insyde Software

Insyde ID

Advisory Category

Impact of Vulnerability

Severity Rating

Original Date

Last Revised

INSYDE-SA-2019001

Software

Escalation of Privilege, Information Disclosure

MEDIUM

08/12/2019

09/04/2019

****Summary:****

A potential security vulnerability in the Insyde software tools may allow escalation of privilege, or information disclosure. Insyde is releasing software updates to mitigate this potential vulnerability.

****Vulnerability Details****

CVEID: CVE-2019-12532

Description: Improper access control in the Insyde software tools may allow an authenticated user to potentially enable escalation of privilege, or information disclosure via local access. This is a software vulnerability, not a BIOS issue.

CVSS Base Score: 6.9 Medium

CVSS Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C/CR:L

****Affected Insyde Tools:****

• H2OFFT version 3.02~5.28, 100.00.00.00~100.00.08.23, 200.00.00.01~200.00.00.05
• H2OOAE before version 200.00.00.02
• H2OSDE before version 200.00.00.07
• H2OUVE before version 200.00.02.02
• H2OPCM before version 100.00.06.00
• H2OELV before version 100.00.02.08

****Recommendations:****

• Insyde Software has released new version of software tools to hardware manufacturers to mitigate this potential vulnerability.
• Insyde Software recommends that users contact hardware manufacturers to get updated version of BIOS flash package.

****Acknowledgements:****

Insyde would like to thank Mickey Shkatov and Jesse Michael from Eclypsium for reporting this issue and working with us on coordinated disclosure.

****Revision History:****

Revision

Date

Description

1.0

12-August-2019

Initial Release

1.1

04-September-2019

Update Tool Release Status

Return to Insyde’s Security Pledge