CVE-2019-12532: Security Advisory | Insyde Software
Improper access control in the Insyde software tools may allow an authenticated user to potentially enable escalation of privilege, or information disclosure via local access. This is a software vulnerability, not a firmware issue. Affected tools include: H2OFFT version 3.02~5.28, 100.00.00.00~100.00.08.23 and 200.00.00.01~200.00.00.05, H2OOAE before version 200.00.00.02, H2OSDE before version 200.00.00.07, H2OUVE before version 200.00.02.02, H2OPCM before version 100.00.06.00, H2OELV before version 100.00.02.08.
| Insyde ID | Advisory Category | Impact of Vulnerability | Severity Rating | Original Date | Last Revised |
|---|---|---|---|---|---|
| INSYDE-SA-2019001 | Software | Escalation of Privilege, Information Disclosure | MEDIUM | 08/12/2019 | 09/04/2019 |
**Summary:**
A potential security vulnerability in the Insyde software tools may allow escalation of privilege, or information disclosure. Insyde is releasing software updates to mitigate this potential vulnerability.
**Vulnerability Details:**
CVE ID: CVE-2019-12532
Description: Improper access control in the Insyde software tools may allow an authenticated user to potentially enable escalation of privilege, or information disclosure via local access. This is a software vulnerability, not a BIOS issue.
CVSS Base Score: 6.9 Medium
CVSS Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C/CR:L
**Affected Insyde Tools:**
- H2OFFT version 3.02~5.28, 100.00.00.00~100.00.08.23, 200.00.00.01~200.00.00.05
- H2OOAE before version 200.00.00.02
- H2OSDE before version 200.00.00.07
- H2OUVE before version 200.00.02.02
- H2OPCM before version 100.00.06.00
- H2OELV before version 100.00.02.08
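As an added triage helper (example code, not Insyde's own tooling), the affected ranges listed above expressed as a version check. It assumes a `low~high` range is inclusive at both ends and that version components compare as integers, so `100.00.08.24` sorts above `100.00.08.23`.

```python
"""Check whether an installed Insyde tool version falls in an affected range.

Ranges are transcribed from the advisory's "Affected Insyde Tools" list.
Assumptions: "low~high" is inclusive at both ends; "before version X"
means strictly less than X; dotted components compare as integers and
trailing zero components are insignificant ("3.2.0" == "3.2").
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'100.00.08.23' -> (100, 0, 8, 23); rejects non-numeric input."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = [int(p) for p in parts]
    while len(nums) > 1 and nums[-1] == 0:  # drop insignificant trailing zeros
        nums.pop()
    return tuple(nums)


# Each entry: (inclusive lower bound or None, upper bound, upper bound inclusive?)
AFFECTED: Dict[str, List[Tuple[Optional[Version], Version, bool]]] = {
    "H2OFFT": [
        (parse_version("3.02"), parse_version("5.28"), True),
        (parse_version("100.00.00.00"), parse_version("100.00.08.23"), True),
        (parse_version("200.00.00.01"), parse_version("200.00.00.05"), True),
    ],
    "H2OOAE": [(None, parse_version("200.00.00.02"), False)],
    "H2OSDE": [(None, parse_version("200.00.00.07"), False)],
    "H2OUVE": [(None, parse_version("200.00.02.02"), False)],
    "H2OPCM": [(None, parse_version("100.00.06.00"), False)],
    "H2OELV": [(None, parse_version("100.00.02.08"), False)],
}


def is_affected(tool: str, version: str) -> bool:
    """True if this version of the tool is inside an affected range."""
    ranges = AFFECTED.get(tool.upper())
    if ranges is None:
        raise KeyError(f"tool not covered by this advisory: {tool}")
    v = parse_version(version)
    for low, high, high_inclusive in ranges:
        if low is not None and v < low:
            continue
        if v < high or (high_inclusive and v == high):
            return True
    return False
```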
**Recommendations:**
- Insyde Software has released new versions of the software tools to hardware manufacturers to mitigate this potential vulnerability.
- Insyde Software recommends that users contact their hardware manufacturer to obtain an updated version of the BIOS flash package.
**Acknowledgements:**
Insyde would like to thank Mickey Shkatov and Jesse Michael from Eclypsium for reporting this issue and working with us on coordinated disclosure.
**Revision History:**

| Revision | Date | Description |
|---|---|---|
| 1.0 | 12-August-2019 | Initial Release |
| 1.1 | 04-September-2019 | Update Tool Release Status |