Headline
CVE-2023-27373: Insyde Security Advisory 2023035 | Insyde Software
An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. Due to insufficient input validation, an attacker can tamper with a runtime-accessible EFI variable to cause a dynamic BAR setting to overlap SMRAM.
Insyde ID
Advisory Category
Impact of Vulnerability
Severity Rating
Original Date
Last Revised
INSYDE-SA-2023035
Software
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:L
6.4
05/05/2023
05/05/2023
****Summary:****
Insufficient TSEG Overlap Checks.
****Vulnerability Details****
CVE-2023-27373
Due to insufficient input validation, an attacker can tamper with a runtime-accessible EFI variable to cause a dynamic BAR setting to overlap SMRAM.
Intel Mobile Platforms:
RapterLake: Version 05.45.02.0028
AlderLake-N: Version 05.44.45.0015
AlderLake: Version 05.44.34.0053
RocketLake: Version 05.42.52.0027
TigerLake: Version 05.43.12.0057
JasperLake: Version 05.43.01.0026
****Acknowledgements****
Insyde Software would like to thank Jeremy Boone (@uffeux) of the NCC Group for reporting the vulnerability and engaging in this coordinated disclosure.
****Revision History:****
Revision
Date
Description
1.0
05/05/2023
Initial Release
–
–
–
Return to Insyde’s Security Pledge