CVE-2023-28468: Insyde Security Advisory 2023039 | Insyde Software
An issue was discovered in FvbServicesRuntimeDxe in Insyde InsydeH2O with kernel 5.0 through 5.5. The FvbServicesRuntimeDxe SMM module exposes an SMI handler that allows an attacker to interact with the SPI flash at run-time from the OS.
| Insyde ID | Advisory Category | Impact of Vulnerability | Severity Rating | Original Date | Last Revised |
| --- | --- | --- | --- | --- | --- |
| INSYDE-SA-2023039 | Software | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:L | 6.1 | 07/11/2023 | 07/11/2023 |
**Summary:**
FvbServicesRuntimeDxe: Exposes an SMI handler that allows an attacker to interact with the SPI flash.
**Vulnerability Details**
CVE-2023-28468
The FvbServicesRuntimeDxe SMM module exposes an SMI handler that allows an attacker to interact with the SPI flash at run-time from the OS.
**Solution Information:**
kernel 5.2: Version 05.28.23
kernel 5.3: Version 05.37.23
kernel 5.4: Version 05.45.23
kernel 5.5: Version 05.53.23
**Acknowledgements**
Thanks to 3rd party researchers, Enrique Nissim, Krzysztof Okupski and Joseph Tartaro from IOActive Inc. for reporting the vulnerability and engaging in this coordinated disclosure.
**Revision History:**

| Revision | Date | Description |
| --- | --- | --- |
| 1.0 | 07/11/2023 | Initial Release |