CVE-2023-25600: Insyde Security Advisory 2023028 | Insyde Software
An issue was discovered in InsydeH2O. A malicious operating system can tamper with a runtime-writable EFI variable, leading to out-of-bounds memory reads and a denial of service. This is fixed in version 01.01.04.0016.
| Insyde ID | Advisory Category | Impact of Vulnerability | Severity Rating | Original Date | Last Revised |
|---|---|---|---|---|---|
| INSYDE-SA-2023028 | Software | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:L | 3.0 | 05/04/2023 | 05/04/2023 |
**Summary:**
OOB Read If “Console Redirection” EFI Variable Is Tampered.
**Vulnerability Details**
CVE-2023-25600
A malicious operating system can tamper with a runtime-writable EFI variable, leading to out-of-bounds memory reads and a denial of service.
InsydeCrPkg : Version 01.01.04.0016
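
The advisory does not publish the affected code, so the following added example (not Insyde's code) illustrates the bug class in C: firmware that uses a byte from a stored variable as a table index, next to a version that validates size, attributes and range first. The `cr_config_t` layout, the port table, the function names and the boot-only attribute policy are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical variable layout; the advisory does not publish the real one. */
typedef struct {
    uint8_t port_index;              /* selects an entry in port_base[] */
    uint8_t baud_index;
} cr_config_t;

#define PORT_COUNT 4
static const uint16_t port_base[PORT_COUNT] = { 0x3F8, 0x2F8, 0x3E8, 0x2E8 };

/* Attribute bits as defined by the UEFI specification. */
#define EFI_VARIABLE_NON_VOLATILE       0x00000001u
#define EFI_VARIABLE_BOOTSERVICE_ACCESS 0x00000002u
#define EFI_VARIABLE_RUNTIME_ACCESS     0x00000004u

/* Unsafe pattern: the stored byte indexes the table directly, so a value
 * the OS wrote at runtime causes an out-of-bounds read on the next boot. */
uint16_t lookup_port_unchecked(const uint8_t *data)
{
    return port_base[((const cr_config_t *)data)->port_index];
}

/* Hardened pattern: the variable is untrusted input. Returns 0 and sets
 * *base on success, -1 when the caller should fall back to defaults. */
int lookup_port_checked(const uint8_t *data, size_t size, uint32_t attrs,
                        uint16_t *base)
{
    cr_config_t cfg;

    if (data == NULL || base == NULL || size != sizeof(cfg))
        return -1;                   /* truncated or oversized blob */
    if (attrs & EFI_VARIABLE_RUNTIME_ACCESS)
        return -1;                   /* assumed policy: must be boot-only */
    memcpy(&cfg, data, sizeof(cfg));
    if (cfg.port_index >= PORT_COUNT)
        return -1;                   /* index outside the table */
    *base = port_base[cfg.port_index];
    return 0;
}

int main(void)
{
    const uint8_t tampered[] = { 0xC8, 0x00 };   /* constructed sample */
    uint16_t base = 0;
    return lookup_port_checked(tampered, sizeof(tampered),
        EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS, &base) == -1 ? 0 : 1;
}
```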
**Acknowledgements**
Insyde Software would like to thank Jeremy Boone (@uffeux) of the NCC Group for reporting the vulnerability and engaging in this coordinated disclosure.
**Revision History:**

| Revision | Date | Description |
|---|---|---|
| 1.0 | 05/04/2023 | Initial Release |