CVE-2023-27471: Insyde Security Advisory 2023036 | Insyde Software
An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. UEFI implementations do not correctly protect and validate information contained in the ‘MeSetup’ UEFI variable. On some systems, this variable can be overwritten using operating system APIs. Exploitation of this vulnerability could potentially lead to denial of service for the platform.
Insyde ID: INSYDE-SA-2023036
Advisory Category: Software
Impact of Vulnerability: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
Severity Rating: 4.1
Original Date: 08/08/2023
Last Revised: 08/08/2023
**Summary:**
The MeSetup UEFI variable may be overwritten, causing a denial of service (DoS).
**Vulnerability Details:**
CVE-2023-27471
UEFI implementations do not correctly protect and validate information contained in the ‘MeSetup’ UEFI variable. On some systems, this variable can be overwritten using operating system APIs. Exploitation of this vulnerability could potentially lead to denial of service for the platform.
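As an added example (not part of Insyde's advisory), the following audit reads a `MeSetup` entry the way Linux efivarfs exposes UEFI variables and reports whether its attributes leave it reachable from the running OS. It assumes a Linux host; the GUIDs in the sample are constructed placeholders, and the attribute bits are those of the UEFI specification. A firmware-side variable lock is not visible to this read, so "exposed" means only that the attributes themselves do not prevent an OS write.

```python
import struct
import tempfile
from pathlib import Path

# Attribute bits from the UEFI specification (EFI_VARIABLE_*).
ATTRS = {
    0x01: "NON_VOLATILE", 0x02: "BOOTSERVICE_ACCESS",
    0x04: "RUNTIME_ACCESS", 0x08: "HARDWARE_ERROR_RECORD",
    0x10: "AUTHENTICATED_WRITE_ACCESS",
    0x20: "TIME_BASED_AUTHENTICATED_WRITE_ACCESS", 0x40: "APPEND_WRITE",
}
AUTH_MASK = 0x10 | 0x20

def parse_efivar(raw: bytes):
    """efivarfs layout: 4-byte little-endian attributes, then the data."""
    if len(raw) < 4:
        raise ValueError("efivarfs entry shorter than its attribute header")
    (attrs,) = struct.unpack_from("<I", raw)
    return attrs, raw[4:]

def audit(efivars_dir, name="MeSetup"):
    """Report every '<name>-<GUID>' entry and whether its attributes
    leave it reachable for unauthenticated writes from the OS."""
    findings = []
    for path in sorted(Path(efivars_dir).glob(f"{name}-*")):
        try:
            attrs, data = parse_efivar(path.read_bytes())
        except (OSError, ValueError) as exc:
            findings.append({"entry": path.name, "error": str(exc)})
            continue
        findings.append({
            "entry": path.name,
            "attributes": [n for bit, n in ATTRS.items() if attrs & bit],
            "data_len": len(data),
            # Runtime-visible and not an authenticated variable: only a
            # firmware-side lock, which this read cannot see, blocks writes.
            "exposed": bool(attrs & 0x04) and not attrs & AUTH_MASK,
        })
    return findings

def demo():
    # Constructed sample: placeholder GUIDs, attributes NV|BS|RT, 16 data bytes.
    with tempfile.TemporaryDirectory() as d:
        entry = Path(d, "MeSetup-00000000-0000-0000-0000-000000000000")
        entry.write_bytes(struct.pack("<I", 0x07) + bytes(16))
        # Constructed truncated entry to exercise the error path.
        Path(d, "MeSetup-11111111-1111-1111-1111-111111111111").write_bytes(b"\x07")
        return audit(d)

if __name__ == "__main__":
    print(demo())
```

On a live system, call `audit("/sys/firmware/efi/efivars")`; an empty result means no variable with that name is exposed through efivarfs.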
Solution Information:
Intel Mobile Platforms:
Raptor Lake: Version 05.45.11.0033
Alder Lake-N: Version 05.44.45.0016
Alder Lake: Version 05.44.34.0055
Rocket Lake: Version 05.42.52.0028
Tiger Lake: Version 05.43.12.0057
Intel Server/Embedded Platforms:
Elkhart Lake: Version 05.45.07.0020
Alder Lake-N: Version 05.45.07.0003
AMD Platforms: Unaffected.
**Acknowledgements:**
Thanks to Sung-Min Kim, Jae-Min Kim, Chan-Ho Kim, Sang-Hyeon Park and Gwi-Hyeon Yang, 3rd party researchers, for reporting the vulnerability and engaging in this coordinated disclosure.
**Revision History:**
Revision 1.0, 08/08/2023: Initial Release