Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-22614

An issue was discovered in ChipsetSvcSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. There is insufficient input validation in BIOS Guard updates. An attacker can induce memory corruption in SMM by supplying malformed inputs to the BIOS Guard SMI handler.

Published

2023-04-11T21:15:17.680

Last Modified

2025-02-11T20:15:31.860

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 8.8 (HIGH)

Weaknesses

Type: Primary
CWE-787
Type: Secondary
CWE-787

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	insyde	insydeh2o	05.42.52.0026	Yes
Application	insyde	insydeh2o	05.43.01.0026	Yes
Application	insyde	insydeh2o	05.43.12.0056	Yes
Application	insyde	insydeh2o	05.44.34.0054	Yes
Application	insyde	insydeh2o	05.44.45.0015	Yes
Application	insyde	insydeh2o	05.44.45.0028	Yes

References

https://research.nccgroup.com/2023/04/11/stepping-insyde-system-management-mode/ Exploit, Third Party Advisory ([email protected])
https://www.insyde.com/security-pledge Vendor Advisory ([email protected])
https://www.insyde.com/security-pledge/SA-2023020 Vendor Advisory ([email protected])
https://research.nccgroup.com/2023/04/11/stepping-insyde-system-management-mode/ Exploit, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.insyde.com/security-pledge Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.insyde.com/security-pledge/SA-2023020 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)