CVE-2021-41839

An issue was discovered in NvmExpressDxe in the kernel 5.0 through 5.5 in Insyde InsydeH2O. Because of an Untrusted Pointer Dereference that causes SMM memory corruption, an attacker may be able to write fixed or predictable data to SMRAM. Exploiting this issue could lead to escalating privileges to SMM.

CVSS v3 8.2 HIGH
CVSS v2.0 4.6 MEDIUM

8.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.5 / Impact : 6.0

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

4.6^/10

CVSS v2.0 : MEDIUM

Vector : AV:L/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 3.9 / Impact : 6.4

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://cert-portal.siemens.com/productcert/pdf/ssa-306654.pdf	Third Party Advisory
https://security.netapp.com/advisory/ntap-20220217-0016/	Third Party Advisory
https://www.insyde.com/security-pledge	Vendor Advisory
https://www.insyde.com/security-pledge/SA-2022020	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:insyde:insydeh2o:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:a:insyde:insydeh2o:*:*:*:*:*:*:*:*

Configuration 3 (hide)

cpe:2.3:a:insyde:insydeh2o:*:*:*:*:*:*:*:*

Configuration 4 (hide)

cpe:2.3:a:insyde:insydeh2o:*:*:*:*:*:*:*:*

Configuration 5 (hide)

cpe:2.3:a:insyde:insydeh2o:*:*:*:*:*:*:*:*

History

08 Aug 2023, 14:22

Type	Values Removed	Values Added
CWE	~~CWE-476~~	CWE-119

29 Mar 2022, 16:35

Type	Values Removed	Values Added
References	~~(CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-306654.pdf -~~	(CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-306654.pdf - Third Party Advisory
References	~~(CONFIRM) https://security.netapp.com/advisory/ntap-20220217-0016/ -~~	(CONFIRM) https://security.netapp.com/advisory/ntap-20220217-0016/ - Third Party Advisory

24 Feb 2022, 15:15

Type	Values Removed	Values Added
References		(CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-306654.pdf -

18 Feb 2022, 00:15

Type	Values Removed	Values Added
References		(CONFIRM) https://security.netapp.com/advisory/ntap-20220217-0016/ -

09 Feb 2022, 17:58

Type	Values Removed	Values Added
CWE		CWE-476
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 4.6 v3 : 8.2
References	~~(MISC) https://www.insyde.com/security-pledge -~~	(MISC) https://www.insyde.com/security-pledge - Vendor Advisory
References	~~(MISC) https://www.insyde.com/security-pledge/SA-2022020 -~~	(MISC) https://www.insyde.com/security-pledge/SA-2022020 - Vendor Advisory
First Time		Insyde Insyde insydeh2o
CPE		cpe:2.3:a:insyde:insydeh2o::::::::

09 Feb 2022, 02:15

Type	Values Removed	Values Added
References		(MISC) https://www.insyde.com/security-pledge/SA-2022020 -
Summary	A vulnerability exists in SMM (System Management Mode) branch that registers a SWSMI handler that does not sufficiently check or validate the allocated table variable EFI_BOOT_SERVICES. This can be used by an attacker to overwrite address location of any of the functions (FreePool,LocateHandleBuffer,HandleProtocol) to the address location of arbitrary code controlled by the attacker. On system call to SWSMI handler, the arbitrary code can be triggered to execute.	An issue was discovered in NvmExpressDxe in the kernel 5.0 through 5.5 in Insyde InsydeH2O. Because of an Untrusted Pointer Dereference that causes SMM memory corruption, an attacker may be able to write fixed or predictable data to SMRAM. Exploiting this issue could lead to escalating privileges to SMM.

03 Feb 2022, 02:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-02-03 02:15

Updated : 2023-12-10 14:09

NVD link : CVE-2021-41839

Mitre link : CVE-2021-41839

CVE.ORG link : CVE-2021-41839

JSON object : View

Products Affected

insyde

insydeh2o

CWE

CWE-119

Improper Restriction of Operations within the Bounds of a Memory Buffer

{"id": "CVE-2021-41839", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.6, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.5}]}, "published": "2022-02-03T02:15:07.123", "references": [{"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-306654.pdf", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://security.netapp.com/advisory/ntap-20220217-0016/", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.insyde.com/security-pledge", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.insyde.com/security-pledge/SA-2022020", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-119"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in NvmExpressDxe in the kernel 5.0 through 5.5 in Insyde InsydeH2O. Because of an Untrusted Pointer Dereference that causes SMM memory corruption, an attacker may be able to write fixed or predictable data to SMRAM. Exploiting this issue could lead to escalating privileges to SMM."}, {"lang": "es", "value": "Se ha descubierto un problema en NvmExpressDxe en el kernel versi\u00f3n 5.0 hasta la versi\u00f3n 5.5 de InsydeH2O. Debido a una desviaci\u00f3n de puntero no fiable que provoca la corrupci\u00f3n de la memoria de SMM, un atacante podr\u00eda ser capaz de escribir datos fijos o predecibles en la SMRAM. La explotaci\u00f3n de este problema podr\u00eda llevar a escalar privilegios a SMM"}], "lastModified": "2023-08-08T14:22:24.967", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:insyde:insydeh2o:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A6D01558-E38E-4A46-94A7-6F43BECA2599", "versionEndExcluding": "5.16.25", "versionStartIncluding": "5.1"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:insyde:insydeh2o:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1E8E5C28-ACA1-46AC-B0C0-958B7805F75A", "versionEndExcluding": "5.26.25", "versionStartIncluding": "5.2"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:insyde:insydeh2o:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6AA45E92-34FA-4583-938D-2139F870034F", "versionEndExcluding": "5.35.25", "versionStartIncluding": "5.3"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:insyde:insydeh2o:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "81782BA4-3BE8-4C12-BBA1-584C7EF98358", "versionEndExcluding": "5.43.25", "versionStartIncluding": "5.4"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:insyde:insydeh2o:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3C233AD0-49AD-451B-8F5E-C807001C5FCF", "versionEndExcluding": "5.51.25", "versionStartIncluding": "5.5"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}