CVE-2021-43615

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2021-43615
An issue was discovered in HddPassword in Insyde InsydeH2O with kernel 5.1 before 05.16.23, 5.2 before 05.26.23, 5.3 before 05.35.23, 5.4 before 05.43.22, and 5.5 before 05.51.22. An SMM memory corruption vulnerability allows an attacker to write fixed or predictable data to SMRAM. Exploiting this issue could lead to escalating privileges to SMM.

8.2 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.5 / Impact : 6.0

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

7.2 /10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:L/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 3.9 / Impact : 10.0

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References
Link Resource
https://cert-portal.siemens.com/productcert/pdf/ssa-306654.pdf Third Party Advisory
https://security.netapp.com/advisory/ntap-20220216-0010/ Third Party Advisory
https://www.insyde.com/security-pledge Vendor Advisory
https://www.insyde.com/security-pledge/SA-2022013 Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:insyde:insydeh2o:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:a:insyde:insydeh2o:*:*:*:*:*:*:*:*

Configuration 3 (hide)

cpe:2.3:a:insyde:insydeh2o:*:*:*:*:*:*:*:*
History

29 Mar 2022, 16:05

Type Values Removed Values Added
References (CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-306654.pdf - (CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-306654.pdf - Third Party Advisory
References (CONFIRM) https://security.netapp.com/advisory/ntap-20220216-0010/ - (CONFIRM) https://security.netapp.com/advisory/ntap-20220216-0010/ - Third Party Advisory

24 Feb 2022, 15:15

Type Values Removed Values Added
References
  • (CONFIRM) https://cert-portal.siemens.com/productcert/pdf/ssa-306654.pdf -

17 Feb 2022, 01:15

Type Values Removed Values Added
References
  • (CONFIRM) https://security.netapp.com/advisory/ntap-20220216-0010/ -

09 Feb 2022, 17:50

Type Values Removed Values Added
CWE NVD-CWE-noinfo CWE-787
CVSS v2 : 7.5
v3 : 9.8 		v2 : 7.2
v3 : 8.2
References (MISC) https://www.insyde.com/security-pledge/SA-2022013 - (MISC) https://www.insyde.com/security-pledge/SA-2022013 - Vendor Advisory

09 Feb 2022, 03:15

Type Values Removed Values Added
References
  • (MISC) https://www.insyde.com/security-pledge/SA-2022013 -
Summary SMM callout vulnerability allowing a possible attacker to hijack execution flow of a code running in System Management Mode. Exploiting this issue could lead to escalating privileges to SMM. An issue was discovered in HddPassword in Insyde InsydeH2O with kernel 5.1 before 05.16.23, 5.2 before 05.26.23, 5.3 before 05.35.23, 5.4 before 05.43.22, and 5.5 before 05.51.22. An SMM memory corruption vulnerability allows an attacker to write fixed or predictable data to SMRAM. Exploiting this issue could lead to escalating privileges to SMM.

08 Feb 2022, 16:07

Type Values Removed Values Added
References (MISC) https://www.insyde.com/security-pledge - (MISC) https://www.insyde.com/security-pledge - Vendor Advisory
CWE NVD-CWE-noinfo
First Time Insyde
Insyde insydeh2o
CVSS v2 : unknown
v3 : unknown 		v2 : 7.5
v3 : 9.8
CPE cpe:2.3:a:insyde:insydeh2o:*:*:*:*:*:*:*:*

03 Feb 2022, 02:15

Type Values Removed Values Added
New CVE
Information

Published : 2022-02-03 02:15

Updated : 2023-12-10 14:09

NVD link : CVE-2021-43615

Mitre link : CVE-2021-43615

CVE.ORG link : CVE-2021-43615

JSON object : View

Products Affected

insyde

  • insydeh2o
CWE
CWE-787

Out-of-bounds Write