CVE-2022-30283

{"id": "CVE-2022-30283", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 0.8}]}, "published": "2022-11-15T21:15:36.810", "references": [{"url": "https://www.insyde.com/security-pledge", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.insyde.com/security-pledge/SA-2022063", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-367"}]}], "descriptions": [{"lang": "en", "value": "In UsbCoreDxe, tampering with the contents of the USB working buffer using DMA while certain USB transactions are in process leads to a TOCTOU problem that could be used by an attacker to cause SMRAM corruption and escalation of privileges The UsbCoreDxe module creates a working buffer for USB transactions outside of SMRAM. The code which uses can be inside of SMM, making the working buffer untrusted input. The buffer can be corrupted by DMA transfers. The SMM code code attempts to sanitize pointers to ensure all pointers refer to the working buffer, but when a pointer is not found in the list of pointers to sanitize, the current action is not aborted, leading to undefined behavior. This issue was discovered by Insyde engineering based on the general description provided by Intel's iSTARE group. Fixed in: Kernel 5.0: Version 05.09. 21 Kernel 5.1: Version 05.17.21 Kernel 5.2: Version 05.27.21 Kernel 5.3: Version 05.36.21 Kernel 5.4: Version 05.44.21 Kernel 5.5: Version 05.52.21 https://www.insyde.com/security-pledge/SA-2022063"}, {"lang": "es", "value": "En UsbCoreDxe, la manipulaci\u00f3n del contenido del b\u00fafer de trabajo USB usando DMA mientras ciertas transacciones USB est\u00e1n en proceso conduce a un problema TOCTOU que podr\u00eda ser utilizado por un atacante para causar corrupci\u00f3n SMRAM y escalada de privilegios. El m\u00f3dulo UsbCoreDxe crea un b\u00fafer de trabajo para transacciones USB fuera de SMRAM. El c\u00f3digo que se utiliza puede estar dentro de SMM, lo que hace que el b\u00fafer de trabajo sea una entrada no confiable. El b\u00fafer puede resultar da\u00f1ado por las transferencias DMA. El c\u00f3digo SMM intenta sanitizar los punteros para garantizar que todos los punteros se refieran al b\u00fafer de trabajo, pero cuando no se encuentra un puntero en la lista de punteros para sanitizar la acci\u00f3n actual no se cancela, lo que genera un comportamiento indefinido. Este problema fue descubierto por ingenier\u00eda de Insyde bas\u00e1ndose en la descripci\u00f3n general proporcionada por el grupo iSTARE de Intel. Corregido en: Kernel 5.0: Versi\u00f3n 05.09. 21 Kernel 5.1: Versi\u00f3n 05.17.21 Kernel 5.2: Versi\u00f3n 05.27.21 Kernel 5.3: Versi\u00f3n 05.36.21 Kernel 5.4: Versi\u00f3n 05.44.21 Kernel 5.5: Versi\u00f3n 05.52.21 \nhttps://www.insyde.com/security-pledge/SA-2022063"}], "lastModified": "2022-11-23T16:33:52.647", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:insyde:kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8F771B7F-6A86-4EF3-9AD4-22A7A9679BDE", "versionEndExcluding": "5.0.05.09.21", "versionStartIncluding": "5.0"}, {"criteria": "cpe:2.3:o:insyde:kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6606DD2A-0C65-4D84-B301-313850F7A631", "versionEndExcluding": "5.1.05.17.21", "versionStartIncluding": "5.1"}, {"criteria": "cpe:2.3:o:insyde:kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B66937EE-AE21-45AD-8FE1-2580A5CD23B1", "versionEndExcluding": "5.2.05.27.21", "versionStartIncluding": "5.2"}, {"criteria": "cpe:2.3:o:insyde:kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "23089DD9-DF12-4732-B201-D1EBDBB1D53A", "versionEndExcluding": "5.3.05.36.21", "versionStartIncluding": "5.3"}, {"criteria": "cpe:2.3:o:insyde:kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4996E78F-CF7A-49A7-86D8-99904B50CBE2", "versionEndExcluding": "5.4.05.44.21", "versionStartIncluding": "5.4"}, {"criteria": "cpe:2.3:o:insyde:kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7DF5BB25-36A1-49C2-8AFB-A78E18A322ED", "versionEndExcluding": "5.5.05.52.21", "versionStartIncluding": "5.5"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}