CVE-2022-32469

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the PnpSmm shared buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the firmware block services data to SMRAM before checking it.

CVSS v3 7.0 HIGH

7.0^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.0 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.insyde.com/security-pledge	Vendor Advisory
https://www.insyde.com/security-pledge/SA-2023001	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:insyde:insydeh2o::::::::
	cpe:2.3:a:insyde:insydeh2o::::::::
	cpe:2.3:a:insyde:insydeh2o::::::::
	cpe:2.3:a:insyde:insydeh2o::::::::

History

25 Feb 2023, 03:26

Type	Values Removed	Values Added
CPE		cpe:2.3:a:insyde:insydeh2o::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.0
First Time		Insyde insydeh2o Insyde
References	~~(MISC) https://www.insyde.com/security-pledge/SA-2023001 -~~	(MISC) https://www.insyde.com/security-pledge/SA-2023001 - Vendor Advisory
References	~~(MISC) https://www.insyde.com/security-pledge -~~	(MISC) https://www.insyde.com/security-pledge - Vendor Advisory
CWE		CWE-367

15 Feb 2023, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-02-15 14:15

Updated : 2023-12-10 14:48

NVD link : CVE-2022-32469

Mitre link : CVE-2022-32469

CVE.ORG link : CVE-2022-32469

JSON object : View

Products Affected

insyde

insydeh2o

CWE

CWE-367

Time-of-check Time-of-use (TOCTOU) Race Condition

{"id": "CVE-2022-32469", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.0, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.0}]}, "published": "2023-02-15T14:15:11.870", "references": [{"url": "https://www.insyde.com/security-pledge", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.insyde.com/security-pledge/SA-2023001", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-367"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the PnpSmm shared buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the firmware block services data to SMRAM before checking it."}], "lastModified": "2023-02-25T03:26:50.503", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:insyde:insydeh2o:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D6C3C426-2AC3-4262-8D21-DCB1E917982A", "versionEndExcluding": "5.2.05.27.27", "versionStartIncluding": "5.0"}, {"criteria": "cpe:2.3:a:insyde:insydeh2o:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BDA39709-236A-4508-BCD7-5A73BC9C4755", "versionEndExcluding": "5.3.05.36.27", "versionStartIncluding": "5.3"}, {"criteria": "cpe:2.3:a:insyde:insydeh2o:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F3205474-FF44-4F1B-BA6D-5572F4C76096", "versionEndExcluding": "5.4.05.44.27", "versionStartIncluding": "5.4"}, {"criteria": "cpe:2.3:a:insyde:insydeh2o:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DBCE8A4F-8DD2-46E4-BCFA-ACDB1CFD555E", "versionEndExcluding": "5.5.05.52.27", "versionStartIncluding": "5.5"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}