CVE-2022-32474

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the StorageSecurityCommandDxe shared buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the firmware block services data to SMRAM before checking it.

CVSS v3 7.0 HIGH

7.0^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.0 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.insyde.com/security-pledge	Vendor Advisory
https://www.insyde.com/security-pledge/SA-2023006	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:insyde:insydeh2o::::::::
	cpe:2.3:a:insyde:insydeh2o::::::::
	cpe:2.3:a:insyde:insydeh2o::::::::
	cpe:2.3:a:insyde:insydeh2o::::::::
	cpe:2.3:a:insyde:insydeh2o::::::::
	cpe:2.3:a:insyde:insydeh2o::::::::

History

23 Feb 2023, 18:18

Type	Values Removed	Values Added
CPE		cpe:2.3:a:insyde:insydeh2o::::::::
CWE		CWE-367
First Time		Insyde insydeh2o Insyde
References	~~(MISC) https://www.insyde.com/security-pledge -~~	(MISC) https://www.insyde.com/security-pledge - Vendor Advisory
References	~~(MISC) https://www.insyde.com/security-pledge/SA-2023006 -~~	(MISC) https://www.insyde.com/security-pledge/SA-2023006 - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.0

15 Feb 2023, 02:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-02-15 02:15

Updated : 2023-12-10 14:48

NVD link : CVE-2022-32474

Mitre link : CVE-2022-32474

CVE.ORG link : CVE-2022-32474

JSON object : View

Products Affected

insyde

insydeh2o

CWE

CWE-367

Time-of-check Time-of-use (TOCTOU) Race Condition

{"id": "CVE-2022-32474", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.0, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.0}]}, "published": "2023-02-15T02:15:09.737", "references": [{"url": "https://www.insyde.com/security-pledge", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.insyde.com/security-pledge/SA-2023006", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-367"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the StorageSecurityCommandDxe shared buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated using IOMMU protection for the ACPI runtime memory used for the command buffer. This attack can be mitigated by copying the firmware block services data to SMRAM before checking it."}], "lastModified": "2023-02-23T18:18:07.173", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:insyde:insydeh2o:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "35B25166-CFDA-48AB-8D28-A88235C773E0", "versionEndExcluding": "5.0.05.09.42", "versionStartIncluding": "5.0"}, {"criteria": "cpe:2.3:a:insyde:insydeh2o:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0E82F913-8EB3-47C3-99CE-F8BECBBB9A94", "versionEndExcluding": "5.1.05.17.42", "versionStartIncluding": "5.1"}, {"criteria": "cpe:2.3:a:insyde:insydeh2o:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5ACAB668-D295-454A-B418-B499B635A901", "versionEndExcluding": "5.2.05.27.38", "versionStartIncluding": "5.2"}, {"criteria": "cpe:2.3:a:insyde:insydeh2o:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "366BB5C1-680F-4CD3-A3DB-E14EF5928D67", "versionEndExcluding": "5.3.05.36.38", "versionStartIncluding": "5.3"}, {"criteria": "cpe:2.3:a:insyde:insydeh2o:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A5D09C74-8FD5-4505-809A-D1ABCA54ED8B", "versionEndExcluding": "5.4.05.44.38", "versionStartIncluding": "5.4"}, {"criteria": "cpe:2.3:a:insyde:insydeh2o:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6119B555-7F5F-474C-9C8D-0B26C439137A", "versionEndExcluding": "5.5.05.52.38", "versionStartIncluding": "5.5"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}