CVE-2022-35408

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. An SMM callout vulnerability in the SMM driver in UsbLegacyControlSmm leads to possible arbitrary code execution in SMM and escalation of privileges. An attacker could overwrite the function pointers in the EFI_BOOT_SERVICES table before the USB SMI handler triggers. (This is not exploitable from code running in the operating system.)

CVSS v3 8.2 HIGH

8.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.5 / Impact : 6.0

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://binarly.io/advisories/BRLY-2022-022/index.html	Exploit Third Party Advisory
https://www.insyde.com/security-pledge	Vendor Advisory
https://www.insyde.com/security-pledge/SA-2022031	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:insyde:insydeh2o:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:a:insyde:insydeh2o:*:*:*:*:*:*:*:*

Configuration 3 (hide)

cpe:2.3:a:insyde:insydeh2o:*:*:*:*:*:*:*:*

Configuration 4 (hide)

cpe:2.3:a:insyde:insydeh2o:*:*:*:*:*:*:*:*

Configuration 5 (hide)

cpe:2.3:a:insyde:insydeh2o:*:*:*:*:*:*:*:*

Configuration 6 (hide)

cpe:2.3:a:insyde:insydeh2o:*:*:*:*:*:*:*:*

History

23 Sep 2022, 19:03

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.2
CPE		cpe:2.3:a:insyde:insydeh2o::::::::
CWE		NVD-CWE-noinfo
First Time		Insyde insydeh2o Insyde
References	~~(MISC) https://binarly.io/advisories/BRLY-2022-022/index.html -~~	(MISC) https://binarly.io/advisories/BRLY-2022-022/index.html - Exploit, Third Party Advisory
References	~~(MISC) https://www.insyde.com/security-pledge/SA-2022031 -~~	(MISC) https://www.insyde.com/security-pledge/SA-2022031 - Vendor Advisory
References	~~(MISC) https://www.insyde.com/security-pledge -~~	(MISC) https://www.insyde.com/security-pledge - Vendor Advisory

22 Sep 2022, 16:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-09-22 16:15

Updated : 2023-12-10 14:35

NVD link : CVE-2022-35408

Mitre link : CVE-2022-35408

CVE.ORG link : CVE-2022-35408

JSON object : View

Products Affected

insyde

insydeh2o

CWE

NVD-CWE-noinfo

{"id": "CVE-2022-35408", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.5}]}, "published": "2022-09-22T16:15:09.607", "references": [{"url": "https://binarly.io/advisories/BRLY-2022-022/index.html", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.insyde.com/security-pledge", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.insyde.com/security-pledge/SA-2022031", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. An SMM callout vulnerability in the SMM driver in UsbLegacyControlSmm leads to possible arbitrary code execution in SMM and escalation of privileges. An attacker could overwrite the function pointers in the EFI_BOOT_SERVICES table before the USB SMI handler triggers. (This is not exploitable from code running in the operating system.)"}, {"lang": "es", "value": "Se ha detectado un problema en InsydeH2O con el kernel versiones 5.0 hasta 5.5. Una vulnerabilidad de llamada de SMM en el controlador de SMM en UsbLegacyControlSmm conlleva a una posible ejecuci\u00f3n de c\u00f3digo arbitrario en SMM y una escalada de privilegios. Un atacante podr\u00eda sobrescribir los punteros de las funciones en la tabla EFI_BOOT_SERVICES antes de que sea desencadenado el manejador USB SMI. (Esto no es explotable desde el c\u00f3digo que es ejecutado en el sistema operativo)"}], "lastModified": "2022-09-23T19:03:53.900", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:insyde:insydeh2o:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "87B612AD-AE25-4629-BE89-0904758E8AD9", "versionEndExcluding": "5.17.38", "versionStartIncluding": "5.1"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:insyde:insydeh2o:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A349ED7A-EA27-47B2-87CD-998519DC5F20", "versionEndExcluding": "05.27.28", "versionStartIncluding": "5.2"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:insyde:insydeh2o:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "86B775B3-CECB-4A8C-A0E4-731F593B27FF", "versionEndExcluding": "05.36.28", "versionStartIncluding": "5.3"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:insyde:insydeh2o:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3807A85F-99DE-43C6-8B71-21CCFA20CA9D", "versionEndExcluding": "05.44.28", "versionStartIncluding": "5.4"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:insyde:insydeh2o:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E2370FE6-C1BB-4F61-8BE6-898A8964C61D", "versionEndExcluding": "05.52.28", "versionStartIncluding": "5.5"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:insyde:insydeh2o:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "65BF9975-8417-4C96-92C7-7A9863AF7E0A", "versionEndExcluding": "05.09.38", "versionStartIncluding": "5.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}