CVE-2022-35897

An stack buffer overflow vulnerability leads to arbitrary code execution issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. If the attacker modifies specific UEFI variables, it can cause a stack overflow, leading to arbitrary code execution. The specific variables are normally locked (read-only) at the OS level and therefore an attack would require direct SPI modification. If an attacker can change the values of at least two variables out of three (SecureBootEnforce, SecureBoot, RestoreBootSettings), it is possible to execute arbitrary code.

CVSS v3 6.8 MEDIUM

6.8^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.9 / Impact : 5.9

Attack Vector PHYSICAL

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.insyde.com/security-pledge	Vendor Advisory
https://www.insyde.com/security-pledge/SA-2022041	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:o:insyde:kernel:*:*:*:*:*:*:*:*

History

30 Nov 2022, 18:49

Type	Values Removed	Values Added
References	~~(MISC) https://www.insyde.com/security-pledge -~~	(MISC) https://www.insyde.com/security-pledge - Vendor Advisory
References	~~(MISC) https://www.insyde.com/security-pledge/SA-2022041 -~~	(MISC) https://www.insyde.com/security-pledge/SA-2022041 - Vendor Advisory
First Time		Insyde kernel Insyde
CWE		CWE-787
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.8
CPE		cpe:2.3:o:insyde:kernel::::::::

21 Nov 2022, 18:29

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-11-21 17:15

Updated : 2023-12-10 14:48

NVD link : CVE-2022-35897

Mitre link : CVE-2022-35897

CVE.ORG link : CVE-2022-35897

JSON object : View

Products Affected

insyde

kernel

CWE

CWE-787

Out-of-bounds Write

{"id": "CVE-2022-35897", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.9}]}, "published": "2022-11-21T17:15:25.280", "references": [{"url": "https://www.insyde.com/security-pledge", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.insyde.com/security-pledge/SA-2022041", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "An stack buffer overflow vulnerability leads to arbitrary code execution issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. If the attacker modifies specific UEFI variables, it can cause a stack overflow, leading to arbitrary code execution. The specific variables are normally locked (read-only) at the OS level and therefore an attack would require direct SPI modification. If an attacker can change the values of at least two variables out of three (SecureBootEnforce, SecureBoot, RestoreBootSettings), it is possible to execute arbitrary code."}, {"lang": "es", "value": "Se descubri\u00f3 una vulnerabilidad de desbordamiento del b\u00fafer que provoca un problema de ejecuci\u00f3n de c\u00f3digo arbitrario en Insyde InsydeH2O con kernel 5.0 a 5.5. Si el atacante modifica variables UEFI espec\u00edficas, puede provocar un desbordamiento de la pila, lo que lleva a la ejecuci\u00f3n de c\u00f3digo arbitrario. Las variables espec\u00edficas normalmente est\u00e1n bloqueadas (de solo lectura) a nivel del sistema operativo y, por lo tanto, un ataque requerir\u00eda una modificaci\u00f3n directa del SPI. Si un atacante puede cambiar los valores de al menos dos variables de tres (SecureBootEnforce, SecureBoot, RestoreBootSettings), es posible ejecutar c\u00f3digo arbitrario."}], "lastModified": "2022-11-30T18:49:41.047", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:insyde:kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DC5100FC-51F0-48D6-A4F0-782F1281DBF3", "versionEndIncluding": "5.5", "versionStartIncluding": "5.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}