Vulnerability Details : CVE-2017-3197
Potential exploit
GIGABYTE BRIX UEFI firmware for the GB-BSi7H-6500 (version F6) and GB-BXi7-5775 (version F2) platforms does not securely implement BIOSWE, BLE, SMM_BWP, and PRx features. As a result, the BIOS is not protected from arbitrary write access and may permit modifications to the SPI flash.
Vulnerability category: Input validation
Products affected by CVE-2017-3197
- cpe:2.3:o:gigabyte:gb-bsi7h-6500_firmware:f6:*:*:*:*:*:*:*
- cpe:2.3:o:gigabyte:gb-bxi7-5775_firmware:f2:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-3197
1.00%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 83 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2017-3197
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
10.0
|
HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C |
10.0
|
10.0
|
NIST | |
9.8
|
CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2017-3197
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: nvd@nist.gov (Primary)
-
The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.Assigned by: cret@cert.org (Secondary)
References for CVE-2017-3197
-
http://www.securityfocus.com/bid/97294
Multiple GIGABYTE Products VU#507496 Multiple Security Bypass VulnerabilitiesThird Party Advisory;VDB Entry
-
https://www.cylance.com/en_us/blog/gigabyte-brix-systems-vulnerabilities.html
Researchers Disclose Vulnerabilities in GIGABYTE BRIX SystemsExploit;Third Party Advisory
-
https://github.com/CylanceVulnResearch/disclosures/blob/master/CLVA-2017-01-001.md
disclosures/CLVA-2017-01-001.md at master · CylanceVulnResearch/disclosures · GitHubExploit;Third Party Advisory
-
https://www.kb.cert.org/vuls/id/507496
VU#507496 - GIGABYTE BRIX UEFI firmware fails to implement write protection and is not cryptographically signedThird Party Advisory;US Government Resource
-
https://github.com/CylanceVulnResearch/disclosures/blob/master/CLVA-2017-01-002.md
disclosures/CLVA-2017-01-002.md at master · CylanceVulnResearch/disclosures · GitHubExploit;Third Party Advisory
Jump to