Vulnerability Details : CVE-2017-3198
GIGABYTE BRIX UEFI firmware does not cryptographically validate images prior to updating the system firmware. Additionally, the firmware updates are served over HTTP. An attacker can make arbitrary modifications to firmware images without being detected.
Products affected by CVE-2017-3198
- cpe:2.3:o:gigabyte:gb-bsi7h-6500_firmware:f6:*:*:*:*:*:*:*
- cpe:2.3:o:gigabyte:gb-bxi7-5775_firmware:f2:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-3198
1.04%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 82 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2017-3198
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
10.0
|
HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C |
10.0
|
10.0
|
NIST | |
9.8
|
CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2017-3198
-
The product does not encrypt sensitive or critical information before storage or transmission.Assigned by: nvd@nist.gov (Primary)
-
The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.Assigned by: cret@cert.org (Secondary)
-
The product does not verify, or incorrectly verifies, the cryptographic signature for data.Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-3198
-
http://www.securityfocus.com/bid/97294
Multiple GIGABYTE Products VU#507496 Multiple Security Bypass VulnerabilitiesThird Party Advisory;VDB Entry
-
https://www.cylance.com/en_us/blog/gigabyte-brix-systems-vulnerabilities.html
Researchers Disclose Vulnerabilities in GIGABYTE BRIX SystemsExploit;Third Party Advisory
-
https://www.kb.cert.org/vuls/id/507496
VU#507496 - GIGABYTE BRIX UEFI firmware fails to implement write protection and is not cryptographically signedThird Party Advisory;US Government Resource
Jump to