Vulnerability Details : CVE-2023-22614
An issue was discovered in ChipsetSvcSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. There is insufficient input validation in BIOS Guard updates. An attacker can induce memory corruption in SMM by supplying malformed inputs to the BIOS Guard SMI handler.
Vulnerability category: Memory Corruption
Products affected by CVE-2023-22614
- cpe:2.3:a:insyde:insydeh2o:05.42.52.0026:*:*:*:*:*:*:*
- cpe:2.3:a:insyde:insydeh2o:05.43.01.0026:*:*:*:*:*:*:*
- cpe:2.3:a:insyde:insydeh2o:05.43.12.0056:*:*:*:*:*:*:*
- cpe:2.3:a:insyde:insydeh2o:05.44.34.0054:*:*:*:*:*:*:*
- cpe:2.3:a:insyde:insydeh2o:05.44.45.0015:*:*:*:*:*:*:*
- cpe:2.3:a:insyde:insydeh2o:05.44.45.0028:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-22614
0.08%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 34 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-22614
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
8.8
|
HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
2.0
|
6.0
|
NIST |
CWE ids for CVE-2023-22614
-
The product writes data past the end, or before the beginning, of the intended buffer.Assigned by: nvd@nist.gov (Primary)
References for CVE-2023-22614
-
https://www.insyde.com/security-pledge
Insyde's Security Pledge | Insyde SoftwareVendor Advisory
-
https://www.insyde.com/security-pledge/SA-2023020
Insyde Security Advisory 2023020 | Insyde SoftwareVendor Advisory
-
https://research.nccgroup.com/2023/04/11/stepping-insyde-system-management-mode/
Stepping Insyde System Management Mode | NCC Group Research Blog | Making the world safer and more secureExploit;Third Party Advisory
Jump to