Privilege escalation in Insyde software for mobile platforms
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Stack-based buffer overflow
EUVDB-ID: #VU82610
Risk: Low
CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-39281
CWE-ID:
CWE-121 - Stack-based buffer overflow
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error in AsfSecureBootDxe. A local user can trigger a stack-based buffer overflow and execute arbitrary code during DXE phase during DXE phase.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMehlow: All versions
Mehlow-R(CFL-S): All versions
Tatlow (RKS): All versions
Raptor Lake: before 05.45.24.0039
Alder Lake N: before 05.45.38.0005
Alder Lake: before 05.44.34.0055
Phoenix FP7_FP8 / Hawk Point 5.5: before 05.53.28.0013
Dragon Range: before 05.53.23.0011
Mendocino: before 05.53.23.0014
Raphael: before 05.53.22.0008
Rembrandt: before 05.44.30.0022
VanGogh: before 05.43.06.0021
Barcelo: before 05.42.37.0031
Cezanne: before 05.42.37.0031
Lucienne: before 05.42.37.0031
External linkshttp://www.insyde.com/security-pledge/SA-2023054
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
