Vulnerability identifier: #VU82610

Vulnerability risk: Low

CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-39281

CWE-ID: CWE-121

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Mehlow
Mobile applications / Mobile firmware & hardware
Mehlow-R(CFL-S)
Mobile applications / Mobile firmware & hardware
Tatlow (RKS)
Mobile applications / Mobile firmware & hardware
Raptor Lake
Mobile applications / Mobile firmware & hardware
Alder Lake N
Mobile applications / Mobile firmware & hardware
Alder Lake
Mobile applications / Mobile firmware & hardware
Phoenix FP7_FP8 / Hawk Point 5.5
Mobile applications / Mobile firmware & hardware
Dragon Range
Mobile applications / Mobile firmware & hardware
Mendocino
Mobile applications / Mobile firmware & hardware
Raphael
Mobile applications / Mobile firmware & hardware
Rembrandt
Mobile applications / Mobile firmware & hardware
VanGogh
Mobile applications / Mobile firmware & hardware
Barcelo
Mobile applications / Mobile firmware & hardware
Cezanne
Mobile applications / Mobile firmware & hardware
Lucienne
Mobile applications / Mobile firmware & hardware

Vendor: Insyde Software

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error in AsfSecureBootDxe. A local user can trigger a stack-based buffer overflow and execute arbitrary code during DXE phase during DXE phase.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Mehlow: All versions

Mehlow-R(CFL-S): All versions

Tatlow (RKS): All versions

---

External links
http://www.insyde.com/security-pledge/SA-2023054

---

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.