Details of VAR-202106-0358

ID

VAR-202106-0358

CVE

CVE-2020-27339

TITLE

InsydeH2O UEFI software impacted by multiple vulnerabilities in SMM

Trust: 0.8

sources: CERT/CC: VU#796611

DESCRIPTION

In the kernel in Insyde InsydeH2O 5.x, certain SMM drivers did not correctly validate the CommBuffer and CommBufferSize parameters, allowing callers to corrupt either the firmware or the OS memory. The fixed versions for this issue in the AhciBusDxe, IdeBusDxe, NvmExpressDxe, SdHostDriverDxe, and SdMmcDeviceDxe drivers are 05.16.25, 05.26.25, 05.35.25, 05.43.25, and 05.51.25 (for Kernel 5.1 through 5.5). The InsydeH2O Hardware-2-Operating System (H2O) UEFI firmware contains multiple vulnerabilities related to memory management in System Management Mode (SMM).Vulnerability Category Count SMM Privilege Escalation 10 SMM Memory Corruption 12 DXE Memory Corruption 1CVE-2020-27339 Affected CVE-2020-5953 Affected CVE-2021-33625 Affected CVE-2021-33626 Affected CVE-2021-33627 Affected CVE-2021-41837 Affected CVE-2021-41838 Affected CVE-2021-41839 Affected CVE-2021-41840 Affected CVE-2021-41841 Affected CVE-2021-42059 Affected CVE-2021-42060 Not Affected CVE-2021-42113 Affected CVE-2021-42554 Affected CVE-2021-43323 Affected CVE-2021-43522 Affected CVE-2021-43615 Not Affected CVE-2021-45969 Not Affected CVE-2021-45970 Not Affected CVE-2021-45971 Not Affected CVE-2022-24030 Not Affected CVE-2022-24031 Not Affected CVE-2022-24069 Not Affected CVE-2022-28806 Unknown. Insyde InsydeH2O Contains a privilege management vulnerability.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state

Trust: 2.34

sources: NVD: CVE-2020-27339 // CERT/CC: VU#796611 // JVNDB: JVNDB-2021-007558

AFFECTED PRODUCTS

vendor:	siemens	model:	simatic ipc377g	scope:	eq	version:	-	Trust: 1.0
vendor:	siemens	model:	simatic itp1000	scope:	eq	version:	-	Trust: 1.0
vendor:	insyde	model:	insydeh2o	scope:	lt	version:	5.25.44	Trust: 1.0
vendor:	insyde	model:	insydeh2o	scope:	gte	version:	5.2	Trust: 1.0
vendor:	siemens	model:	simatic ipc647e	scope:	eq	version:	-	Trust: 1.0
vendor:	insyde	model:	insydeh2o	scope:	lt	version:	5.35.25	Trust: 1.0
vendor:	insyde	model:	insydeh2o	scope:	lt	version:	5.43.25	Trust: 1.0
vendor:	siemens	model:	simatic field pg m6	scope:	eq	version:	-	Trust: 1.0
vendor:	siemens	model:	ruggedcom apr1808	scope:	eq	version:	-	Trust: 1.0
vendor:	siemens	model:	simatic ipc477e	scope:	eq	version:	-	Trust: 1.0
vendor:	insyde	model:	insydeh2o	scope:	gte	version:	5.4	Trust: 1.0
vendor:	siemens	model:	simatic ipc627e	scope:	eq	version:	-	Trust: 1.0
vendor:	siemens	model:	simatic ipc847e	scope:	eq	version:	-	Trust: 1.0
vendor:	siemens	model:	simatic field pg m5	scope:	eq	version:	-	Trust: 1.0
vendor:	insyde	model:	insydeh2o	scope:	gte	version:	5.1	Trust: 1.0
vendor:	siemens	model:	simatic ipc677e	scope:	eq	version:	-	Trust: 1.0
vendor:	insyde	model:	insydeh2o	scope:	lt	version:	5.26.25	Trust: 1.0
vendor:	siemens	model:	simatic ipc227g	scope:	eq	version:	-	Trust: 1.0
vendor:	insyde	model:	insydeh2o	scope:	gte	version:	5.3	Trust: 1.0
vendor:	insyde	model:	insydeh2o	scope:	lt	version:	5.16.25	Trust: 1.0
vendor:	siemens	model:	simatic ipc427e	scope:	eq	version:	-	Trust: 1.0
vendor:	insyde	model:	insydeh2o	scope:	lt	version:	5.34.44	Trust: 1.0
vendor:	siemens	model:	simatic ipc327g	scope:	eq	version:	-	Trust: 1.0
vendor:	siemens	model:	simatic ipc127e	scope:	eq	version:	-	Trust: 1.0
vendor:	insyde	model:	insydeh2o	scope:	lt	version:	5.42.44	Trust: 1.0
vendor:	siemens	model:	simatic ipc277g	scope:	eq	version:	-	Trust: 1.0
vendor:	siemens	model:	simatic ipc477e pro	scope:	eq	version:	-	Trust: 1.0
vendor:	insyde	model:	insydeh2o	scope:	-	version:	-	Trust: 0.8
vendor:	insyde	model:	insydeh2o	scope:	eq	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2021-007558 // NVD: CVE-2020-27339

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD:	CVE-2020-27339
value:	MEDIUM
Trust: 1.8
CNNVD:	CNNVD-202106-1324
value:	MEDIUM
Trust: 0.6

NVD:
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	FALSE
obtainAllPrivilege:	FALSE
obtainUserPrivilege:	FALSE
obtainOtherPrivilege:	FALSE
userInteractionRequired:	FALSE
version:	2.0
Trust: 1.0
NVD:	CVE-2020-27339
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8

NVD:
baseSeverity:	MEDIUM
baseScore:	6.7
vectorString:	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	0.8
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2020-27339
baseSeverity:	MEDIUM
baseScore:	6.7
vectorString:	CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2021-007558 // NVD: CVE-2020-27339 // CNNVD: CNNVD-202106-1324

PROBLEMTYPE DATA

problemtype:	CWE-20	Trust: 1.0
problemtype:	Improper authority management (CWE-269) [NVD Evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2021-007558 // NVD: CVE-2020-27339

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202106-1324

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-202106-1324

CONFIGURATIONS

sources: NVD: CVE-2020-27339

PATCH

title:

INSYDE-SA-2021001

url:

https://www.insyde.com/security-pledge/sa-2021001

Trust: 0.8

sources: JVNDB: JVNDB-2021-007558

EXTERNAL IDS

db:	NVD	id:	CVE-2020-27339	Trust: 4.0
db:	SIEMENS	id:	SSA-306654	Trust: 1.6
db:	CERT/CC	id:	VU#796611	Trust: 0.8
db:	JVN	id:	JVNVU98748974	Trust: 0.8
db:	JVN	id:	JVNVU97136454	Trust: 0.8
db:	JVNDB	id:	JVNDB-2021-007558	Trust: 0.8
db:	LENOVO	id:	LEN-73436	Trust: 0.6
db:	CNNVD	id:	CNNVD-202106-1324	Trust: 0.6

sources: CERT/CC: VU#796611 // JVNDB: JVNDB-2021-007558 // NVD: CVE-2020-27339 // CNNVD: CNNVD-202106-1324

REFERENCES

url:	https://cert-portal.siemens.com/productcert/pdf/ssa-306654.pdf	Trust: 1.6
url:	https://security.netapp.com/advisory/ntap-20220216-0005/	Trust: 1.6
url:	https://www.insyde.com/security-pledge/sa-2021001	Trust: 1.6
url:	cve-2020-27339	Trust: 0.8
url:	cve-2020-5953	Trust: 0.8
url:	cve-2021-33625	Trust: 0.8
url:	cve-2021-33626	Trust: 0.8
url:	cve-2021-33627	Trust: 0.8
url:	cve-2021-41837	Trust: 0.8
url:	cve-2021-41838	Trust: 0.8
url:	cve-2021-41839	Trust: 0.8
url:	cve-2021-41840	Trust: 0.8
url:	cve-2021-41841	Trust: 0.8
url:	cve-2021-42059	Trust: 0.8
url:	cve-2021-42060	Trust: 0.8
url:	cve-2021-42113	Trust: 0.8
url:	cve-2021-42554	Trust: 0.8
url:	cve-2021-43323	Trust: 0.8
url:	cve-2021-43522	Trust: 0.8
url:	cve-2021-43615	Trust: 0.8
url:	cve-2021-45969	Trust: 0.8
url:	cve-2021-45970	Trust: 0.8
url:	cve-2021-45971	Trust: 0.8
url:	cve-2022-24030	Trust: 0.8
url:	cve-2022-24031	Trust: 0.8
url:	cve-2022-24069	Trust: 0.8
url:	cve-2022-28806	Trust: 0.8
url:	https://jvn.jp/vu/jvnvu97136454/index.html	Trust: 0.8
url:	https://jvn.jp/vu/jvnvu98748974/	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2020-27339	Trust: 0.8
url:	https://www.insyde.com/products	Trust: 0.6
url:	https://vigilance.fr/vulnerability/independent-bios-developers-multiple-vulnerabilities-via-uefi-37438	Trust: 0.6
url:	https://support.lenovo.com/us/en/product_security/len-73436	Trust: 0.6

sources: CERT/CC: VU#796611 // JVNDB: JVNDB-2021-007558 // NVD: CVE-2020-27339 // CNNVD: CNNVD-202106-1324

CREDITS

This document was written by Vijay Sarvepalli.Statement Date: March 01, 2022

Trust: 0.8

sources: CERT/CC: VU#796611

SOURCES

db:	CERT/CC	id:	VU#796611
db:	JVNDB	id:	JVNDB-2021-007558
db:	NVD	id:	CVE-2020-27339
db:	CNNVD	id:	CNNVD-202106-1324

LAST UPDATE DATE

2023-12-18T11:38:07.442000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#796611	date:	2022-04-26T00:00:00
db:	JVNDB	id:	JVNDB-2021-007558	date:	2022-02-28T07:09:00
db:	NVD	id:	CVE-2020-27339	date:	2022-07-12T17:42:04.277
db:	CNNVD	id:	CNNVD-202106-1324	date:	2022-07-14T00:00:00

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#796611	date:	2022-02-01T00:00:00
db:	JVNDB	id:	JVNDB-2021-007558	date:	2022-02-17T00:00:00
db:	NVD	id:	CVE-2020-27339	date:	2021-06-16T16:15:07.897
db:	CNNVD	id:	CNNVD-202106-1324	date:	2021-06-16T00:00:00