Details of VAR-202110-0264

ID

VAR-202110-0264

CVE

CVE-2021-33626

TITLE

InsydeH2O UEFI software impacted by multiple vulnerabilities in SMM

Trust: 0.8

sources: CERT/CC: VU#796611

DESCRIPTION

A vulnerability exists in SMM (System Management Mode) branch that registers a SWSMI handler that does not sufficiently check or validate the allocated buffer pointer(QWORD values for CommBuffer). This can be used by an attacker to corrupt data in SMRAM memory and even lead to arbitrary code execution. The InsydeH2O Hardware-2-Operating System (H2O) UEFI firmware contains multiple vulnerabilities related to memory management in System Management Mode (SMM).Vulnerability Category Count SMM Privilege Escalation 10 SMM Memory Corruption 12 DXE Memory Corruption 1CVE-2020-27339 Affected CVE-2020-5953 Affected CVE-2021-33625 Affected CVE-2021-33626 Affected CVE-2021-33627 Affected CVE-2021-41837 Affected CVE-2021-41838 Affected CVE-2021-41839 Affected CVE-2021-41840 Affected CVE-2021-41841 Affected CVE-2021-42059 Affected CVE-2021-42060 Not Affected CVE-2021-42113 Affected CVE-2021-42554 Affected CVE-2021-43323 Affected CVE-2021-43522 Affected CVE-2021-43615 Not Affected CVE-2021-45969 Not Affected CVE-2021-45970 Not Affected CVE-2021-45971 Not Affected CVE-2022-24030 Not Affected CVE-2022-24031 Not Affected CVE-2022-24069 Not Affected CVE-2022-28806 Unknown. InsydeH2O Includes a vulnerability in incorporating functionality from an untrusted control area.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. In the kernel in Insyde InsydeH2O 5.x, certain SMM drivers did not correctly validate the CommBuffer and CommBufferSize parameters, allowing callers to corrupt either the firmware or the OS memory. The fixed versions for this issue in the PnpSmm, SmmResourceCheckDxe, and BeepStatusCode drivers are 05.08.23, 05.16.23, 05.26.23, 05.35.23, 05.43.23, and 05.51.23 (for Kernel 5.0 up to and including 5.5)

Trust: 2.43

sources: NVD: CVE-2021-33626 // CERT/CC: VU#796611 // JVNDB: JVNDB-2021-007559 // VULMON: CVE-2021-33626

AFFECTED PRODUCTS

vendor:	siemens	model:	simatic ipc377g	scope:	eq	version:	-	Trust: 1.0
vendor:	siemens	model:	simatic itp1000	scope:	eq	version:	-	Trust: 1.0
vendor:	insyde	model:	insydeh2o	scope:	lt	version:	5.25.44	Trust: 1.0
vendor:	insyde	model:	insydeh2o	scope:	gte	version:	5.2	Trust: 1.0
vendor:	siemens	model:	simatic ipc647e	scope:	eq	version:	-	Trust: 1.0
vendor:	insyde	model:	insydeh2o	scope:	lt	version:	5.35.25	Trust: 1.0
vendor:	insyde	model:	insydeh2o	scope:	lt	version:	5.43.25	Trust: 1.0
vendor:	siemens	model:	simatic field pg m6	scope:	eq	version:	-	Trust: 1.0
vendor:	siemens	model:	ruggedcom apr1808	scope:	eq	version:	-	Trust: 1.0
vendor:	siemens	model:	simatic ipc477e	scope:	eq	version:	-	Trust: 1.0
vendor:	insyde	model:	insydeh2o	scope:	gte	version:	5.4	Trust: 1.0
vendor:	siemens	model:	simatic ipc627e	scope:	eq	version:	-	Trust: 1.0
vendor:	siemens	model:	simatic ipc847e	scope:	eq	version:	-	Trust: 1.0
vendor:	siemens	model:	simatic field pg m5	scope:	eq	version:	-	Trust: 1.0
vendor:	insyde	model:	insydeh2o	scope:	gte	version:	5.1	Trust: 1.0
vendor:	siemens	model:	simatic ipc677e	scope:	eq	version:	-	Trust: 1.0
vendor:	insyde	model:	insydeh2o	scope:	lt	version:	5.26.25	Trust: 1.0
vendor:	siemens	model:	simatic ipc227g	scope:	eq	version:	-	Trust: 1.0
vendor:	insyde	model:	insydeh2o	scope:	gte	version:	5.3	Trust: 1.0
vendor:	insyde	model:	insydeh2o	scope:	lt	version:	5.16.25	Trust: 1.0
vendor:	siemens	model:	simatic ipc427e	scope:	eq	version:	-	Trust: 1.0
vendor:	insyde	model:	insydeh2o	scope:	lt	version:	5.34.44	Trust: 1.0
vendor:	siemens	model:	simatic ipc327g	scope:	eq	version:	-	Trust: 1.0
vendor:	siemens	model:	simatic ipc127e	scope:	eq	version:	-	Trust: 1.0
vendor:	insyde	model:	insydeh2o	scope:	lt	version:	5.42.44	Trust: 1.0
vendor:	siemens	model:	simatic ipc277g	scope:	eq	version:	-	Trust: 1.0
vendor:	siemens	model:	simatic ipc477e pro	scope:	eq	version:	-	Trust: 1.0
vendor:	insyde	model:	insydeh2o	scope:	-	version:	-	Trust: 0.8
vendor:	insyde	model:	insydeh2o	scope:	eq	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2021-007559 // NVD: CVE-2021-33626

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD:	CVE-2021-33626
value:	HIGH
Trust: 1.8
CNNVD:	CNNVD-202109-2000
value:	HIGH
Trust: 0.6

NVD:
severity:	MEDIUM
baseScore:	4.6
vectorString:	AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	6.4
acInsufInfo:	FALSE
obtainAllPrivilege:	FALSE
obtainUserPrivilege:	FALSE
obtainOtherPrivilege:	FALSE
userInteractionRequired:	FALSE
version:	2.0
Trust: 1.0
NVD:	CVE-2021-33626
severity:	MEDIUM
baseScore:	4.6
vectorString:	AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8

NVD:
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2021-33626
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2021-007559 // NVD: CVE-2021-33626 // CNNVD: CNNVD-202109-2000

PROBLEMTYPE DATA

problemtype:	CWE-829	Trust: 1.0
problemtype:	Incorporating features from untrusted control areas (CWE-829) [NVD Evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2021-007559 // NVD: CVE-2021-33626

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202109-2000

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202109-2000

CONFIGURATIONS

sources: NVD: CVE-2021-33626

PATCH

title:

Insyde's Security Pledge Security Advisory

url:

https://www.insyde.com/security-pledge

Trust: 0.8

sources: JVNDB: JVNDB-2021-007559

EXTERNAL IDS

db:	NVD	id:	CVE-2021-33626	Trust: 4.1
db:	SIEMENS	id:	SSA-306654	Trust: 1.6
db:	CERT/CC	id:	VU#796611	Trust: 0.8
db:	JVN	id:	JVNVU98748974	Trust: 0.8
db:	JVN	id:	JVNVU97136454	Trust: 0.8
db:	JVNDB	id:	JVNDB-2021-007559	Trust: 0.8
db:	LENOVO	id:	LEN-73436	Trust: 0.6
db:	CNNVD	id:	CNNVD-202109-2000	Trust: 0.6
db:	VULMON	id:	CVE-2021-33626	Trust: 0.1

sources: CERT/CC: VU#796611 // VULMON: CVE-2021-33626 // JVNDB: JVNDB-2021-007559 // NVD: CVE-2021-33626 // CNNVD: CNNVD-202109-2000

REFERENCES

url:	https://www.insyde.com/security-pledge/sa-2021001	Trust: 1.7
url:	https://cert-portal.siemens.com/productcert/pdf/ssa-306654.pdf	Trust: 1.6
url:	https://security.netapp.com/advisory/ntap-20220216-0006/	Trust: 1.6
url:	https://www.insyde.com/security-pledge	Trust: 1.6
url:	https://nvd.nist.gov/vuln/detail/cve-2021-33626	Trust: 1.4
url:	cve-2020-27339	Trust: 0.8
url:	cve-2020-5953	Trust: 0.8
url:	cve-2021-33625	Trust: 0.8
url:	cve-2021-33626	Trust: 0.8
url:	cve-2021-33627	Trust: 0.8
url:	cve-2021-41837	Trust: 0.8
url:	cve-2021-41838	Trust: 0.8
url:	cve-2021-41839	Trust: 0.8
url:	cve-2021-41840	Trust: 0.8
url:	cve-2021-41841	Trust: 0.8
url:	cve-2021-42059	Trust: 0.8
url:	cve-2021-42060	Trust: 0.8
url:	cve-2021-42113	Trust: 0.8
url:	cve-2021-42554	Trust: 0.8
url:	cve-2021-43323	Trust: 0.8
url:	cve-2021-43522	Trust: 0.8
url:	cve-2021-43615	Trust: 0.8
url:	cve-2021-45969	Trust: 0.8
url:	cve-2021-45970	Trust: 0.8
url:	cve-2021-45971	Trust: 0.8
url:	cve-2022-24030	Trust: 0.8
url:	cve-2022-24031	Trust: 0.8
url:	cve-2022-24069	Trust: 0.8
url:	cve-2022-28806	Trust: 0.8
url:	https://jvn.jp/vu/jvnvu97136454/index.html	Trust: 0.8
url:	https://jvn.jp/vu/jvnvu98748974/	Trust: 0.8
url:	https://vigilance.fr/vulnerability/independent-bios-developers-multiple-vulnerabilities-via-uefi-37438	Trust: 0.6
url:	https://support.lenovo.com/us/en/product_security/len-73436	Trust: 0.6
url:	https://nvd.nist.gov	Trust: 0.1

sources: CERT/CC: VU#796611 // VULMON: CVE-2021-33626 // JVNDB: JVNDB-2021-007559 // NVD: CVE-2021-33626 // CNNVD: CNNVD-202109-2000

CREDITS

This document was written by Vijay Sarvepalli.Statement Date: March 01, 2022

Trust: 0.8

sources: CERT/CC: VU#796611

SOURCES

db:	CERT/CC	id:	VU#796611
db:	VULMON	id:	CVE-2021-33626
db:	JVNDB	id:	JVNDB-2021-007559
db:	NVD	id:	CVE-2021-33626
db:	CNNVD	id:	CNNVD-202109-2000

LAST UPDATE DATE

2023-12-18T11:10:01.956000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#796611	date:	2022-04-26T00:00:00
db:	VULMON	id:	CVE-2021-33626	date:	2021-10-01T00:00:00
db:	JVNDB	id:	JVNDB-2021-007559	date:	2022-02-28T07:09:00
db:	NVD	id:	CVE-2021-33626	date:	2022-04-24T02:03:42.070
db:	CNNVD	id:	CNNVD-202109-2000	date:	2022-03-10T00:00:00

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#796611	date:	2022-02-01T00:00:00
db:	VULMON	id:	CVE-2021-33626	date:	2021-10-01T00:00:00
db:	JVNDB	id:	JVNDB-2021-007559	date:	2022-02-17T00:00:00
db:	NVD	id:	CVE-2021-33626	date:	2021-10-01T03:15:06.593
db:	CNNVD	id:	CNNVD-202109-2000	date:	2021-09-30T00:00:00