# SSA-957369: Insyde BIOS Vulnerabilities in RUGGEDCOM APE1808 Product Family

Publication Date: 2023-09-12
Last Update: 2023-09-12
Current Version: 1.0
CVSS v3.1 Base Score: 8.2

SUMMARY
=======

Insyde has published information on vulnerabilities in Insyde BIOS up to
August 2023. These vulnerabilities also affect the RUGGEDCOM APE1808 product
family.

Siemens has released updates for the affected products and recommends
updating to the latest versions.

AFFECTED PRODUCTS AND SOLUTION
==============================

* RUGGEDCOM APE1808 ADM (6GK6015-0AL20-0GL0)
  - Affected versions: All BIOS versions < V1.0.212N
  - Remediation: Update BIOS to V1.0.212N or later version
  - Download: https://support.industry.siemens.com/cs/in/en/view/109814796

* RUGGEDCOM APE1808 ADM CC (6GK6015-0AL20-0GL1)
  - Affected versions: All BIOS versions < V1.0.212N
  - Remediation: Update BIOS to V1.0.212N or later version
  - Download: https://support.industry.siemens.com/cs/in/en/view/109814796

* RUGGEDCOM APE1808 CKP (6GK6015-0AL20-0GK0)
  - Affected versions: All BIOS versions < V1.0.212N
  - Remediation: Update BIOS to V1.0.212N or later version
  - Download: https://support.industry.siemens.com/cs/in/en/view/109814796

* RUGGEDCOM APE1808 CKP CC (6GK6015-0AL20-0GK1)
  - Affected versions: All BIOS versions < V1.0.212N
  - Remediation: Update BIOS to V1.0.212N or later version
  - Download: https://support.industry.siemens.com/cs/in/en/view/109814796

* RUGGEDCOM APE1808 CLOUDCONNECT (6GK6015-0AL20-0GM0)
  - Affected versions: All BIOS versions < V1.0.212N
  - Remediation: Update BIOS to V1.0.212N or later version
  - Download: https://support.industry.siemens.com/cs/in/en/view/109814796

* RUGGEDCOM APE1808 CLOUDCONNECT CC (6GK6015-0AL20-0GM1)
  - Affected versions: All BIOS versions < V1.0.212N
  - Remediation: Update BIOS to V1.0.212N or later version
  - Download: https://support.industry.siemens.com/cs/in/en/view/109814796

* RUGGEDCOM APE1808 ELAN (6GK6015-0AL20-0GP0)
  - Affected versions: All BIOS versions < V1.0.212N
  - Remediation: Update BIOS to V1.0.212N or later version
  - Download: https://support.industry.siemens.com/cs/in/en/view/109814796

* RUGGEDCOM APE1808 ELAN CC (6GK6015-0AL20-0GP1)
  - Affected versions: All BIOS versions < V1.0.212N
  - Remediation: Update BIOS to V1.0.212N or later version
  - Download: https://support.industry.siemens.com/cs/in/en/view/109814796

* RUGGEDCOM APE1808 SAM-L (6GK6015-0AL20-0GN0)
  - Affected versions: All BIOS versions < V1.0.212N
  - Remediation: Update BIOS to V1.0.212N or later version
  - Download: https://support.industry.siemens.com/cs/in/en/view/109814796

* RUGGEDCOM APE1808 SAM-L CC (6GK6015-0AL20-0GN1)
  - Affected versions: All BIOS versions < V1.0.212N
  - Remediation: Update BIOS to V1.0.212N or later version
  - Download: https://support.industry.siemens.com/cs/in/en/view/109814796

* RUGGEDCOM APE1808CLA-P (6GK6015-0AL20-1AA0)
  - Affected versions: All BIOS versions < V1.0.212N
  - Remediation: Update BIOS to V1.0.212N or later version
  - Download: https://support.industry.siemens.com/cs/in/en/view/109814796

* RUGGEDCOM APE1808CLA-P CC (6GK6015-0AL20-1AA1)
  - Affected versions: All BIOS versions < V1.0.212N
  - Remediation: Update BIOS to V1.0.212N or later version
  - Download: https://support.industry.siemens.com/cs/in/en/view/109814796

* RUGGEDCOM APE1808CLA-S1 (6GK6015-0AL20-1AB0)
  - Affected versions: All BIOS versions < V1.0.212N
  - Remediation: Update BIOS to V1.0.212N or later version
  - Download: https://support.industry.siemens.com/cs/in/en/view/109814796

* RUGGEDCOM APE1808CLA-S1 CC (6GK6015-0AL20-1AB1)
  - Affected versions: All BIOS versions < V1.0.212N
  - Remediation: Update BIOS to V1.0.212N or later version
  - Download: https://support.industry.siemens.com/cs/in/en/view/109814796

* RUGGEDCOM APE1808CLA-S3 (6GK6015-0AL20-1AD0)
  - Affected versions: All BIOS versions < V1.0.212N
  - Remediation: Update BIOS to V1.0.212N or later version
  - Download: https://support.industry.siemens.com/cs/in/en/view/109814796

* RUGGEDCOM APE1808CLA-S3 CC (6GK6015-0AL20-1AD1)
  - Affected versions: All BIOS versions < V1.0.212N
  - Remediation: Update BIOS to V1.0.212N or later version
  - Download: https://support.industry.siemens.com/cs/in/en/view/109814796

* RUGGEDCOM APE1808CLA-S5 (6GK6015-0AL20-1AF0)
  - Affected versions: All BIOS versions < V1.0.212N
  - Remediation: Update BIOS to V1.0.212N or later version
  - Download: https://support.industry.siemens.com/cs/in/en/view/109814796

* RUGGEDCOM APE1808CLA-S5 CC (6GK6015-0AL20-1AF1)
  - Affected versions: All BIOS versions < V1.0.212N
  - Remediation: Update BIOS to V1.0.212N or later version
  - Download: https://support.industry.siemens.com/cs/in/en/view/109814796

* RUGGEDCOM APE1808LNX (6GK6015-0AL20-0GH0)
  - Affected versions: All BIOS versions < V1.0.212N
  - Remediation: Update BIOS to V1.0.212N or later version
  - Download: https://support.industry.siemens.com/cs/in/en/view/109814796

* RUGGEDCOM APE1808LNX CC (6GK6015-0AL20-0GH1)
  - Affected versions: All BIOS versions < V1.0.212N
  - Remediation: Update BIOS to V1.0.212N or later version
  - Download: https://support.industry.siemens.com/cs/in/en/view/109814796

* RUGGEDCOM APE1808W10 (6GK6015-0AL20-0GJ0)
  - Affected versions: All BIOS versions < V1.0.212N
  - Remediation: Update BIOS to V1.0.212N or later version
  - Download: https://support.industry.siemens.com/cs/in/en/view/109814796

* RUGGEDCOM APE1808W10 CC (6GK6015-0AL20-0GJ1)
  - Affected versions: All BIOS versions < V1.0.212N
  - Remediation: Update BIOS to V1.0.212N or later version
  - Download: https://support.industry.siemens.com/cs/in/en/view/109814796

WORKAROUNDS AND MITIGATIONS
===========================

Product-specific remediations or mitigations can be found in the section
"Affected Products and Solution". Please follow the "General Security
Recommendations".
GENERAL SECURITY RECOMMENDATIONS
================================

As a general security measure, Siemens strongly recommends protecting
network access to devices with appropriate mechanisms. In order to operate
the devices in a protected IT environment, Siemens recommends configuring
the environment according to Siemens' operational guidelines for Industrial
Security (Download:
https://www.siemens.com/cert/operational-guidelines-industrial-security),
and following the recommendations in the product manuals.

Additional information on Industrial Security by Siemens can be found at:
https://www.siemens.com/industrialsecurity

PRODUCT DESCRIPTION
===================

The RUGGEDCOM APE1808 is a powerful utility-grade application hosting
platform that lets you deploy a range of commercially available applications
for edge computing and cybersecurity in harsh, industrial environments.

VULNERABILITY CLASSIFICATION
============================

The vulnerability classification has been performed by using the CVSS
scoring system in version 3.1 (CVSS v3.1) (https://www.first.org/cvss/).
The CVSS environmental score is specific to the customer's environment and
will impact the overall CVSS score. The environmental score should therefore
be individually defined by the customer to accomplish final scoring.

An additional classification has been performed using the CWE
classification, a community-developed list of common software security
weaknesses. This serves as a common language and as a baseline for weakness
identification, mitigation, and prevention efforts. A detailed list of CWE
classes can be found at: https://cwe.mitre.org/.

* Vulnerability CVE-2017-5715

  An attacker with local access to the system could potentially disclose
  information from protected memory areas via a side-channel attack on the
  processor cache.

  CVSS v3.1 Base Score: 5.9
  CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C
  CWE: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

* Vulnerability CVE-2021-38578

  Existing CommBuffer checks in SmmEntryPoint will not catch underflow when
  computing BufferSize.

  CVSS v3.1 Base Score: 8.2
  CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
  CWE: CWE-124: Buffer Underwrite ('Buffer Underflow')

* Vulnerability CVE-2022-24350

  An issue was discovered in IhisiSmm in Insyde InsydeH2O with kernel 5.0
  through 5.5. IHISI function 0x17 verifies that the output buffer lies
  within the command buffer but does not verify that output data does not go
  beyond the end of the command buffer. In particular, the GetFlashTable
  function is called directly on the Command Buffer before the DataSize is
  checked, leading to possible circumstances where the data immediately
  following the command buffer could be destroyed before returning a buffer
  size error.

  CVSS v3.1 Base Score: 5.5
  CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
  CWE: CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer
  Overflow')

* Vulnerability CVE-2022-24351

  Using SPI injection, it is possible to modify the FDM contents after it
  has been measured. This TOCTOU attack could be used to alter data and code
  used by the remainder of the boot process.

  CVSS v3.1 Base Score: 5.9
  CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N/E:P/RL:O/RC:C
  CWE: CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

* Vulnerability CVE-2022-27405

  Some versions of InsydeH2O use the FreeType tools to embed fonts into the
  BIOS. InsydeH2O does not use the FreeType API at runtime, and usage during
  build time does not produce a vulnerability in the BIOS. The CVSS reflects
  this limited usage.

  CVSS v3.1 Base Score: 3.6
  CVSS Vector: CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
  CWE: CWE-125: Out-of-bounds Read

* Vulnerability CVE-2022-29275

  In UsbCoreDxe, untrusted input may allow SMRAM or OS memory tampering.
  Use of untrusted pointers could allow OS or SMRAM memory tampering,
  leading to escalation of privileges. This issue was discovered by Insyde
  during a security review.
  https://www.insyde.com/security-pledge/SA-2022058

  CVSS v3.1 Base Score: 7.8
  CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
  CWE: CWE-119: Improper Restriction of Operations within the Bounds of a
  Memory Buffer

* Vulnerability CVE-2022-30283

  In UsbCoreDxe, tampering with the contents of the USB working buffer
  using DMA while certain USB transactions are in process leads to a TOCTOU
  problem that could be used by an attacker to cause SMRAM corruption and
  escalation of privileges. The UsbCoreDxe module creates a working buffer
  for USB transactions outside of SMRAM. The code which uses it can be
  inside of SMM, making the working buffer untrusted input. The buffer can
  be corrupted by DMA transfers. The SMM code attempts to sanitize pointers
  to ensure all pointers refer to the working buffer, but when a pointer is
  not found in the list of pointers to sanitize, the current action is not
  aborted, leading to undefined behavior. This issue was discovered by
  Insyde engineering based on the general description provided by Intel's
  iSTARE group.

  Fixed in:
    Kernel 5.0: Version 05.09.21
    Kernel 5.1: Version 05.17.21
    Kernel 5.2: Version 05.27.21
    Kernel 5.3: Version 05.36.21
    Kernel 5.4: Version 05.44.21
    Kernel 5.5: Version 05.52.21
  https://www.insyde.com/security-pledge/SA-2022063

  CVSS v3.1 Base Score: 7.5
  CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
  CWE: CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

* Vulnerability CVE-2022-30772

  Manipulation of the input address in PnpSmm function 0x52 could be used
  by malware to overwrite SMRAM or OS kernel memory. Function 0x52 of the
  PnpSmm driver is passed the address and size of data to write into the
  SMBIOS table, but manipulation of the address could be used by malware to
  overwrite SMRAM or OS kernel memory. This issue was discovered by Insyde
  engineering during a security review.

  This issue is fixed in:
    Kernel 5.0: 05.09.41
    Kernel 5.1: 05.17.43
    Kernel 5.2: 05.27.30
    Kernel 5.3: 05.36.30
    Kernel 5.4: 05.44.30
    Kernel 5.5: 05.52.30
  https://www.insyde.com/security-pledge/SA-2022065

  CVSS v3.1 Base Score: 7.2
  CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:H/E:P/RL:O/RC:C
  CWE: CWE-787: Out-of-bounds Write

* Vulnerability CVE-2022-32469

  DMA attacks on the PnpSmm shared buffer used by SMM and non-SMM code
  could cause TOCTOU race-condition issues that could lead to corruption of
  SMRAM and escalation of privileges.

  CVSS v3.1 Base Score: 8.2
  CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
  CWE: CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

* Vulnerability CVE-2022-32470

  DMA attacks on the FwBlockServiceSmm shared buffer used by SMM and
  non-SMM code could cause TOCTOU race-condition issues that could lead to
  corruption of SMRAM and escalation of privileges.

  CVSS v3.1 Base Score: 8.2
  CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
  CWE: CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

* Vulnerability CVE-2022-32471

  DMA attacks on the IHISI command buffer could cause TOCTOU issues which
  could lead to corruption of SMRAM and escalation of privileges.

  CVSS v3.1 Base Score: 8.2
  CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
  CWE: CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

* Vulnerability CVE-2022-32475

  DMA attacks on the VariableRuntimeDxe shared buffer used by SMM and
  non-SMM code could cause TOCTOU race-condition issues that could lead to
  corruption of SMRAM and escalation of privileges.

  CVSS v3.1 Base Score: 8.2
  CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
  CWE: CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

* Vulnerability CVE-2022-32477

  DMA attacks on the FvbServicesRuntimeDxe shared buffer used by SMM and
  non-SMM code could cause TOCTOU race-condition issues that could lead to
  corruption of SMRAM and escalation of privileges.

  CVSS v3.1 Base Score: 8.2
  CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
  CWE: CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

* Vulnerability CVE-2022-32953

  DMA attacks on the SdHostDriver buffer used by SMM and non-SMM code could
  cause TOCTOU race-condition issues that could lead to corruption of SMRAM
  and escalation of privileges.

  CVSS v3.1 Base Score: 7.8
  CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
  CWE: CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

* Vulnerability CVE-2022-32954

  DMA attacks on the SdMmcDevice buffer used by SMM and non-SMM code could
  cause TOCTOU race-condition issues that could lead to corruption of SMRAM
  and escalation of privileges.

  CVSS v3.1 Base Score: 7.8
  CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
  CWE: CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

* Vulnerability CVE-2022-35893

  An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5.
  An SMM memory corruption vulnerability in the FvbServicesRuntimeDxe driver
  allows an attacker to write fixed or predictable data to SMRAM.
  Exploiting this issue could lead to escalating privileges to SMM.

  CVSS v3.1 Base Score: 8.2
  CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
  CWE: CWE-20: Improper Input Validation

* Vulnerability CVE-2022-35894

  An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5.
  The SMI handler for the FwBlockServiceSmm driver uses an untrusted pointer
  as the location to copy data to an attacker-specified buffer, leading to
  information disclosure.

  CVSS v3.1 Base Score: 6.0
  CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C
  CWE: CWE-401: Missing Release of Memory after Effective Lifetime

* Vulnerability CVE-2022-35895

  An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5.
  The FwBlockServiceSmm driver does not properly validate input parameters
  for a software SMI routine, leading to memory corruption of arbitrary
  addresses including SMRAM, and possible arbitrary code execution.

  CVSS v3.1 Base Score: 8.2
  CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
  CWE: CWE-787: Out-of-bounds Write

* Vulnerability CVE-2022-35896

  An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5.
  An SMM memory leak vulnerability in an SMM driver allows an attacker to
  dump SMRAM contents via the software SMI provided by the
  FvbServicesRuntimeDxe driver, leading to information disclosure.

  CVSS v3.1 Base Score: 6.0
  CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C
  CWE: CWE-20: Improper Input Validation

* Vulnerability CVE-2022-36338

  An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5.
  An SMM callout vulnerability in the SMM driver FwBlockServiceSmm, creating
  SMM, leads to arbitrary code execution. An attacker can replace the
  pointer to the UEFI boot service GetVariable with a pointer to malware,
  and then generate a software SMI.

  CVSS v3.1 Base Score: 7.5
  CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
  CWE: CWE-20: Improper Input Validation

* Vulnerability CVE-2023-24932

  An attacker who has physical access or administrative rights to a target
  device could install an affected boot policy which could bypass Secure
  Boot.

  CVSS v3.1 Base Score: 6.7
  CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
  CWE: CWE-358: Improperly Implemented Security Check for Standard

* Vulnerability CVE-2023-27373

  An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5.
  Due to insufficient input validation, an attacker can tamper with a
  runtime-accessible EFI variable to cause a dynamic BAR setting to overlap
  SMRAM.

  CVSS v3.1 Base Score: 5.5
  CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
  CWE: CWE-20: Improper Input Validation

* Vulnerability CVE-2023-31041

  An issue was discovered in SysPasswordDxe in Insyde InsydeH2O with kernel
  5.0 through 5.5. System password information could optionally be stored
  in cleartext, which might lead to possible information disclosure.

  CVSS v3.1 Base Score: 5.1
  CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
  CWE: CWE-256: Plaintext Storage of a Password

ADDITIONAL INFORMATION
======================

For further inquiries on security vulnerabilities in Siemens products and
solutions, please contact the Siemens ProductCERT:
https://www.siemens.com/cert/advisories

HISTORY DATA
============

V1.0 (2023-09-12): Publication Date

TERMS OF USE
============

Siemens Security Advisories are subject to the terms and conditions
contained in Siemens' underlying license terms or other applicable
agreements previously agreed to with Siemens (hereinafter "License Terms").
To the extent applicable to information, software or documentation made
available in or through a Siemens Security Advisory, the Terms of Use of
Siemens' Global Website (https://www.siemens.com/terms_of_use, hereinafter
"Terms of Use"), in particular Sections 8-10 of the Terms of Use, shall
apply additionally. In case of conflicts, the License Terms shall prevail
over the Terms of Use.

Copyright: Siemens 2023
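The base scores listed under VULNERABILITY CLASSIFICATION above can be recomputed from their vectors, which is useful when re-scoring for a specific environment or when checking a vendor's arithmetic. The following C program is an added example and not part of the Siemens advisory or any Siemens or FIRST tool: it implements the CVSS v3.1 base-score formula from the specification at https://www.first.org/cvss/ and checks it against vectors copied from this advisory. It goes one step beyond the advisory by also computing the temporal score from the E/RL/RC components that the vectors already carry; the environmental score, which the advisory leaves to the customer, is not implemented. Function names such as cvss31_base and cvss31_temporal are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Find metric NAME (e.g. "AV") in a CVSS v3.1 vector and return its
   single-character value, or 0 if absent. A match must start at the
   beginning of the string or right after '/', so "C" never matches "RC:C". */
static char metric(const char *vec, const char *name) {
    size_t n = strlen(name);
    for (const char *p = vec; (p = strstr(p, name)) != NULL; p += n) {
        if ((p == vec || p[-1] == '/') && p[n] == ':' && p[n + 1] != '\0')
            return p[n + 1];
    }
    return 0;
}

/* CVSS v3.1 "Roundup": smallest one-decimal number >= x, done on an integer
   scaled by 100000 as the spec prescribes, so floating-point noise cannot
   push e.g. 8.2 up to 8.3. No libm needed (x is never negative here). */
static double roundup(double x) {
    long long i = (long long)(x * 100000.0 + 0.5);
    if (i % 10000 == 0) return i / 100000.0;
    return (double)(i / 10000 + 1) / 10.0;
}

static double pow15(double x) { double r = 1.0; for (int k = 0; k < 15; k++) r *= x; return r; }
static double cia(char v) { return v == 'H' ? 0.56 : v == 'L' ? 0.22 : 0.0; }

/* Tolerant comparison for callers checking a computed score. */
int score_eq(double a, double b) { double d = a - b; return d < 1e-9 && d > -1e-9; }

/* Base score per the CVSS v3.1 specification; -1.0 for a malformed vector. */
double cvss31_base(const char *vec) {
    if (strncmp(vec, "CVSS:3.1/", 9) != 0) return -1.0;
    char av = metric(vec, "AV"), ac = metric(vec, "AC"), pr = metric(vec, "PR"),
         ui = metric(vec, "UI"), s = metric(vec, "S");
    int changed = (s == 'C');
    double w_av = av == 'N' ? 0.85 : av == 'A' ? 0.62 : av == 'L' ? 0.55 : av == 'P' ? 0.20 : -1.0;
    double w_ac = ac == 'L' ? 0.77 : ac == 'H' ? 0.44 : -1.0;
    double w_pr = pr == 'N' ? 0.85 : pr == 'L' ? (changed ? 0.68 : 0.62)
                : pr == 'H' ? (changed ? 0.50 : 0.27) : -1.0;   /* PR weight depends on scope */
    double w_ui = ui == 'N' ? 0.85 : ui == 'R' ? 0.62 : -1.0;
    if (w_av < 0 || w_ac < 0 || w_pr < 0 || w_ui < 0 || (s != 'U' && s != 'C')) return -1.0;

    double iss = 1.0 - (1.0 - cia(metric(vec, "C"))) * (1.0 - cia(metric(vec, "I")))
                     * (1.0 - cia(metric(vec, "A")));
    double impact = changed ? 7.52 * (iss - 0.029) - 3.25 * pow15(iss - 0.02) : 6.42 * iss;
    double exploitability = 8.22 * w_av * w_ac * w_pr * w_ui;
    if (impact <= 0.0) return 0.0;
    double raw = changed ? 1.08 * (impact + exploitability) : impact + exploitability;
    return roundup(raw < 10.0 ? raw : 10.0);
}

/* Temporal score: base adjusted by E, RL and RC (absent or X counts as 1.0). */
double cvss31_temporal(const char *vec) {
    double base = cvss31_base(vec);
    if (base < 0.0) return -1.0;
    char e = metric(vec, "E"), rl = metric(vec, "RL"), rc = metric(vec, "RC");
    double w_e  = (e == 0 || e == 'X' || e == 'H') ? 1.0 : e == 'F' ? 0.97 : e == 'P' ? 0.94 : e == 'U' ? 0.91 : -1.0;
    double w_rl = (rl == 0 || rl == 'X' || rl == 'U') ? 1.0 : rl == 'W' ? 0.97 : rl == 'T' ? 0.96 : rl == 'O' ? 0.95 : -1.0;
    double w_rc = (rc == 0 || rc == 'X' || rc == 'C') ? 1.0 : rc == 'R' ? 0.96 : rc == 'U' ? 0.92 : -1.0;
    if (w_e < 0 || w_rl < 0 || w_rc < 0) return -1.0;
    return roundup(base * w_e * w_rl * w_rc);
}

int main(void) {
    /* Vectors copied from the advisory; the comment gives its published base score. */
    const char *vectors[] = {
        "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C",  /* 8.2 */
        "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C",  /* 5.9 */
        "CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",  /* 3.6 */
    };
    for (size_t k = 0; k < sizeof vectors / sizeof vectors[0]; k++)
        printf("base %.1f  temporal %.1f  %s\n",
               cvss31_base(vectors[k]), cvss31_temporal(vectors[k]), vectors[k]);
    return 0;
}
```

Because every vector in this advisory carries E:P/RL:O/RC:C, the temporal score is uniformly lower than the published base score (8.2 becomes 7.4); a customer-specific environmental score would be layered on top of that using the modified metrics from the same specification.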
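Most of the Insyde findings above share one pattern: an SMI handler trusts a size or pointer taken from a buffer outside SMRAM, either without overflow-safe bounds arithmetic (CVE-2021-38578, CVE-2022-35895) or while DMA can still rewrite the buffer between the check and the use (the TOCTOU entries such as CVE-2022-32469, CVE-2022-32470 and CVE-2022-32471). The following C program is an added, host-runnable model of the defensive pattern; it is not Insyde's or Siemens's code, and the SMRAM window, request header layout, function names and scenario inputs are all constructed for illustration. The handler checks that the reported buffer lies wholly outside SMRAM without wrapping, compares sizes before subtracting, snapshots the header into SMRAM before validating it, and then works only on the SMRAM copy; a hook models a DMA write arriving after the snapshot to show that the decision is unaffected.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed SMRAM window for this host-side model (real firmware learns
   the window from the platform's SMM access driver). */
#define SIM_SMRAM_BASE 0x7F000000ULL
#define SIM_SMRAM_SIZE 0x00800000ULL
#define SHARED_PHYS    0x10000000ULL   /* constructed address of the shared buffer */
#define MAX_PAYLOAD    256u

/* Hypothetical request header placed in the non-SMRAM shared buffer. */
typedef struct {
    uint32_t function;    /* sub-function selector */
    uint32_t data_size;   /* payload bytes that follow the header */
} req_header_t;

typedef enum { REQ_OK = 0, REQ_BAD_RANGE, REQ_BAD_SIZE, REQ_BAD_FUNCTION } req_status_t;

/* True only if [addr, addr + len) is non-empty, does not wrap around the
   address space, and lies entirely outside SMRAM. */
bool range_outside_smram(uint64_t addr, uint64_t len) {
    if (len == 0 || addr > UINT64_MAX - len) return false;
    uint64_t end = addr + len;                            /* exclusive */
    return end <= SIM_SMRAM_BASE || addr >= SIM_SMRAM_BASE + SIM_SMRAM_SIZE;
}

/* Handle one request from the shared buffer 'shared' (reported physical
   address 'shared_phys', reported size 'shared_size'). 'dma_hook', when
   non-NULL, models a DMA write landing between the snapshot and the checks.
   On success the payload is copied into the caller's SMRAM-resident
   'smram_copy' and its length stored in *copied (if non-NULL). */
req_status_t handle_request(uint8_t *shared, uint64_t shared_phys, uint64_t shared_size,
                            void (*dma_hook)(uint8_t *), uint8_t *smram_copy,
                            uint32_t *copied) {
    req_header_t hdr;
    /* 1. The whole reported buffer must sit outside SMRAM and must not wrap. */
    if (!range_outside_smram(shared_phys, shared_size)) return REQ_BAD_RANGE;
    /* 2. Compare before subtracting: shared_size - sizeof hdr would underflow. */
    if (shared_size < sizeof hdr) return REQ_BAD_SIZE;
    /* 3. Snapshot the header into SMRAM (our stack) before looking at it. */
    memcpy(&hdr, shared, sizeof hdr);
    if (dma_hook) dma_hook(shared);           /* modelled concurrent DMA write */
    /* 4. Validate the snapshot only; the shared copy may already differ. */
    if (hdr.data_size > shared_size - sizeof hdr) return REQ_BAD_SIZE;
    if (hdr.data_size > MAX_PAYLOAD) return REQ_BAD_SIZE;
    if (hdr.function != 1) return REQ_BAD_FUNCTION;
    /* 5. Copy the payload into SMRAM, bounded by the snapshotted size, and
          use only that copy from here on. */
    memcpy(smram_copy, shared + sizeof hdr, hdr.data_size);
    if (copied) *copied = hdr.data_size;
    return REQ_OK;
}

/* --- constructed scenarios for a stand-alone run --- */

static void fill_request(uint8_t *buf, uint32_t function, uint32_t data_size) {
    req_header_t hdr = { function, data_size };
    memcpy(buf, &hdr, sizeof hdr);
    memset(buf + sizeof hdr, 0xAB, data_size);        /* constructed payload */
}

/* Models a DMA engine rewriting data_size right after the handler's snapshot. */
static void dma_grow_size(uint8_t *shared) {
    uint32_t huge = 0xFFFFFFF0u;
    memcpy(shared + offsetof(req_header_t, data_size), &huge, sizeof huge);
}

req_status_t scenario(int which, uint32_t *copied) {
    uint8_t shared[512], smram_copy[MAX_PAYLOAD];
    fill_request(shared, 1, 64);
    switch (which) {
    case 0: return handle_request(shared, SHARED_PHYS, sizeof shared, NULL, smram_copy, copied);
    case 1: return handle_request(shared, SHARED_PHYS, 4, NULL, smram_copy, copied);   /* shorter than a header */
    case 2: fill_request(shared, 1, 100);                                               /* payload claims past the buffer */
            return handle_request(shared, SHARED_PHYS, 72, NULL, smram_copy, copied);
    case 3: return handle_request(shared, SIM_SMRAM_BASE - 16, sizeof shared, NULL, smram_copy, copied); /* straddles SMRAM */
    case 4: return handle_request(shared, SHARED_PHYS, sizeof shared, dma_grow_size, smram_copy, copied); /* DMA after snapshot */
    default: return REQ_BAD_FUNCTION;
    }
}

uint32_t scenario_copied(int which) { uint32_t n = 0; scenario(which, &n); return n; }

int main(void) {
    static const char *names[] = { "valid", "size < header", "oversized payload", "overlaps SMRAM", "DMA race" };
    for (int k = 0; k < 5; k++)
        printf("%-18s -> status %d, copied %u bytes\n", names[k], scenario(k, NULL), scenario_copied(k));
    return 0;
}
```

Moving the hook call to before the memcpy into hdr makes scenario 4 fail with REQ_BAD_SIZE instead, which is the intended outcome when the rewrite lands before the snapshot: whichever order the DMA write arrives in, the handler only ever acts on a size it has already checked in SMRAM.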