SSA-957369

Siemens Security Advisory by Siemens ProductCERT

SSA-957369: Insyde BIOS Vulnerabilities in RUGGEDCOM APE1808 Product Family

Publication Date:	2023-09-12
Last Update:	2023-09-12
Current Version:	V1.0
CVSS v3.1 Base Score:	8.2

SUMMARY

Insyde has published information on vulnerabilities in Insyde BIOS up to August 2023. These vulnerabilities also affect the RUGGEDCOM APE1808 product family.

Siemens has released updates for the affected products and recommends to update to the latest versions.

AFFECTED PRODUCTS AND SOLUTION

Affected Product and Versions	Remediation
RUGGEDCOM APE1808 ADM (6GK6015-0AL20-0GL0) All BIOS versions < V1.0.212N	Update BIOS to V1.0.212N or later version https://support.industry.siemens.com/cs/in/en/view/109814796
RUGGEDCOM APE1808 ADM CC (6GK6015-0AL20-0GL1) All BIOS versions < V1.0.212N	Update BIOS to V1.0.212N or later version https://support.industry.siemens.com/cs/in/en/view/109814796
RUGGEDCOM APE1808 CKP (6GK6015-0AL20-0GK0) All BIOS versions < V1.0.212N	Update BIOS to V1.0.212N or later version https://support.industry.siemens.com/cs/in/en/view/109814796
RUGGEDCOM APE1808 CKP CC (6GK6015-0AL20-0GK1) All BIOS versions < V1.0.212N	Update BIOS to V1.0.212N or later version https://support.industry.siemens.com/cs/in/en/view/109814796
RUGGEDCOM APE1808 CLOUDCONNECT (6GK6015-0AL20-0GM0) All BIOS versions < V1.0.212N	Update BIOS to V1.0.212N or later version https://support.industry.siemens.com/cs/in/en/view/109814796
RUGGEDCOM APE1808 CLOUDCONNECT CC (6GK6015-0AL20-0GM1) All BIOS versions < V1.0.212N	Update BIOS to V1.0.212N or later version https://support.industry.siemens.com/cs/in/en/view/109814796
RUGGEDCOM APE1808 ELAN (6GK6015-0AL20-0GP0) All BIOS versions < V1.0.212N	Update BIOS to V1.0.212N or later version https://support.industry.siemens.com/cs/in/en/view/109814796
RUGGEDCOM APE1808 ELAN CC (6GK6015-0AL20-0GP1) All BIOS versions < V1.0.212N	Update BIOS to V1.0.212N or later version https://support.industry.siemens.com/cs/in/en/view/109814796
RUGGEDCOM APE1808 SAM-L (6GK6015-0AL20-0GN0) All BIOS versions < V1.0.212N	Update BIOS to V1.0.212N or later version https://support.industry.siemens.com/cs/in/en/view/109814796
RUGGEDCOM APE1808 SAM-L CC (6GK6015-0AL20-0GN1) All BIOS versions < V1.0.212N	Update BIOS to V1.0.212N or later version https://support.industry.siemens.com/cs/in/en/view/109814796
RUGGEDCOM APE1808CLA-P (6GK6015-0AL20-1AA0) All BIOS versions < V1.0.212N	Update BIOS to V1.0.212N or later version https://support.industry.siemens.com/cs/in/en/view/109814796
RUGGEDCOM APE1808CLA-P CC (6GK6015-0AL20-1AA1) All BIOS versions < V1.0.212N	Update BIOS to V1.0.212N or later version https://support.industry.siemens.com/cs/in/en/view/109814796
RUGGEDCOM APE1808CLA-S1 (6GK6015-0AL20-1AB0) All BIOS versions < V1.0.212N	Update BIOS to V1.0.212N or later version https://support.industry.siemens.com/cs/in/en/view/109814796
RUGGEDCOM APE1808CLA-S1 CC (6GK6015-0AL20-1AB1) All BIOS versions < V1.0.212N	Update BIOS to V1.0.212N or later version https://support.industry.siemens.com/cs/in/en/view/109814796
RUGGEDCOM APE1808CLA-S3 (6GK6015-0AL20-1AD0) All BIOS versions < V1.0.212N	Update BIOS to V1.0.212N or later version https://support.industry.siemens.com/cs/in/en/view/109814796
RUGGEDCOM APE1808CLA-S3 CC (6GK6015-0AL20-1AD1) All BIOS versions < V1.0.212N	Update BIOS to V1.0.212N or later version https://support.industry.siemens.com/cs/in/en/view/109814796
RUGGEDCOM APE1808CLA-S5 (6GK6015-0AL20-1AF0) All BIOS versions < V1.0.212N	Update BIOS to V1.0.212N or later version https://support.industry.siemens.com/cs/in/en/view/109814796
RUGGEDCOM APE1808CLA-S5 CC (6GK6015-0AL20-1AF1) All BIOS versions < V1.0.212N	Update BIOS to V1.0.212N or later version https://support.industry.siemens.com/cs/in/en/view/109814796
RUGGEDCOM APE1808LNX (6GK6015-0AL20-0GH0) All BIOS versions < V1.0.212N	Update BIOS to V1.0.212N or later version https://support.industry.siemens.com/cs/in/en/view/109814796
RUGGEDCOM APE1808LNX CC (6GK6015-0AL20-0GH1) All BIOS versions < V1.0.212N	Update BIOS to V1.0.212N or later version https://support.industry.siemens.com/cs/in/en/view/109814796
RUGGEDCOM APE1808W10 (6GK6015-0AL20-0GJ0) All BIOS versions < V1.0.212N	Update BIOS to V1.0.212N or later version https://support.industry.siemens.com/cs/in/en/view/109814796
RUGGEDCOM APE1808W10 CC (6GK6015-0AL20-0GJ1) All BIOS versions < V1.0.212N	Update BIOS to V1.0.212N or later version https://support.industry.siemens.com/cs/in/en/view/109814796

WORKAROUNDS AND MITIGATIONS

Product-specific remediations or mitigations can be found in the section Affected Products and Solution.
Please follow the General Security Recommendations.

GENERAL SECURITY RECOMMENDATIONS

As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity

PRODUCT DESCRIPTION

The RUGGEDCOM APE1808 is a powerful utility-grade application hosting platform that lets you deploy a range of commercially available applications for edge computing and cybersecurity in harsh, industrial environments.

VULNERABILITY CLASSIFICATION

Un-/Collapse All

The vulnerability classification has been performed by using the CVSS scoring system in version 3.1 (CVSS v3.1) (https://www.first.org/cvss/). The CVSS environmental score is specific to the customer’s environment and will impact the overall CVSS score. The environmental score should therefore be individually defined by the customer to accomplish final scoring.

An additional classification has been performed using the CWE classification, a community-developed list of common software security weaknesses. This serves as a common language and as a baseline for weakness identification, mitigation, and prevention efforts. A detailed list of CWE classes can be found at: https://cwe.mitre.org/.

Vulnerability CVE-2017-5715

An attacker with local access to the system could potentially disclose information from protected memory areas via a side-channel attack on the processor cache.

CVSS v3.1 Base Score	5.9
CVSS Vector	CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C
CWE	CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Vulnerability CVE-2021-38578

Existing CommBuffer checks in SmmEntryPoint will not catch underflow when computing BufferSize.

CVSS v3.1 Base Score	8.2
CVSS Vector	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
CWE	CWE-124: Buffer Underwrite ('Buffer Underflow')

Vulnerability CVE-2022-24350

An issue was discovered in IhisiSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. IHISI function 0x17 verifies that the output buffer lies within the command buffer but does not verify that output data does not go beyond the end of the command buffer. In particular, the GetFlashTable function is called directly on the Command Buffer before the DataSize is check, leading to possible circumstances where the data immediately following the command buffer could be destroyed before returning a buffer size error.

CVSS v3.1 Base Score	5.5
CVSS Vector	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
CWE	CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Vulnerability CVE-2022-24351

Using SPI injection, it is possible to modify the FDM contents after it has been measured. This TOCTOU attack could be used to alter data and code used by the remainder of the boot process.

CVSS v3.1 Base Score	5.9
CVSS Vector	CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N/E:P/RL:O/RC:C
CWE	CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

Vulnerability CVE-2022-27405

Some versions of InsydeH2O use the FreeType tools to embed fonts into the BIOS. InsydeH2O does not use the FreeType API at runtime and usage during build time does not produce a vulnerability in the BIOS. The CVSS reflects this limited usage.

CVSS v3.1 Base Score	3.6
CVSS Vector	CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
CWE	CWE-125: Out-of-bounds Read

Vulnerability CVE-2022-29275

In UsbCoreDxe, untrusted input may allow SMRAM or OS memory tampering Use of untrusted pointers could allow OS or SMRAM memory tampering leading to escalation of privileges. This issue was discovered by Insyde during security review. https://www.insyde.com/security-pledge/SA-2022058

CVSS v3.1 Base Score	7.8
CVSS Vector	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
CWE	CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

Vulnerability CVE-2022-30283

In UsbCoreDxe, tampering with the contents of the USB working buffer using DMA while certain USB transactions are in process leads to a TOCTOU problem that could be used by an attacker to cause SMRAM corruption and escalation of privileges The UsbCoreDxe module creates a working buffer for USB transactions outside of SMRAM. The code which uses can be inside of SMM, making the working buffer untrusted input. The buffer can be corrupted by DMA transfers. The SMM code code attempts to sanitize pointers to ensure all pointers refer to the working buffer, but when a pointer is not found in the list of pointers to sanitize, the current action is not aborted, leading to undefined behavior. This issue was discovered by Insyde engineering based on the general description provided by Intel's iSTARE group. Fixed in: Kernel 5.0: Version 05.09. 21 Kernel 5.1: Version 05.17.21 Kernel 5.2: Version 05.27.21 Kernel 5.3: Version 05.36.21 Kernel 5.4: Version 05.44.21 Kernel 5.5: Version 05.52.21 https://www.insyde.com/security-pledge/SA-2022063

CVSS v3.1 Base Score	7.5
CVSS Vector	CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
CWE	CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

Vulnerability CVE-2022-30772

Manipulation of the input address in PnpSmm function 0x52 could be used by malware to overwrite SMRAM or OS kernel memory. Function 0x52 of the PnpSmm driver is passed the address and size of data to write into the SMBIOS table, but manipulation of the address could be used by malware to overwrite SMRAM or OS kernel memory. This issue was discovered by Insyde engineering during a security review. This issue is fixed in: Kernel 5.0: 05.09.41 Kernel 5.1: 05.17.43 Kernel 5.2: 05.27.30 Kernel 5.3: 05.36.30 Kernel 5.4: 05.44.30 Kernel 5.5: 05.52.30 https://www.insyde.com/security-pledge/SA-2022065

CVSS v3.1 Base Score	7.2
CVSS Vector	CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:H/E:P/RL:O/RC:C
CWE	CWE-787: Out-of-bounds Write

Vulnerability CVE-2022-32469

DMA attacks on the PnpSmm shared buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges.

CVSS v3.1 Base Score	8.2
CVSS Vector	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
CWE	CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

Vulnerability CVE-2022-32470

DMA attacks on the FwBlockServiceSmm shared buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges.

CVSS v3.1 Base Score	8.2
CVSS Vector	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
CWE	CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

Vulnerability CVE-2022-32471

DMA attacks on the IHISI command buffer could cause TOCTOU issues which could lead to corruption of SMRAM and escalation of privileges.

CVSS v3.1 Base Score	8.2
CVSS Vector	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
CWE	CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

Vulnerability CVE-2022-32475

DMA attacks on the VariableRuntimeDxe shared buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges.

CVSS v3.1 Base Score	8.2
CVSS Vector	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
CWE	CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

Vulnerability CVE-2022-32477

DMA attacks on the FvbServicesRuntimeDxe shared buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges.

CVSS v3.1 Base Score	8.2
CVSS Vector	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
CWE	CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

Vulnerability CVE-2022-32953

DMA attacks on the SdHostDriver buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges.

CVSS v3.1 Base Score	7.8
CVSS Vector	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
CWE	CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

Vulnerability CVE-2022-32954

DMA attacks on the SdMmcDevice buffer used by SMM and non-SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges.

CVSS v3.1 Base Score	7.8
CVSS Vector	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
CWE	CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

Vulnerability CVE-2022-35893

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. An SMM memory corruption vulnerability in the FvbServicesRuntimeDxe driver allows an attacker to write fixed or predictable data to SMRAM. Exploiting this issue could lead to escalating privileges to SMM.

CVSS v3.1 Base Score	8.2
CVSS Vector	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
CWE	CWE-20: Improper Input Validation

Vulnerability CVE-2022-35894

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. The SMI handler for the FwBlockServiceSmm driver uses an untrusted pointer as the location to copy data to an attacker-specified buffer, leading to information disclosure.

CVSS v3.1 Base Score	6.0
CVSS Vector	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C
CWE	CWE-401: Missing Release of Memory after Effective Lifetime

Vulnerability CVE-2022-35895

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. The FwBlockSericceSmm driver does not properly validate input parameters for a software SMI routine, leading to memory corruption of arbitrary addresses including SMRAM, and possible arbitrary code execution.

CVSS v3.1 Base Score	8.2
CVSS Vector	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
CWE	CWE-787: Out-of-bounds Write

Vulnerability CVE-2022-35896

An issue SMM memory leak vulnerability in SMM driver (SMRAM was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. An attacker can dump SMRAM contents via the software SMI provided by the FvbServicesRuntimeDxe driver to read the contents of SMRAM, leading to information disclosure.

CVSS v3.1 Base Score	6.0
CVSS Vector	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C
CWE	CWE-20: Improper Input Validation

Vulnerability CVE-2022-36338

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. An SMM callout vulnerability in the SMM driver FwBlockServiceSmm, creating SMM, leads to arbitrary code execution. An attacker can replace the pointer to the UEFI boot service GetVariable with a pointer to malware, and then generate a software SMI.

CVSS v3.1 Base Score	7.5
CVSS Vector	CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
CWE	CWE-20: Improper Input Validation

Vulnerability CVE-2023-24932

An attacker who has physical access or Administrative rights to a target device could install an affected boot policy which could bypass Security Boot.

CVSS v3.1 Base Score	6.7
CVSS Vector	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
CWE	CWE-358: Improperly Implemented Security Check for Standard

Vulnerability CVE-2023-27373

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. Due to insufficient input validation, an attacker can tamper with a runtime-accessible EFI variable to cause a dynamic BAR setting to overlap SMRAM.

CVSS v3.1 Base Score	5.5
CVSS Vector	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
CWE	CWE-20: Improper Input Validation

Vulnerability CVE-2023-31041

An issue was discovered in SysPasswordDxe in Insyde InsydeH2O with kernel 5.0 through 5.5. System password information could optionally be stored in cleartext, which might lead to possible information disclosure.

CVSS v3.1 Base Score	5.1
CVSS Vector	CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
CWE	CWE-256: Plaintext Storage of a Password

ADDITIONAL INFORMATION

For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT:

https://www.siemens.com/cert/advisories

HISTORY DATA

V1.0 (2023-09-12):

Publication Date

Siemens Security Advisories are subject to the terms and conditions contained in Siemens’ underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter "License Terms"). To the extent applicable to information, software or documentation made available in or through a Siemens Security Advisory, the Terms of Use of Siemens’ Global Website (https://www.siemens.com/ terms_of_use, hereinafter "Terms of Use"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.