Siemens RUGGEDCOM APE 1808

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories CERT Services | Services |...

Siemens Industrial Products Uncontrolled Resource Consumption (CVE-2019-11479)

Multiple industrial products are affected by a vulnerability in the kernel known as TCP SACK PANIC. An attacker with network access to affected products could cause a denial of service condition because of a vulnerability in the TCP retransmission queue implementation kernel when handling TCP...

Siemens Industrial Products Uncontrolled Resource Consumption (CVE-2019-11478)

Multiple industrial products are affected by a vulnerability in the kernel known as TCP SACK PANIC. A remote attacker could cause a denial of service condition by sending specially crafted TCP Selective Acknowledgment SACK sequences to affected products. This plugin only works with Tenable.ot...

Siemens InsydeH2O Time-of-check Time-of-use Race Condition (CVE-2022-32478)

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. DMA attacks on the IdeBusDxe shared buffer used by SMM and non- SMM code could cause TOCTOU race-condition issues that could lead to corruption of SMRAM and escalation of privileges. This attack can be mitigated using IOMMU...

Siemens InsydeH2O Out-of-bounds Write (CVE-2021-43615)

An issue was discovered in HddPassword in Insyde InsydeH2O with kernel 5.1 before 05.16.23, 5.2 before 05.26.23, 5.3 before 05.35.23, 5.4 before 05.43.22, and 5.5 before 05.51.22. An SMM memory corruption vulnerability allows an attacker to write fixed or predictable data to SMRAM. Exploiting thi...

Siemens InsydeH2O Out-of-bounds Write (CVE-2023-22612)

An issue was discovered in IhisiSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. A malicious host OS can invoke an Insyde SMI handler with malformed arguments, resulting in memory corruption in SMM. Insyde BIOS is typically used in RUGGEDCOM APE products and some SIMATIC devices. Please refer...

Siemens InsydeH2O SMM Privilege Escalation (CVE-2021-42113)

An issue was discovered in StorageSecurityCommandDxe in Insyde InsydeH2O with Kernel 5.1 before 05.14.28, Kernel 5.2 before 05.24.28, and Kernel 5.3 before 05.32.25. An SMM callout vulnerability allows an attacker to hijack execution flow of code running in System Management Mode. Exploiting this...

Siemens InsydeH2O Out-of-bounds Write (CVE-2021-42554)

An issue was discovered in Insyde InsydeH2O with Kernel 5.0 before 05.08.42, Kernel 5.1 before 05.16.42, Kernel 5.2 before 05.26.42, Kernel 5.3 before 05.35.42, Kernel 5.4 before 05.42.51, and Kernel 5.5 before 05.50.51. An SMM memory corruption vulnerability in FvbServicesRuntimeDxe allows a...

Siemens InsydeH2O Time-of-check Time-of-use Race Condition (CVE-2022-34325)

DMA transactions which are targeted at input buffers used for the StorageSecurityCommandDxe software SMI handler could cause SMRAM corruption through a TOCTOU attack. DMA transactions which are targeted at input buffers used for the software SMI handler used by the StorageSecurityCommandDxe drive...

Siemens InsydeH2O Missing Release of Memory after Effective Lifetime (CVE-2022-35894)

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. The SMI handler for the FwBlockServiceSmm driver uses an untrusted pointer as the location to copy data to an attacker- specified buffer, leading to information disclosure. Insyde BIOS is typically used in RUGGEDCOM APE...

Siemens InsydeH2O Privilege Escalation (CVE-2020-5955)

An issue was discovered in Int15MicrocodeSmm in Insyde InsydeH2O before 2021-10-14 on Intel client chipsets. A caller may be able to escalate privileges. Insyde BIOS is typically used in RUGGEDCOM APE products and some SIMATIC devices. Please refer to the vendor advisory for a precise list of...

Siemens InsydeH2O Improper Restriction of Operations within the Bounds of a Memory Buffer (CVE-2021-41837)

An issue was discovered in AhciBusDxe in the kernel 5.0 through 5.5 in Insyde InsydeH2O. Because of an Untrusted Pointer Dereference that causes SMM memory corruption, an attacker may be able to write fixed or predictable data to SMRAM. Exploiting this issue could lead to escalating privileges to...

Siemens InsydeH2O Improper Restriction of Operations within the Bounds of a Memory Buffer (CVE-2021-33627)

An issue was discovered in Insyde InsydeH2O 5.x, affecting FwBlockServiceSmm. Software SMI services that use the Communicate function of the EFISMMCOMMUNICATIONPROTOCOL do not check whether the address of the buffer is valid, which allows use of SMRAM, MMIO, or OS kernel addresses Insyde BIOS is...

Siemens InsydeH2O Improper Input Validation (CVE-2020-27339)

In the kernel in Insyde InsydeH2O 5.x, certain SMM drivers did not correctly validate the CommBuffer and CommBufferSize parameters, allowing callers to corrupt either the firmware or the OS memory. The fixed versions for this issue in the AhciBusDxe, IdeBusDxe, NvmExpressDxe, SdHostDriverDxe, and...

Siemens InsydeH2O Improper Restriction of Operations within the Bounds of a Memory Buffer (CVE-2021-41839)

An issue was discovered in NvmExpressDxe in the kernel 5.0 through 5.5 in Insyde InsydeH2O. Because of an Untrusted Pointer Dereference that causes SMM memory corruption, an attacker may be able to write fixed or predictable data to SMRAM. Exploiting this issue could lead to escalating privileges...

Siemens InsydeH2O Improper Input Validation (CVE-2021-41842)

An issue was discovered in AtaLegacySmm in the kernel 5.0 before 05.08.46, 5.1 before 05.16.46, 5.2 before 05.26.46, 5.3 before 05.35.46, 5.4 before 05.43.46, and 5.5 before 05.51.45 in Insyde InsydeH2O. Code execution can occur because the SMI handler lacks a CommBuffer check. Insyde BIOS is...

Siemens InsydeH2O Improper Input Validation (CVE-2023-27373)

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. Due to insufficient input validation, an attacker can tamper with a runtime-accessible EFI variable to cause a dynamic BAR setting to overlap SMRAM. Insyde BIOS is typically used in RUGGEDCOM APE products and some SIMATIC...

Siemens InsydeH2O SMM Privilege Escalation (CVE-2021-42060)

An issue was discovered in Insyde InsydeH2O Kernel 5.0 through 05.08.41, Kernel 5.1 through 05.16.41, Kernel 5.2 before 05.23.22, and Kernel 5.3 before 05.32.22. An Int15ServiceSmm SMM callout vulnerability allows an attacker to hijack execution flow of code running in System Management Mode...

Siemens InsydeH2O Arbitrary Code Execution (CVE-2022-36338)

An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5.5. An SMM callout vulnerability in the SMM driver FwBlockServiceSmm, creating SMM, leads to arbitrary code execution. An attacker can replace the pointer to the UEFI boot service GetVariable with a pointer to malware, and then...

Siemens InsydeH2O Out-of-bounds Write (CVE-2021-45970)

An issue was discovered in IdeBusDxe in Insyde InsydeH2O with kernel 5.1 before 05.16.25, 5.2 before 05.26.25, 5.3 before 05.35.25, 5.4 before 05.43.25, and 5.5 before 05.51.25. A vulnerability exists in the SMM System Management Mode branch that registers a SWSMI handler that does not sufficient...