Insyde Software Corporation Information for VU#976132

UEFI implementations do not properly secure the EFI S3 Resume Boot Path boot script

Status

Affected

Vendor Statement

"Insyde has reviewed the Insyde BIOS code and did find some vulnerabilities to some of the items in this report. Insyde used the Native EDK II Lock Box Mechanism for saving the Boot Script in our Insyde H2O 5 codebase thus providing adequate protection. By late 2014 Insyde created a protection mechanism for our Insyde H2O 3.7 codebase to protect the Boot Script. By late 2014 Insyde had protected the AcpiGlobalVariable for both codebases.

    The Variable updates were available in Tags 03.74.42 and 05.04.42 which was the 2014 work week 42 release. The internal tracking number was IB02960681.

    The Insyde H2O 3.7 Boot Script protection mechanism was made available in various chipset Tags.

    OEM and ODM customers are advised to contact their Insyde support representative for documentation and assistance.

    End users are advised to contact the manufacturer of their equipment."

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Vendor References

    None

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.