Overview
The InsydeH2O Hardware-2-Operating System (H2O) UEFI firmware contains multiple vulnerabilities related to memory management in System Management Mode (SMM).
Description
UEFI software provides an extensible interface between an operating system and platform firmware. UEFI software uses a highly privileged processor execution mode called System Management Mode (SMM) for handling system-wide functions like power management, system hardware control, or proprietary OEM-designed code. SMM's privileges, also referred to as "Ring -2," exceed the privileges of the operating system's kernel ("Ring-0"). For this reason, SMM is executed in a protected area of memory called the SMRAM. It is typically accessed via System Management Interrupt (SMI) Handlers using communication buffers, which are also known as "SMM Comm Buffers." The SMM also provides protection against SPI flash modifications and performs boot time verifications similar to those performed by SecureBoot.
UEFI software requires both openness (for hardware drivers, pluggable devices and Driver eXecution Environment (DXE) updates) as well as very tight security controls (for e.g., SMM Comm Buffer Security), making it a complex software that needs a thorough set of security controls that need validation throughout the software's lifecycle. UEFI also supports recent capabilities like Virtual Machine Manager (VMM) for virtualization and the increasing demand of virtual computing resources.
Insyde's H2O UEFI firmware contains several (23) memory management vulnerabilities that were disclosed by Binarly. While these vulnerabilities were discovered in Fujitsu and Bull Atos implementations of Insyde H2O software, the same software is also present in many other vendor implementations due to the complex UEFI supply chain. The vulnerabilities can be classified by the following UEFI vulnerability categories.
| Vulnerability Category | Count |
| SMM Privilege Escalation | 10 |
| SMM Memory Corruption | 12 |
| DXE Memory Corruption | 1 |
Impact
The impacts of these vulnerabilities vary widely due to the nature of SMM capabilities. As an example, a local attacker with administrative privileges (or a remote attacker with administrative privileges) can exploit these vulnerabilities to elevate privileges above the operating system to execute arbitrary code in SMM mode. These attacks can be invoked from the operating system using the unverified or unsafe SMI Handlers, and in some cases these bugs can also be triggered in the UEFI early boot phases ( as well as sleep and recovery like ACPI) before the operating system is initialized.
In summary, a local attacker with administrative privileges (in some cases a remote attacker with administrative privileges) can use malicious software to perform any of the following:
- Invalidate many hardware security features (SecureBoot, Intel BootGuard)
- Install persistent software that cannot be easily erased
- Create backdoors and back communications channels to exfiltrate sensitive data
Solution
Install the latest stable version of firmware provided by your PC vendor or your nearest reseller of your computing environments. See the links below to resources and updates provided by specific vendors.
If your operating system supports automatic or managed updates for firmware, such as Linux Vendor Firmware Service (LVFS), apply the related software security updates. Binarly has also provided a set of UEFI software detection rules called FwHunt rules to assist with identifying vulnerable software. LVFS applies these FwHunt rules to detect and support the fix of firmware updates that are impacted by this advisory.
Acknowledgements
The efiXplorer team of Binarly researched and reported these vulnerabilities to Insyde Software. Insyde Software worked closely with CERT/CC during the coordinated disclosure process for these vulnerabilities.
This document was written by Vijay Sarvepalli.
Vendor Information
796611
Aruba Networks Affected
Notified: 2021-10-18
Updated: 2023-07-17
Statement Date: July 17, 2023
| CVE-2020-27339 | Affected |
| CVE-2020-5953 | Affected |
| CVE-2021-33625 | Affected |
| CVE-2021-33626 | Affected |
| CVE-2021-33627 | Affected |
| CVE-2021-41837 | Affected |
| CVE-2021-41838 | Affected |
| CVE-2021-41839 | Affected |
| CVE-2021-41840 | Affected |
| CVE-2021-41841 | Affected |
| CVE-2021-42059 | Affected |
| CVE-2021-42060 | Not Affected |
| CVE-2021-42113 | Affected |
| CVE-2021-42554 | Affected |
| CVE-2021-43323 | Affected |
| CVE-2021-43522 | Affected |
| CVE-2021-43615 | Not Affected |
| CVE-2021-45969 | Not Affected |
| CVE-2021-45970 | Not Affected |
| CVE-2021-45971 | Not Affected |
| CVE-2022-24030 | Not Affected |
| CVE-2022-24031 | Not Affected |
| CVE-2022-24069 | Not Affected |
| CVE-2022-28806 | Not Affected |
Vendor Statement
Aruba has published information about products affected by these vulnerabilities at https://www.arubanetworks.com/support-services/security-bulletins/ with the specific URLs listed as references.
References
Atos SE Affected
Notified: 2022-02-04
Updated: 2022-02-04
Statement Date: February 04, 2022
| CVE-2020-27339 | Unknown |
| CVE-2020-5953 | Affected |
| CVE-2021-33625 | Affected |
| CVE-2021-33626 | Unknown |
| CVE-2021-33627 | Unknown |
| CVE-2021-41837 | Unknown |
| CVE-2021-41838 | Unknown |
| CVE-2021-41839 | Unknown |
| CVE-2021-41840 | Unknown |
| CVE-2021-41841 | Unknown |
| CVE-2021-42059 | Affected |
| CVE-2021-42060 | Affected |
| CVE-2021-42113 | Affected |
| CVE-2021-42554 | Affected |
| CVE-2021-43323 | Affected |
| CVE-2021-43522 | Affected |
| CVE-2021-43615 | Affected |
| CVE-2021-45969 | Affected |
| CVE-2021-45970 | Affected |
| CVE-2021-45971 | Affected |
| CVE-2022-24030 | Affected |
| CVE-2022-24031 | Affected |
| CVE-2022-24069 | Affected |
| CVE-2022-28806 | Unknown |
Vendor Statement
On February 1st, 2022, CERT-CC, Insyde Inc., and Binarly Inc. collectively disclosed a set of vulnerabilities affecting InsydeH2O Hardware-2-Operating System (H2O) UEFI Bios. These vulnerabilities generalize to all Intel configurations a 2020 vulnerability affecting a version of InsydeH2O that supported a specific Intel chipset (CVE-2020-5953). They affect any product using UEFI Bios based on InsydeH2O, including some BullSequana products. Atos is liaising closely with its suppliers and investigating the exact nature of these vulnerabilities to provide validated remediation.
Fujitsu Affected
Notified: 2021-09-21
Updated: 2022-11-09
Statement Date: June 03, 2022
| CVE-2020-27339 | Not Affected |
| Vendor Statement: | |
| Insyde Security Advisory INSYDE-SA-2021001 (CVE-2020-27339) on InsydeH2O is not part of this 2022/Q2 Insyde Security Advisory (ISA). The Fujitsu PSIRT already addressed the Insyde Security Advisory internally and released dedicated Fujitsu PSIRT Security Notice FCCL-IS-2021-061600. | |
| CVE-2020-5953 | Affected |
| CVE-2021-33625 | Affected |
| CVE-2021-33626 | Affected |
| CVE-2021-33627 | Affected |
| CVE-2021-41837 | Affected |
| CVE-2021-41838 | Affected |
| CVE-2021-41839 | Affected |
| CVE-2021-41840 | Affected |
| CVE-2021-41841 | Affected |
| CVE-2021-42059 | Affected |
| CVE-2021-42060 | Affected |
| CVE-2021-42113 | Affected |
| CVE-2021-42554 | Affected |
| CVE-2021-43323 | Affected |
| CVE-2021-43522 | Affected |
| CVE-2021-43615 | Affected |
| CVE-2021-45969 | Affected |
| CVE-2021-45970 | Not Affected |
| Vendor Statement: | |
| Insyde Security Advisory INSYDE-SA-2022002 (CVE-2021-45970) on InsydeH2O, as part of this 2022/Q2 Insyde Security Advisory (ISA), does not affect any Fujitsu product. | |
| CVE-2021-45971 | Affected |
| CVE-2022-24030 | Affected |
| CVE-2022-24031 | Affected |
| CVE-2022-24069 | Affected |
| CVE-2022-28806 | Affected |
Vendor Statement
Fujitsu is aware of the security vulnerabilities in Insyde firmware (InsydeH2O UEFI-BIOS).
Affected products are Fujitsu CCD (Client Computing Device) mobile devices.
The Fujitsu PSIRT released FCCL-IS-2021-090903 on https://security.ts.fujitsu.com (Security Advisories) accordingly.
In case of questions regarding this Fujitsu PSIRT Security Notice, please contact the Fujitsu PSIRT (Fujitsu-PSIRT@ts.fujitsu.com).
References
Insyde Software Corporation Affected
Notified: 2021-09-17
Updated: 2022-11-09
Statement Date: June 02, 2022
| CVE-2020-27339 | Affected |
| Vendor Statement: | |
| This corresponds to CVE-2020-27339. It affects the driver IdeBusDxe. It was discovered by an external security researcher and entered as an incident on 14 October 2020. It was independently reported by Binarly as BRLY-2021-020 in September 2021. The code that resolved the issue can be found in the following kernel versions: Kernel 5.1: 05.16.25, Kernel 5.2: 05.26.25, Kernel 5.3: 05.35.25, Kernel 5.4: 05.43.25, Kernel 5.5: Unaffected | |
| CVE-2020-5953 | Affected |
| Vendor Statement: | |
| This corresponds to CVE-2020-5953. It affects the driver AsfSecureBootSmm. This issue was discovered by a 3rd party security researcher on a version of InsydeH2O that supported a specific Intel chipset. Insyde engineers subsequently discovered that drivers with the same name on versions of InsydeH2O supporting other Intel chipsets were similarly vulnerable. Prior to disclosure, this issue was independently discovered by the Binarly efiXplorer team. The fixed versions were as follows (using the Intel code name): Intel Kaby Lake - 05.12.09.0074, Intel Cannon Lake - 05.34.03.0029, Intel Coffee Lake - 05.34.03.0029, Intel Whiskey Lake (on Cannon Lake) - 05.34.03.0029, Intel Whiskey Lake - 05.23.45.0023, Intel Whiskey Lake (Server/Embedded) - TBD, Intel Comet Lake - 05.23.04.0045, Intel Comet Lake (Server/Embedded) - 05.34.03.0029, Intel Mehlow - TBD, Intel Greenlow/Greenlow-R - TBD, Intel Ice Lake - 05.33.15.0034, Intel Rocket Lake - Unaffected, Intel Tiger Lake - 05.42.03.0010, Intel Alder Lake - Unaffected | |
| CVE-2021-33625 | Affected |
| Vendor Statement: | |
| This affects the HddPassword driver. It was reported by the Binarly efiXplorer team. Fixes are available in the InsydeH2O kernel: Kernel 5.1: 05.16.23, Kernel 5.2: 05.26.23, Kernel 5.3: 05.35.23, Kernel 5.4: 05.43.22, Kernel 5.5: 05.51.22 | |
| CVE-2021-33626 | Affected |
| Vendor Statement: | |
| This corresponds to CVE-2021-33626. It affects the driver SmmResourceCheckDxe. This issue was discovered by Insyde engineering during an internal security review of several Insyde drivers and entered as a security incident on May 28, 2021. It was independently reported by Binaryly (BRLY-2021-013) in September 2021. It was fixed in the following Insyde kernel versions on June 1, 2021. Kernel 5.1: 05.16.23 Kernel 5.2: 05.26.23 Kernel 5.3: 05.35.23 Kernel 5.4: 05.43.23 Kernel 5.5: 05.51.23 | |
| CVE-2021-33627 | Affected |
| Vendor Statement: | |
| This corresponds fo CVE-2021-33627. It affects the driver FwBlockServiceSmm. This issue was discovered by Insyde engineering during an internal security review and reported on 25 May 2021. It was independently reported by Binarly (BRLY-2021-011) in September 2021. It was fixed in the following Insyde kernel versions. Kernel 5.0: 05.08.29. Kernel 5.1: 05.16.29. Kernel 5.2: 05.26.29. Kernel 5.3: 05.35.29. Kernel 5.4: Unaffected. Kernel 5.5: Unaffected. | |
| CVE-2021-41837 | Affected |
| Vendor Statement: | |
| This corresponds to CVE-2021-41837. It affects the AhciBusDxe driver. This issue was discovered by the Binarly efiXplorer team. The fixed versions of Kernel 5.0: 05.08.41, Kernel 5.1: 05.16.41, Kernel 5.2: 05.26.41, Kernel 5.3: 05.35.41, Kernel 5.4: 05.43.41, Kernel 5.5: 05.51.41 | |
| CVE-2021-41838 | Affected |
| Vendor Statement: | |
| This corresponds to CVE-2021-41838. It affects the driver NvmExpressDxe driver. This issue was discovered by the Binarly efiXplorer team. The fixed versions are Kernel 5.1: 05.16.42, Kernel 5.2: 05.26.42, Kernel 5.3: 05.35.42, Kernel 5.4: 05.43.42, Kernel 5.5: 05.51.42 | |
| CVE-2021-41839 | Affected |
| Vendor Statement: | |
| This corresponds to CVE-2021-41839. It affects the driver NvmExpressDxe. This issue was discovered by Insyde engineering during an internal security review of several Insyde drivers and entered as a security incident on May 28, 2021. It was independently reported by Binarly (BRLY-2021-017) in September 2021. It was fixed in the following Insyde kernel versions on June 18, 2021. Kernel 5.0: Unaffected. Kernel 5.1: 05.16.25 Kernel 5.2: 05.26.25 Kernel 5.3: 05.35.25 Kernel 5.4: 05.43.25 Kernel 5.5: 05.51.25 | |
| CVE-2021-41840 | Affected |
| Vendor Statement: | |
| This corresponds to CVE-2021-41840. It affects the driver SdHostDriver. This issue was discovered internally by during an Insyde code review but was not classified as a security incident until September 17, 2021. It was independently reported by Binarly (BRLY-2021-019) in September 2021. The code that fixed the issue can be found in the following Insyde kernel versions, starting on August 28, 2020. Kernel 5.0: not present. Kernel 5.1: not present. Kernel 5.2: 05.23.35 Kernel 5.3: 05.32.35 Kernel 5.4: 05.40.35 Kernel 5.5: not present. | |
| CVE-2021-41841 | Affected |
| Vendor Statement: | |
| This corresponds to CVE-2021-41841. It affects the driver AhciBusDxe. This issue was discovered by a 3rd party security researcher and entered as a security incident on May 26, 2021. It was independently reported by Binarly (BRLY-2021-018) in September 2021. It was fixed in the following Insyde kernel versions on July 26, 2021. Kernel 5.0: 05.08.29 Kernel 5.1: 05.16.29 Kernel 5.2: 05.26.29 Kernel 5.3: 05.35.29 Kernel 5.4: 05.43.29 Kernel 5.5: 05.51.29 | |
| CVE-2021-42059 | Affected |
| Vendor Statement: | |
| This affects the DisplayTypeDxe driver. It was reported by the Binarly efiXplorer team. It was fixed in the InsydeH2O kernel: Kernel 5.0 05.08.41, Kernel 5.1: 05.16.41, Kernel 5.2: 05.26.41, Kernel 5.3: 05.35.41, Kernel 5.4: 05.42.20, Kernel 5.5: unaffected. | |
| CVE-2021-42060 | Affected |
| Vendor Statement: | |
| This affects the Int15ServiceSmm driver. It was reported by the Binarly efiXplorer team. It was fixed in InsydeH2O versions kernel 5.0: 05.08.49, kernel 5.1: 05.16.49, kernel 5.2: 05.23.22, Kernel 5.3: 05.32.22, Kernel 5.4: unaffected, kernel 5.5: unaffected. | |
| CVE-2021-42113 | Affected |
| Vendor Statement: | |
| This corresponds to CVE-2021-42113. It affects the StorageSecurityCommandDxe driver. It was discovered by the Binarly efiXplorer team. It is fixed in the InsydeH2O kernel: Kernel 5.1: 05.14.34, Kernel 5.2: 05.24.34, Kernel 5.3: 05.33.34, Kernel 5.4: unaffected. Kernel 5.5: unaffected. | |
| CVE-2021-42554 | Affected |
| Vendor Statement: | |
| This affects the FvbServicesRuntimeDxe driver. It was reported by the Binarly efiXplorer team. It is fixed in the following InsydeH2O kernel versions: Kernel 5.0: 05.08.42, Kernel 5.1: 05.16.42, Kernel 5.2: 05.26.42, Kernel 5.3: 05.35.42, Kernel 5.4: 05.42.51, Kernel 5.5: 05.50.51 | |
| CVE-2021-43323 | Affected |
| Vendor Statement: | |
| This affects the UsbCoreDxe driver. It was reported by the Binarly efiXplorer team. The fixes are available for the Insyde kernel: Kernel 5.0: 05.08.45, Kernel 5.1: 05.16.45, Kernel 5.2: 05.26.45, Kernel 5.3: 05.35.45, Kernel 5.4: 05.43.45, Kernel 5.5: 05.51.45. | |
| CVE-2021-43522 | Affected |
| CVE-2021-43615 | Affected |
| Vendor Statement: | |
| This affects the HddPassword driver. It was reported by the Binarly efiXplorer team. It was fixed in the InsydeH2O kernel: Kernel 5.1: 05.16.23, Kernel 5.2: 05.23.22, Kernel 5.3: 05.32.22, Kernel 5.4: Unaffected, Kernel 5.5: Unaffected | |
| CVE-2021-45969 | Affected |
| Vendor Statement: | |
| This corresponds to CVE-2021-45969. It affects the driver AhciBusDxe. This issue was discovered by Insyde engineering during an internal security review of several Insyde drivers and entered as a security incident on May 28, 2021. It was independently reported by Binaryly (BRLY-2021-016) in September 2021. It was fixed in the following Insyde kernel versions on June 18, 2021. It was fixed in the following versions: Kernel 5.1: 05.16.25 Kernel 5.2: 05.26.25 Kernel 5.3: 05.35.25 Kernel 5.4: 05.43.25 Kernel 5.5: 05.51.25. This issue was previously reported incorrectly as part of CVE-2020-27339. | |
| CVE-2021-45970 | Affected |
| Vendor Statement: | |
| This corresponds to CVE-2021-45970. It affects the driver IdeBusDxe. This issue was discovered by Insyde engineering during an internal security review of several Insyde drivers and entered as a security incident on May 28, 2021. It was independently reported by Binarly (BRLY-2021-015) in September 2021. It was fixed in the following Insyde kernel versions on June 18, 2021. It was fixed in the following Insyde kernel versions: Kernel 5.1: 05.16.25 Kernel 5.2: 05.26.25 Kernel 5.3: 05.35.25 Kernel 5.4: 05.43.25 Kernel 5.5: 05.51.25. This issue was previously reported incorrectly as part of CVE-2020-27339. | |
| CVE-2021-45971 | Affected |
| Vendor Statement: | |
| This corresponds to CVE-2021-45971. It affects the driver SdHostDriver. This issue was discovered by Insyde engineering during an internal security review of several Insyde drivers and entered as a security incident on May 28, 2021. It was independently reported by Binarly (BRLY-2021-012) in September 2021 It was fixed in the following Insyde kernel versions on June 18, 2021. Kernel 5.1: 05.16.25 Kernel 5.2: 05.26.25 Kernel 5.3: 05.35.25 Kernel 5.4: 05.43.25 Kernel 5.5: 05.51.25. It was previously reported incorrectly as part of CVE-2020-27339. | |
| CVE-2022-24030 | Affected |
| Vendor Statement: | |
| This affects the AhciBusDxe driver. This issue was discovered by the Binarly efiXplorer team. The fixed versions of Kernel 5.0: 05.08.41, Kernel 5.1: 05.16.41, Kernel 5.2: 05.26.41, Kernel 5.3: 05.35.41, Kernel 5.4: 05.43.41, Kernel 5.5: 05.51.41 | |
| CVE-2022-24031 | Affected |
| Vendor Statement: | |
| This affects the NvmExpressDxe driver. This issue was discovered by the Binarly efiXplorer team. The fixed versions are Kernel 5.1: 05.16.42, Kernel 5.2: 05.26.42, Kernel 5.3: 05.35.42, Kernel 5.4: 05.43.42, Kernel 5.5: 05.51.42 | |
| CVE-2022-24069 | Affected |
| Vendor Statement: | |
| This issue corresponds to CVE-2022-24069. It affects the driver AhciBusDxe. This issue was discovered by the Binarly efiXplorer team. It was fixed in the following Insyde kernel versions on July 26, 2021. Kernel 5.0: 05.08.29 Kernel 5.1: 05.16.29 Kernel 5.2: 05.26.29 Kernel 5.3: 05.35.29 Kernel 5.4: 05.43.29 Kernel 5.5: 05.51.29 | |
| CVE-2022-28806 | Not Affected |
Vendor Statement
These issues affect a broad range of Insyde's InsydeH2O products. They are not chipset specific, but they are specific to kernel versions, which are listed with each statement. We have disclosed these to all affected customers.
AMD Not Affected
Notified: 2022-01-26
Updated: 2022-04-26
Statement Date: March 28, 2022
| CVE-2020-27339 | Not Affected |
| CVE-2020-5953 | Not Affected |
| CVE-2021-33625 | Not Affected |
| CVE-2021-33626 | Not Affected |
| CVE-2021-33627 | Not Affected |
| CVE-2021-41837 | Not Affected |
| CVE-2021-41838 | Not Affected |
| CVE-2021-41839 | Not Affected |
| CVE-2021-41840 | Not Affected |
| CVE-2021-41841 | Not Affected |
| CVE-2021-42059 | Not Affected |
| CVE-2021-42060 | Not Affected |
| CVE-2021-42113 | Not Affected |
| CVE-2021-42554 | Not Affected |
| CVE-2021-43323 | Not Affected |
| CVE-2021-43522 | Not Affected |
| CVE-2021-43615 | Not Affected |
| CVE-2021-45969 | Not Affected |
| CVE-2021-45970 | Not Affected |
| CVE-2021-45971 | Not Affected |
| CVE-2022-24030 | Not Affected |
| CVE-2022-24031 | Not Affected |
| CVE-2022-24069 | Not Affected |
| CVE-2022-28806 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
American Megatrends Incorporated (AMI) Not Affected
Notified: 2022-01-18
Updated: 2022-04-26
Statement Date: February 10, 2022
| CVE-2020-27339 | Not Affected |
| CVE-2020-5953 | Not Affected |
| CVE-2021-33625 | Not Affected |
| CVE-2021-33626 | Not Affected |
| CVE-2021-33627 | Not Affected |
| CVE-2021-41837 | Not Affected |
| CVE-2021-41838 | Not Affected |
| CVE-2021-41839 | Not Affected |
| CVE-2021-41840 | Not Affected |
| CVE-2021-41841 | Not Affected |
| CVE-2021-42059 | Not Affected |
| CVE-2021-42060 | Not Affected |
| CVE-2021-42113 | Not Affected |
| CVE-2021-42554 | Not Affected |
| CVE-2021-43323 | Not Affected |
| CVE-2021-43522 | Not Affected |
| CVE-2021-43615 | Not Affected |
| CVE-2021-45969 | Not Affected |
| CVE-2021-45970 | Not Affected |
| CVE-2021-45971 | Not Affected |
| CVE-2022-24030 | Not Affected |
| CVE-2022-24031 | Not Affected |
| CVE-2022-24069 | Not Affected |
| CVE-2022-28806 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
Hewlett Packard Enterprise Not Affected
Notified: 2021-10-05
Updated: 2022-04-26
Statement Date: March 02, 2022
| CVE-2020-27339 | Not Affected |
| CVE-2020-5953 | Not Affected |
| CVE-2021-33625 | Not Affected |
| CVE-2021-33626 | Not Affected |
| CVE-2021-33627 | Not Affected |
| CVE-2021-41837 | Not Affected |
| CVE-2021-41838 | Not Affected |
| CVE-2021-41839 | Not Affected |
| CVE-2021-41840 | Not Affected |
| CVE-2021-41841 | Not Affected |
| CVE-2021-42059 | Not Affected |
| CVE-2021-42060 | Not Affected |
| CVE-2021-42113 | Not Affected |
| CVE-2021-42554 | Not Affected |
| CVE-2021-43323 | Not Affected |
| CVE-2021-43522 | Not Affected |
| CVE-2021-43615 | Not Affected |
| CVE-2021-45969 | Not Affected |
| CVE-2021-45970 | Not Affected |
| CVE-2021-45971 | Not Affected |
| CVE-2022-24030 | Not Affected |
| CVE-2022-24031 | Not Affected |
| CVE-2022-24069 | Not Affected |
| CVE-2022-28806 | Not Affected |
Vendor Statement
HPE has evaluated the integration of the InsydeH20 UEFI BIOS in HPE products. Most HPE products do not integrate, include, or use the InsydeH20 UEFI BIOS and are therefore not affected by these vulnerabilities. A small number of HPE products do include the InsydeH20 UEFI BIOS, but are not affected by these vulnerabilities due to the way the InsydeH20 UEFI BIOS is implemented. Some HPE Aruba products use the InsydeH20 UEFI BIOS and they are affected by some of these vulnerabilities.
DETAILS For more information about the HPE Aruba products affected by the InsydeH20 UEFI BIOS vulnerabilities, see the following Aruba Product Security Advisories:
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-001.txt Non-HPE site
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-002.txt Non-HPE site
Intel Not Affected
Notified: 2021-10-05
Updated: 2022-04-26
Statement Date: February 04, 2022
| CVE-2020-27339 | Not Affected |
| CVE-2020-5953 | Not Affected |
| CVE-2021-33625 | Not Affected |
| CVE-2021-33626 | Not Affected |
| CVE-2021-33627 | Not Affected |
| CVE-2021-41837 | Not Affected |
| CVE-2021-41838 | Not Affected |
| CVE-2021-41839 | Not Affected |
| CVE-2021-41840 | Not Affected |
| CVE-2021-41841 | Not Affected |
| CVE-2021-42059 | Not Affected |
| CVE-2021-42060 | Not Affected |
| CVE-2021-42113 | Not Affected |
| CVE-2021-42554 | Not Affected |
| CVE-2021-43323 | Not Affected |
| CVE-2021-43522 | Not Affected |
| CVE-2021-43615 | Not Affected |
| CVE-2021-45969 | Not Affected |
| CVE-2021-45970 | Not Affected |
| CVE-2021-45971 | Not Affected |
| CVE-2022-24030 | Not Affected |
| CVE-2022-24031 | Not Affected |
| CVE-2022-24069 | Not Affected |
| CVE-2022-28806 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
NetApp Not Affected
Notified: 2022-02-25
Updated: 2022-02-25
Statement Date: February 24, 2022
| CVE-2020-27339 | Not Affected |
| CVE-2020-5953 | Unknown |
| CVE-2021-33625 | Unknown |
| CVE-2021-33626 | Unknown |
| CVE-2021-33627 | Unknown |
| CVE-2021-41837 | Unknown |
| CVE-2021-41838 | Unknown |
| CVE-2021-41839 | Unknown |
| CVE-2021-41840 | Not Affected |
| CVE-2021-41841 | Unknown |
| CVE-2021-42059 | Not Affected |
| CVE-2021-42060 | Unknown |
| CVE-2021-42113 | Not Affected |
| CVE-2021-42554 | Unknown |
| CVE-2021-43323 | Unknown |
| CVE-2021-43522 | Not Affected |
| CVE-2021-43615 | Not Affected |
| CVE-2021-45969 | Unknown |
| CVE-2021-45970 | Unknown |
| CVE-2021-45971 | Unknown |
| CVE-2022-24030 | Unknown |
| CVE-2022-24031 | Unknown |
| CVE-2022-24069 | Unknown |
| CVE-2022-28806 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
References
- https://security.netapp.com/advisory/ntap-20220217-0014/
- https://security.netapp.com/advisory/ntap-20220216-0004/
- https://security.netapp.com/advisory/ntap-20220217-0014/
CERT Addendum
NetApp is still investigating some vulnerabilities disclosed. Visit NetApp Advisory page for details. https://security.netapp.com/advisory/
Phoenix Technologies Not Affected
Notified: 2022-03-24
Updated: 2022-04-26
Statement Date: March 24, 2022
| CVE-2020-27339 | Not Affected |
| CVE-2020-5953 | Not Affected |
| CVE-2021-33625 | Not Affected |
| CVE-2021-33626 | Not Affected |
| CVE-2021-33627 | Not Affected |
| CVE-2021-41837 | Not Affected |
| CVE-2021-41838 | Not Affected |
| CVE-2021-41839 | Not Affected |
| CVE-2021-41840 | Not Affected |
| CVE-2021-41841 | Not Affected |
| CVE-2021-42059 | Not Affected |
| CVE-2021-42060 | Not Affected |
| CVE-2021-42113 | Not Affected |
| CVE-2021-42554 | Not Affected |
| CVE-2021-43323 | Not Affected |
| CVE-2021-43522 | Not Affected |
| CVE-2021-43615 | Not Affected |
| CVE-2021-45969 | Not Affected |
| CVE-2021-45970 | Not Affected |
| CVE-2021-45971 | Not Affected |
| CVE-2022-24030 | Not Affected |
| CVE-2022-24031 | Not Affected |
| CVE-2022-24069 | Not Affected |
| CVE-2022-28806 | Not Affected |
Vendor Statement
Our review indicates that our firmware code is Not Affected by these vulnerabilities.
Rockwell Automation Not Affected
Notified: 2022-01-26
Updated: 2022-04-26
Statement Date: January 28, 2022
| CVE-2020-27339 | Not Affected |
| CVE-2020-5953 | Not Affected |
| CVE-2021-33625 | Not Affected |
| CVE-2021-33626 | Not Affected |
| CVE-2021-33627 | Not Affected |
| CVE-2021-41837 | Not Affected |
| CVE-2021-41838 | Not Affected |
| CVE-2021-41839 | Not Affected |
| CVE-2021-41840 | Not Affected |
| CVE-2021-41841 | Not Affected |
| CVE-2021-42059 | Not Affected |
| CVE-2021-42060 | Not Affected |
| CVE-2021-42113 | Not Affected |
| CVE-2021-42554 | Not Affected |
| CVE-2021-43323 | Not Affected |
| CVE-2021-43522 | Not Affected |
| CVE-2021-43615 | Not Affected |
| CVE-2021-45969 | Not Affected |
| CVE-2021-45970 | Not Affected |
| CVE-2021-45971 | Not Affected |
| CVE-2022-24030 | Not Affected |
| CVE-2022-24031 | Not Affected |
| CVE-2022-24069 | Not Affected |
| CVE-2022-28806 | Not Affected |
Vendor Statement
Not affected
References
- Not affected
Supermicro Not Affected
Notified: 2022-01-26
Updated: 2022-04-26
Statement Date: January 28, 2022
| CVE-2020-27339 | Not Affected |
| CVE-2020-5953 | Not Affected |
| CVE-2021-33625 | Not Affected |
| CVE-2021-33626 | Not Affected |
| CVE-2021-33627 | Not Affected |
| CVE-2021-41837 | Not Affected |
| CVE-2021-41838 | Not Affected |
| CVE-2021-41839 | Not Affected |
| CVE-2021-41840 | Not Affected |
| CVE-2021-41841 | Not Affected |
| CVE-2021-42059 | Not Affected |
| CVE-2021-42060 | Not Affected |
| CVE-2021-42113 | Not Affected |
| CVE-2021-42554 | Not Affected |
| CVE-2021-43323 | Not Affected |
| CVE-2021-43522 | Not Affected |
| CVE-2021-43615 | Not Affected |
| CVE-2021-45969 | Not Affected |
| CVE-2021-45970 | Not Affected |
| CVE-2021-45971 | Not Affected |
| CVE-2022-24030 | Not Affected |
| CVE-2022-24031 | Not Affected |
| CVE-2022-24069 | Not Affected |
| CVE-2022-28806 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
Toshiba Corporation Not Affected
Notified: 2021-10-05
Updated: 2022-02-01
Statement Date: October 06, 2021
| CVE-2020-27339 | Not Affected |
| CVE-2020-5953 | Not Affected |
| CVE-2021-33625 | Not Affected |
| CVE-2021-33626 | Not Affected |
| CVE-2021-33627 | Not Affected |
| CVE-2021-41837 | Not Affected |
| CVE-2021-41838 | Not Affected |
| CVE-2021-41839 | Not Affected |
| CVE-2021-41840 | Not Affected |
| CVE-2021-41841 | Not Affected |
| CVE-2021-42059 | Not Affected |
| CVE-2021-42060 | Not Affected |
| CVE-2021-42113 | Not Affected |
| CVE-2021-42554 | Not Affected |
| CVE-2021-43323 | Not Affected |
| CVE-2021-43522 | Not Affected |
| CVE-2021-43615 | Not Affected |
| CVE-2021-45969 | Not Affected |
| CVE-2021-45970 | Not Affected |
| CVE-2021-45971 | Not Affected |
| CVE-2022-24030 | Not Affected |
| CVE-2022-24031 | Not Affected |
| CVE-2022-24069 | Not Affected |
| CVE-2022-28806 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
Acer Unknown
Notified: 2022-01-26
Updated: 2022-02-01
| CVE-2020-27339 | Unknown |
| CVE-2020-5953 | Unknown |
| CVE-2021-33625 | Unknown |
| CVE-2021-33626 | Unknown |
| CVE-2021-33627 | Unknown |
| CVE-2021-41837 | Unknown |
| CVE-2021-41838 | Unknown |
| CVE-2021-41839 | Unknown |
| CVE-2021-41840 | Unknown |
| CVE-2021-41841 | Unknown |
| CVE-2021-42059 | Unknown |
| CVE-2021-42060 | Unknown |
| CVE-2021-42113 | Unknown |
| CVE-2021-42554 | Unknown |
| CVE-2021-43323 | Unknown |
| CVE-2021-43522 | Unknown |
| CVE-2021-43615 | Unknown |
| CVE-2021-45969 | Unknown |
| CVE-2021-45970 | Unknown |
| CVE-2021-45971 | Unknown |
| CVE-2022-24030 | Unknown |
| CVE-2022-24031 | Unknown |
| CVE-2022-24069 | Unknown |
| CVE-2022-28806 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
ASUSTeK Computer Inc. Unknown
Notified: 2021-10-05
Updated: 2022-02-01
| CVE-2020-27339 | Unknown |
| CVE-2020-5953 | Unknown |
| CVE-2021-33625 | Unknown |
| CVE-2021-33626 | Unknown |
| CVE-2021-33627 | Unknown |
| CVE-2021-41837 | Unknown |
| CVE-2021-41838 | Unknown |
| CVE-2021-41839 | Unknown |
| CVE-2021-41840 | Unknown |
| CVE-2021-41841 | Unknown |
| CVE-2021-42059 | Unknown |
| CVE-2021-42060 | Unknown |
| CVE-2021-42113 | Unknown |
| CVE-2021-42554 | Unknown |
| CVE-2021-43323 | Unknown |
| CVE-2021-43522 | Unknown |
| CVE-2021-43615 | Unknown |
| CVE-2021-45969 | Unknown |
| CVE-2021-45970 | Unknown |
| CVE-2021-45971 | Unknown |
| CVE-2022-24030 | Unknown |
| CVE-2022-24031 | Unknown |
| CVE-2022-24069 | Unknown |
| CVE-2022-28806 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Dell Unknown
Notified: 2021-10-05
Updated: 2022-02-01
| CVE-2020-27339 | Unknown |
| CVE-2020-5953 | Unknown |
| CVE-2021-33625 | Unknown |
| CVE-2021-33626 | Unknown |
| CVE-2021-33627 | Unknown |
| CVE-2021-41837 | Unknown |
| CVE-2021-41838 | Unknown |
| CVE-2021-41839 | Unknown |
| CVE-2021-41840 | Unknown |
| CVE-2021-41841 | Unknown |
| CVE-2021-42059 | Unknown |
| CVE-2021-42060 | Unknown |
| CVE-2021-42113 | Unknown |
| CVE-2021-42554 | Unknown |
| CVE-2021-43323 | Unknown |
| CVE-2021-43522 | Unknown |
| CVE-2021-43615 | Unknown |
| CVE-2021-45969 | Unknown |
| CVE-2021-45970 | Unknown |
| CVE-2021-45971 | Unknown |
| CVE-2022-24030 | Unknown |
| CVE-2022-24031 | Unknown |
| CVE-2022-24069 | Unknown |
| CVE-2022-28806 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Dynabook Inc. Unknown
Notified: 2021-10-06
Updated: 2022-02-01
| CVE-2020-27339 | Unknown |
| CVE-2020-5953 | Unknown |
| CVE-2021-33625 | Unknown |
| CVE-2021-33626 | Unknown |
| CVE-2021-33627 | Unknown |
| CVE-2021-41837 | Unknown |
| CVE-2021-41838 | Unknown |
| CVE-2021-41839 | Unknown |
| CVE-2021-41840 | Unknown |
| CVE-2021-41841 | Unknown |
| CVE-2021-42059 | Unknown |
| CVE-2021-42060 | Unknown |
| CVE-2021-42113 | Unknown |
| CVE-2021-42554 | Unknown |
| CVE-2021-43323 | Unknown |
| CVE-2021-43522 | Unknown |
| CVE-2021-43615 | Unknown |
| CVE-2021-45969 | Unknown |
| CVE-2021-45970 | Unknown |
| CVE-2021-45971 | Unknown |
| CVE-2022-24030 | Unknown |
| CVE-2022-24031 | Unknown |
| CVE-2022-24069 | Unknown |
| CVE-2022-28806 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Gamma Tech Computer Corp. Unknown
Notified: 2022-01-26
Updated: 2022-02-01
| CVE-2020-27339 | Unknown |
| CVE-2020-5953 | Unknown |
| CVE-2021-33625 | Unknown |
| CVE-2021-33626 | Unknown |
| CVE-2021-33627 | Unknown |
| CVE-2021-41837 | Unknown |
| CVE-2021-41838 | Unknown |
| CVE-2021-41839 | Unknown |
| CVE-2021-41840 | Unknown |
| CVE-2021-41841 | Unknown |
| CVE-2021-42059 | Unknown |
| CVE-2021-42060 | Unknown |
| CVE-2021-42113 | Unknown |
| CVE-2021-42554 | Unknown |
| CVE-2021-43323 | Unknown |
| CVE-2021-43522 | Unknown |
| CVE-2021-43615 | Unknown |
| CVE-2021-45969 | Unknown |
| CVE-2021-45970 | Unknown |
| CVE-2021-45971 | Unknown |
| CVE-2022-24030 | Unknown |
| CVE-2022-24031 | Unknown |
| CVE-2022-24069 | Unknown |
| CVE-2022-28806 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
GETAC Inc. Unknown
Notified: 2022-01-26
Updated: 2022-02-01
| CVE-2020-27339 | Unknown |
| CVE-2020-5953 | Unknown |
| CVE-2021-33625 | Unknown |
| CVE-2021-33626 | Unknown |
| CVE-2021-33627 | Unknown |
| CVE-2021-41837 | Unknown |
| CVE-2021-41838 | Unknown |
| CVE-2021-41839 | Unknown |
| CVE-2021-41840 | Unknown |
| CVE-2021-41841 | Unknown |
| CVE-2021-42059 | Unknown |
| CVE-2021-42060 | Unknown |
| CVE-2021-42113 | Unknown |
| CVE-2021-42554 | Unknown |
| CVE-2021-43323 | Unknown |
| CVE-2021-43522 | Unknown |
| CVE-2021-43615 | Unknown |
| CVE-2021-45969 | Unknown |
| CVE-2021-45970 | Unknown |
| CVE-2021-45971 | Unknown |
| CVE-2022-24030 | Unknown |
| CVE-2022-24031 | Unknown |
| CVE-2022-24069 | Unknown |
| CVE-2022-28806 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
HP Inc. Unknown
Notified: 2021-10-05
Updated: 2022-02-01
| CVE-2020-27339 | Unknown |
| CVE-2020-5953 | Unknown |
| CVE-2021-33625 | Unknown |
| CVE-2021-33626 | Unknown |
| CVE-2021-33627 | Unknown |
| CVE-2021-41837 | Unknown |
| CVE-2021-41838 | Unknown |
| CVE-2021-41839 | Unknown |
| CVE-2021-41840 | Unknown |
| CVE-2021-41841 | Unknown |
| CVE-2021-42059 | Unknown |
| CVE-2021-42060 | Unknown |
| CVE-2021-42113 | Unknown |
| CVE-2021-42554 | Unknown |
| CVE-2021-43323 | Unknown |
| CVE-2021-43522 | Unknown |
| CVE-2021-43615 | Unknown |
| CVE-2021-45969 | Unknown |
| CVE-2021-45970 | Unknown |
| CVE-2021-45971 | Unknown |
| CVE-2022-24030 | Unknown |
| CVE-2022-24031 | Unknown |
| CVE-2022-24069 | Unknown |
| CVE-2022-28806 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Juniper Networks Unknown
Notified: 2022-01-26
Updated: 2022-02-01
| CVE-2020-27339 | Unknown |
| CVE-2020-5953 | Unknown |
| CVE-2021-33625 | Unknown |
| CVE-2021-33626 | Unknown |
| CVE-2021-33627 | Unknown |
| CVE-2021-41837 | Unknown |
| CVE-2021-41838 | Unknown |
| CVE-2021-41839 | Unknown |
| CVE-2021-41840 | Unknown |
| CVE-2021-41841 | Unknown |
| CVE-2021-42059 | Unknown |
| CVE-2021-42060 | Unknown |
| CVE-2021-42113 | Unknown |
| CVE-2021-42554 | Unknown |
| CVE-2021-43323 | Unknown |
| CVE-2021-43522 | Unknown |
| CVE-2021-43615 | Unknown |
| CVE-2021-45969 | Unknown |
| CVE-2021-45970 | Unknown |
| CVE-2021-45971 | Unknown |
| CVE-2022-24030 | Unknown |
| CVE-2022-24031 | Unknown |
| CVE-2022-24069 | Unknown |
| CVE-2022-28806 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Lenovo Unknown
Notified: 2021-10-05
Updated: 2022-02-01
| CVE-2020-27339 | Unknown |
| CVE-2020-5953 | Unknown |
| CVE-2021-33625 | Unknown |
| CVE-2021-33626 | Unknown |
| CVE-2021-33627 | Unknown |
| CVE-2021-41837 | Unknown |
| CVE-2021-41838 | Unknown |
| CVE-2021-41839 | Unknown |
| CVE-2021-41840 | Unknown |
| CVE-2021-41841 | Unknown |
| CVE-2021-42059 | Unknown |
| CVE-2021-42060 | Unknown |
| CVE-2021-42113 | Unknown |
| CVE-2021-42554 | Unknown |
| CVE-2021-43323 | Unknown |
| CVE-2021-43522 | Unknown |
| CVE-2021-43615 | Unknown |
| CVE-2021-45969 | Unknown |
| CVE-2021-45970 | Unknown |
| CVE-2021-45971 | Unknown |
| CVE-2022-24030 | Unknown |
| CVE-2022-24031 | Unknown |
| CVE-2022-24069 | Unknown |
| CVE-2022-28806 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Microsoft Unknown
Notified: 2021-10-05
Updated: 2022-02-01
| CVE-2020-27339 | Unknown |
| CVE-2020-5953 | Unknown |
| CVE-2021-33625 | Unknown |
| CVE-2021-33626 | Unknown |
| CVE-2021-33627 | Unknown |
| CVE-2021-41837 | Unknown |
| CVE-2021-41838 | Unknown |
| CVE-2021-41839 | Unknown |
| CVE-2021-41840 | Unknown |
| CVE-2021-41841 | Unknown |
| CVE-2021-42059 | Unknown |
| CVE-2021-42060 | Unknown |
| CVE-2021-42113 | Unknown |
| CVE-2021-42554 | Unknown |
| CVE-2021-43323 | Unknown |
| CVE-2021-43522 | Unknown |
| CVE-2021-43615 | Unknown |
| CVE-2021-45969 | Unknown |
| CVE-2021-45970 | Unknown |
| CVE-2021-45971 | Unknown |
| CVE-2022-24030 | Unknown |
| CVE-2022-24031 | Unknown |
| CVE-2022-24069 | Unknown |
| CVE-2022-28806 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Microsoft Vulnerability Research Unknown
Notified: 2021-10-06
Updated: 2022-02-01
| CVE-2020-27339 | Unknown |
| CVE-2020-5953 | Unknown |
| CVE-2021-33625 | Unknown |
| CVE-2021-33626 | Unknown |
| CVE-2021-33627 | Unknown |
| CVE-2021-41837 | Unknown |
| CVE-2021-41838 | Unknown |
| CVE-2021-41839 | Unknown |
| CVE-2021-41840 | Unknown |
| CVE-2021-41841 | Unknown |
| CVE-2021-42059 | Unknown |
| CVE-2021-42060 | Unknown |
| CVE-2021-42113 | Unknown |
| CVE-2021-42554 | Unknown |
| CVE-2021-43323 | Unknown |
| CVE-2021-43522 | Unknown |
| CVE-2021-43615 | Unknown |
| CVE-2021-45969 | Unknown |
| CVE-2021-45970 | Unknown |
| CVE-2021-45971 | Unknown |
| CVE-2022-24030 | Unknown |
| CVE-2022-24031 | Unknown |
| CVE-2022-24069 | Unknown |
| CVE-2022-28806 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
ReactOS Unknown
Notified: 2022-01-26
Updated: 2022-02-01
| CVE-2020-27339 | Unknown |
| CVE-2020-5953 | Unknown |
| CVE-2021-33625 | Unknown |
| CVE-2021-33626 | Unknown |
| CVE-2021-33627 | Unknown |
| CVE-2021-41837 | Unknown |
| CVE-2021-41838 | Unknown |
| CVE-2021-41839 | Unknown |
| CVE-2021-41840 | Unknown |
| CVE-2021-41841 | Unknown |
| CVE-2021-42059 | Unknown |
| CVE-2021-42060 | Unknown |
| CVE-2021-42113 | Unknown |
| CVE-2021-42554 | Unknown |
| CVE-2021-43323 | Unknown |
| CVE-2021-43522 | Unknown |
| CVE-2021-43615 | Unknown |
| CVE-2021-45969 | Unknown |
| CVE-2021-45970 | Unknown |
| CVE-2021-45971 | Unknown |
| CVE-2022-24030 | Unknown |
| CVE-2022-24031 | Unknown |
| CVE-2022-24069 | Unknown |
| CVE-2022-28806 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Siemens Unknown
Notified: 2022-01-26
Updated: 2022-02-01
| CVE-2020-27339 | Unknown |
| CVE-2020-5953 | Unknown |
| CVE-2021-33625 | Unknown |
| CVE-2021-33626 | Unknown |
| CVE-2021-33627 | Unknown |
| CVE-2021-41837 | Unknown |
| CVE-2021-41838 | Unknown |
| CVE-2021-41839 | Unknown |
| CVE-2021-41840 | Unknown |
| CVE-2021-41841 | Unknown |
| CVE-2021-42059 | Unknown |
| CVE-2021-42060 | Unknown |
| CVE-2021-42113 | Unknown |
| CVE-2021-42554 | Unknown |
| CVE-2021-43323 | Unknown |
| CVE-2021-43522 | Unknown |
| CVE-2021-43615 | Unknown |
| CVE-2021-45969 | Unknown |
| CVE-2021-45970 | Unknown |
| CVE-2021-45971 | Unknown |
| CVE-2022-24030 | Unknown |
| CVE-2022-24031 | Unknown |
| CVE-2022-24069 | Unknown |
| CVE-2022-28806 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Siemens Nixdorf AG Unknown
Updated: 2022-02-01
| CVE-2020-27339 | Unknown |
| CVE-2020-5953 | Unknown |
| CVE-2021-33625 | Unknown |
| CVE-2021-33626 | Unknown |
| CVE-2021-33627 | Unknown |
| CVE-2021-41837 | Unknown |
| CVE-2021-41838 | Unknown |
| CVE-2021-41839 | Unknown |
| CVE-2021-41840 | Unknown |
| CVE-2021-41841 | Unknown |
| CVE-2021-42059 | Unknown |
| CVE-2021-42060 | Unknown |
| CVE-2021-42113 | Unknown |
| CVE-2021-42554 | Unknown |
| CVE-2021-43323 | Unknown |
| CVE-2021-43522 | Unknown |
| CVE-2021-43615 | Unknown |
| CVE-2021-45969 | Unknown |
| CVE-2021-45970 | Unknown |
| CVE-2021-45971 | Unknown |
| CVE-2022-24030 | Unknown |
| CVE-2022-24031 | Unknown |
| CVE-2022-24069 | Unknown |
| CVE-2022-28806 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
VAIO Corporation Unknown
Notified: 2022-01-26
Updated: 2022-02-01
| CVE-2020-27339 | Unknown |
| CVE-2020-5953 | Unknown |
| CVE-2021-33625 | Unknown |
| CVE-2021-33626 | Unknown |
| CVE-2021-33627 | Unknown |
| CVE-2021-41837 | Unknown |
| CVE-2021-41838 | Unknown |
| CVE-2021-41839 | Unknown |
| CVE-2021-41840 | Unknown |
| CVE-2021-41841 | Unknown |
| CVE-2021-42059 | Unknown |
| CVE-2021-42060 | Unknown |
| CVE-2021-42113 | Unknown |
| CVE-2021-42554 | Unknown |
| CVE-2021-43323 | Unknown |
| CVE-2021-43522 | Unknown |
| CVE-2021-43615 | Unknown |
| CVE-2021-45969 | Unknown |
| CVE-2021-45970 | Unknown |
| CVE-2021-45971 | Unknown |
| CVE-2022-24030 | Unknown |
| CVE-2022-24031 | Unknown |
| CVE-2022-24069 | Unknown |
| CVE-2022-28806 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Xerox Unknown
Notified: 2022-01-26
Updated: 2022-02-01
| CVE-2020-27339 | Unknown |
| CVE-2020-5953 | Unknown |
| CVE-2021-33625 | Unknown |
| CVE-2021-33626 | Unknown |
| CVE-2021-33627 | Unknown |
| CVE-2021-41837 | Unknown |
| CVE-2021-41838 | Unknown |
| CVE-2021-41839 | Unknown |
| CVE-2021-41840 | Unknown |
| CVE-2021-41841 | Unknown |
| CVE-2021-42059 | Unknown |
| CVE-2021-42060 | Unknown |
| CVE-2021-42113 | Unknown |
| CVE-2021-42554 | Unknown |
| CVE-2021-43323 | Unknown |
| CVE-2021-43522 | Unknown |
| CVE-2021-43615 | Unknown |
| CVE-2021-45969 | Unknown |
| CVE-2021-45970 | Unknown |
| CVE-2021-45971 | Unknown |
| CVE-2022-24030 | Unknown |
| CVE-2022-24031 | Unknown |
| CVE-2022-24069 | Unknown |
| CVE-2022-28806 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
References
- https://www.insyde.com/security-pledge
- https://github.com/binarly-io/Vulnerability-REsearch/tree/main/Insyde
- https://github.com/binarly-io/Research_Publications/blob/main/OSFC_2021/The%20firmware%20supply-chain%20security%20is%20broken!%20Can%20we%20fix%20it%3F.pdf
- https://www.microsoft.com/security/blog/2020/11/12/system-management-mode-deep-dive-how-smm-isolation-hardens-the-platform/
- https://www.intel.com/content/www/us/en/developer/articles/technical/intel-sdm.html
Other Information
| CVE IDs: | CVE-2020-27339 CVE-2020-5953 CVE-2021-33625 CVE-2021-33626 CVE-2021-33627 CVE-2021-41837 CVE-2021-41838 CVE-2021-41839 CVE-2021-41840 CVE-2021-41841 CVE-2021-42059 CVE-2021-42060 CVE-2021-42113 CVE-2021-42554 CVE-2021-43323 CVE-2021-43522 CVE-2021-43615 CVE-2021-45969 CVE-2021-45970 CVE-2021-45971 CVE-2022-24030 CVE-2022-24031 CVE-2022-24069 CVE-2022-28806 |
| API URL: | VINCE JSON | CSAF |
| Date Public: | 2022-02-01 |
| Date First Published: | 2022-02-01 |
| Date Last Updated: | 2023-07-17 14:56 UTC |
| Document Revision: | 15 |