
CERT Coordination Center

InsydeH2O UEFI software impacted by multiple vulnerabilities in SMM

Vulnerability Note VU#796611

Original Release Date: 2022-02-01 | Last Revised: 2022-04-26

Overview

The InsydeH2O Hardware-2-Operating System (H2O) UEFI firmware contains multiple vulnerabilities related to memory management in System Management Mode (SMM).

Description

UEFI firmware provides an extensible interface between an operating system and platform firmware. It relies on a highly privileged processor execution mode called System Management Mode (SMM) for system-wide functions such as power management, system hardware control, and proprietary OEM code. SMM's privileges, often referred to as "Ring -2," exceed those of the operating system kernel ("Ring 0"). For this reason, SMM code and data are kept in a protected region of memory called SMRAM, which the operating system cannot read or write once it is locked. SMM is typically entered through System Management Interrupt (SMI) handlers, which exchange data with their callers through communication buffers, also known as "SMM Comm Buffers." SMM also enforces protection against unauthorized SPI flash modification and performs boot-time verifications similar to those performed by Secure Boot.

UEFI firmware must be both open (to hardware drivers, pluggable devices, and Driver eXecution Environment (DXE) updates) and tightly controlled (for example, in how SMI handlers validate the contents of their Comm Buffers). This makes it complex software whose security controls need validation throughout the firmware's lifecycle. UEFI also supports newer capabilities such as Virtual Machine Manager (VMM) support for virtualization, driven by the growing demand for virtual computing resources.

Insyde's H2O UEFI firmware contains 23 memory management vulnerabilities, disclosed by Binarly. Although they were discovered in Fujitsu and Bull Atos implementations of InsydeH2O, the same code is present in many other vendors' products because of the complex UEFI supply chain. The vulnerabilities fall into the following UEFI vulnerability categories:

Vulnerability Category      Count
SMM Privilege Escalation       10
SMM Memory Corruption          12
DXE Memory Corruption           1
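The confused-deputy pattern behind the SMM categories above (an SMI handler that takes a pointer and length from the Comm Buffer and writes through them with SMM privileges) is shown here as an added example in C. It is not Insyde code and does not model any specific CVE in this note; the flat memory layout, the SMRAM window, the `write_cmd` command format and all function names are hypothetical. It contrasts a handler that only checks payload sizes with one that snapshots the command and rejects any target range overlapping SMRAM, which is the check a handler needs before honoring a caller-supplied pointer.

```c
/* Added example (not Insyde code): a model of the SMM comm-buffer confused-deputy
 * pattern and the check that prevents it. Memory layout, SMRAM window, command
 * format and function names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical flat physical memory: 64 KiB, with SMRAM at [0x8000, 0xC000). */
#define MEM_SIZE   0x10000u
#define SMRAM_BASE 0x8000u
#define SMRAM_SIZE 0x4000u

static uint8_t g_mem[MEM_SIZE];

/* SMRAM descriptors, as firmware would obtain them from the SMM access protocol (modeled). */
struct smram_desc { uint64_t base; uint64_t size; };
static const struct smram_desc g_smram[] = { { SMRAM_BASE, SMRAM_SIZE } };

/* Hypothetical command the OS places in the comm buffer: "copy len bytes of data to dst". */
struct write_cmd {
    uint64_t dst;       /* physical address chosen by the caller (Ring 0) */
    uint64_t len;
    uint8_t  data[16];
};

/* True only if [addr, addr+len) is non-empty, does not wrap, lies inside physical
 * memory and does not overlap any SMRAM range. Every pointer/length pair an SMI
 * handler takes from a comm buffer must pass this before the handler touches it. */
bool range_outside_smram(uint64_t addr, uint64_t len)
{
    if (len == 0 || addr > UINT64_MAX - len) return false;   /* empty or wraps */
    uint64_t end = addr + len;                                 /* exclusive */
    if (end > MEM_SIZE) return false;                          /* beyond modeled RAM */
    for (size_t i = 0; i < sizeof g_smram / sizeof g_smram[0]; i++) {
        uint64_t sb = g_smram[i].base, se = sb + g_smram[i].size;
        if (addr < se && sb < end) return false;               /* overlaps SMRAM */
    }
    return true;
}

/* Vulnerable pattern: only sizes are checked, dst is never compared against SMRAM,
 * so a Ring 0 caller can make SMM write attacker-chosen bytes into SMRAM. The
 * MEM_SIZE bound merely keeps the simulation inside g_mem. */
int smi_write_vulnerable(uint64_t comm_off, uint64_t comm_size)
{
    struct write_cmd cmd;
    if (comm_size < sizeof cmd) return -1;
    memcpy(&cmd, &g_mem[comm_off], sizeof cmd);
    if (cmd.len > sizeof cmd.data || cmd.dst > MEM_SIZE - cmd.len) return -1;
    memcpy(&g_mem[cmd.dst], cmd.data, cmd.len);      /* dst may be inside SMRAM */
    return 0;
}

/* Hardened pattern: the comm buffer itself must lie outside SMRAM, the command is
 * copied into SMRAM-resident storage before any field is checked (so another core
 * cannot change it after the check), and the target range is rejected unless it
 * lies entirely outside SMRAM. */
int smi_write_hardened(uint64_t comm_off, uint64_t comm_size)
{
    struct write_cmd cmd;
    if (comm_size < sizeof cmd || !range_outside_smram(comm_off, comm_size)) return -1;
    memcpy(&cmd, &g_mem[comm_off], sizeof cmd);            /* snapshot, then validate */
    if (cmd.len > sizeof cmd.data) return -1;
    if (!range_outside_smram(cmd.dst, cmd.len)) return -2; /* refuse SMRAM targets */
    memcpy(&g_mem[cmd.dst], cmd.data, cmd.len);
    return 0;
}

/* Simulated Ring 0 attacker (constructed input): a comm buffer at 0x1000 asks SMM
 * to overwrite the first 8 bytes of SMRAM. Returns the handler's status code. */
int demo_attack(bool hardened)
{
    memset(g_mem, 0, sizeof g_mem);
    memset(&g_mem[SMRAM_BASE], 0xAA, 8);               /* stands in for SMM code/data */
    struct write_cmd cmd = { .dst = SMRAM_BASE, .len = 8 };
    memset(cmd.data, 0x90, sizeof cmd.data);           /* attacker-chosen bytes */
    const uint64_t comm = 0x1000;
    memcpy(&g_mem[comm], &cmd, sizeof cmd);
    return hardened ? smi_write_hardened(comm, sizeof cmd)
                    : smi_write_vulnerable(comm, sizeof cmd);
}

/* True if the first 8 bytes of SMRAM still hold the original 0xAA pattern. */
bool smram_intact(void)
{
    for (int i = 0; i < 8; i++)
        if (g_mem[SMRAM_BASE + i] != 0xAA) return false;
    return true;
}

int main(void)
{
    int v = demo_attack(false);
    printf("vulnerable handler: status %d, SMRAM intact: %s\n", v, smram_intact() ? "yes" : "no");
    int h = demo_attack(true);
    printf("hardened handler:   status %d, SMRAM intact: %s\n", h, smram_intact() ? "yes" : "no");
    return 0;
}
```

Real handlers obtain the SMRAM ranges from the platform's SMM access protocol and should additionally reject buffers that overlap MMIO or other reserved ranges; the range check here is the minimum a reviewer should expect to find before any caller-supplied pointer is dereferenced in SMM.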

Impact

The impact of these vulnerabilities varies widely because of the breadth of SMM's capabilities. For example, a local attacker with administrative privileges (or, in some cases, a remote attacker with administrative privileges) can exploit them to escalate privileges above the operating system and execute arbitrary code in SMM. The attacks are invoked from the operating system through SMI handlers that fail to verify their inputs; in some cases the bugs can also be triggered during the early UEFI boot phases, and during sleep/resume and recovery flows (for example, ACPI sleep states), before the operating system is initialized.

In summary, a local attacker with administrative privileges (or, in some cases, a remote attacker with administrative privileges) can use malicious software to:

  • Bypass or disable many hardware security features (Secure Boot, Intel Boot Guard)
  • Install persistent software that cannot be easily erased
  • Create backdoors and covert communication channels to exfiltrate sensitive data

Solution

Install the latest stable firmware version provided by your PC vendor or by the reseller of your computing environment. See the links below for resources and updates provided by specific vendors.

If your operating system supports automatic or managed firmware updates, such as the Linux Vendor Firmware Service (LVFS), apply the related firmware security updates. Binarly has also published a set of UEFI firmware detection rules, called FwHunt rules, to help identify vulnerable firmware images; LVFS applies these FwHunt rules to detect firmware images affected by this advisory and to support their remediation.

Acknowledgements

The efiXplorer team of Binarly researched and reported these vulnerabilities to Insyde Software. Insyde Software worked closely with CERT/CC during the coordinated disclosure process for these vulnerabilities.

This document was written by Vijay Sarvepalli.

Vendor Information


Aruba Networks Affected

Notified:  2021-10-18 Updated: 2022-03-21

Statement Date:   March 01, 2022

CVE-2020-27339 Affected
CVE-2020-5953 Affected
CVE-2021-33625 Affected
CVE-2021-33626 Affected
CVE-2021-33627 Affected
CVE-2021-41837 Affected
CVE-2021-41838 Affected
CVE-2021-41839 Affected
CVE-2021-41840 Affected
CVE-2021-41841 Affected
CVE-2021-42059 Affected
CVE-2021-42060 Not Affected
CVE-2021-42113 Affected
CVE-2021-42554 Affected
CVE-2021-43323 Affected
CVE-2021-43522 Affected
CVE-2021-43615 Not Affected
CVE-2021-45969 Not Affected
CVE-2021-45970 Not Affected
CVE-2021-45971 Not Affected
CVE-2022-24030 Not Affected
CVE-2022-24031 Not Affected
CVE-2022-24069 Not Affected
CVE-2022-28806 Unknown

Vendor Statement

Aruba has published information about products affected by these vulnerabilities at https://www.arubanetworks.com/support-services/security-bulletins/ with the specific URLs listed as references.

References

Atos SE Affected

Notified:  2022-02-04 Updated: 2022-02-04

Statement Date:   February 04, 2022

CVE-2020-27339 Unknown
CVE-2020-5953 Affected
CVE-2021-33625 Affected
CVE-2021-33626 Unknown
CVE-2021-33627 Unknown
CVE-2021-41837 Unknown
CVE-2021-41838 Unknown
CVE-2021-41839 Unknown
CVE-2021-41840 Unknown
CVE-2021-41841 Unknown
CVE-2021-42059 Affected
CVE-2021-42060 Affected
CVE-2021-42113 Affected
CVE-2021-42554 Affected
CVE-2021-43323 Affected
CVE-2021-43522 Affected
CVE-2021-43615 Affected
CVE-2021-45969 Affected
CVE-2021-45970 Affected
CVE-2021-45971 Affected
CVE-2022-24030 Affected
CVE-2022-24031 Affected
CVE-2022-24069 Affected
CVE-2022-28806 Unknown

Vendor Statement

On February 1st, 2022, CERT-CC, Insyde Inc., and Binarly Inc. collectively disclosed a set of vulnerabilities affecting InsydeH2O Hardware-2-Operating System (H2O) UEFI Bios. These vulnerabilities generalize to all Intel configurations a 2020 vulnerability affecting a version of InsydeH2O that supported a specific Intel chipset (CVE-2020-5953). They affect any product using UEFI Bios based on InsydeH2O, including some BullSequana products. Atos is liaising closely with its suppliers and investigating the exact nature of these vulnerabilities to provide validated remediation.

Fujitsu Affected

Notified:  2021-09-21 Updated: 2022-04-26

Statement Date:   February 04, 2022

CVE-2020-27339 Not Affected
Vendor Statement:
Insyde Security Advisory INSYDE-SA-2021001 (CVE-2020-27339) on InsydeH2O is not part of this 2022/Q2 Insyde Security Advisory (ISA). The Fujitsu PSIRT already addressed the Insyde Security Advisory internally and released dedicated Fujitsu PSIRT Security Notice FCCL-IS-2021-061600.
CVE-2020-5953 Affected
CVE-2021-33625 Affected
CVE-2021-33626 Affected
CVE-2021-33627 Affected
CVE-2021-41837 Affected
CVE-2021-41838 Affected
CVE-2021-41839 Affected
CVE-2021-41840 Affected
CVE-2021-41841 Affected
CVE-2021-42059 Affected
CVE-2021-42060 Affected
CVE-2021-42113 Affected
CVE-2021-42554 Affected
CVE-2021-43323 Affected
CVE-2021-43522 Affected
CVE-2021-43615 Affected
CVE-2021-45969 Affected
CVE-2021-45970 Not Affected
Vendor Statement:
Insyde Security Advisory INSYDE-SA-2022002 (CVE-2021-45970) on InsydeH2O, as part of this 2022/Q2 Insyde Security Advisory (ISA), does not affect any Fujitsu product.
CVE-2021-45971 Affected
CVE-2022-24030 Affected
CVE-2022-24031 Affected
CVE-2022-24069 Unknown
CVE-2022-28806 Affected

Vendor Statement

Fujitsu is aware of the security vulnerabilities in Insyde firmware (InsydeH2O UEFI-BIOS).

Affected products are Fujitsu CCD (Client Computing Device) mobile devices.

The Fujitsu PSIRT released FCCL-IS-2021-090903 on https://security.ts.fujitsu.com (Security Advisories) accordingly.

In case of questions regarding this Fujitsu PSIRT Security Notice, please contact the Fujitsu PSIRT (Fujitsu-PSIRT@ts.fujitsu.com).

References

Insyde Software Corporation Affected

Notified:  2021-09-17 Updated: 2022-02-01

Statement Date:   October 06, 2021

CVE-2020-27339 Affected
Vendor Statement:
This corresponds to CVE-2020-27339. It affects the driver IdeBusDxe. It was discovered by an external security researcher and entered as an incident on 14 October 2020. It was independently reported by Binarly as BRLY-2021-020 in September 2021. The code that resolved the issue can be found in the following kernel versions: Kernel 5.1: 05.16.25, Kernel 5.2: 05.26.25, Kernel 5.3: 05.35.25, Kernel 5.4: 05.43.25, Kernel 5.5: Unaffected
CVE-2020-5953 Affected
Vendor Statement:
This corresponds to CVE-2020-5953. It affects the driver AsfSecureBootSmm. This issue was discovered by a 3rd party security researcher on a version of InsydeH2O that supported a specific Intel chipset. Insyde engineers subsequently discovered that drivers with the same name on versions of InsydeH2O supporting other Intel chipsets were similarly vulnerable. Prior to disclosure, this issue was independently discovered by the Binarly efiXplorer team. The fixed versions were as follows (using the Intel code name): Intel Kaby Lake - 05.12.09.0074, Intel Cannon Lake - 05.34.03.0029, Intel Coffee Lake - 05.34.03.0029, Intel Whiskey Lake (on Cannon Lake) - 05.34.03.0029, Intel Whiskey Lake - 05.23.45.0023, Intel Whiskey Lake (Server/Embedded) - TBD, Intel Comet Lake - 05.23.04.0045, Intel Comet Lake (Server/Embedded) - 05.34.03.0029, Intel Mehlow - TBD, Intel Greenlow/Greenlow-R - TBD, Intel Ice Lake - 05.33.15.0034, Intel Rocket Lake - Unaffected, Intel Tiger Lake - 05.42.03.0010, Intel Alder Lake - Unaffected
CVE-2021-33625 Affected
Vendor Statement:
This affects the HddPassword driver. It was reported by the Binarly efiXplorer team. Fixes are available in the InsydeH2O kernel: Kernel 5.1: 05.16.23, Kernel 5.2: 05.26.23, Kernel 5.3: 05.35.23, Kernel 5.4: 05.43.22, Kernel 5.5: 05.51.22
CVE-2021-33626 Affected
Vendor Statement:
This corresponds to CVE-2021-33626. It affects the driver SmmResourceCheckDxe. This issue was discovered by Insyde engineering during an internal security review of several Insyde drivers and entered as a security incident on May 28, 2021. It was independently reported by Binarly (BRLY-2021-013) in September 2021. It was fixed in the following Insyde kernel versions on June 1, 2021: Kernel 5.1: 05.16.23, Kernel 5.2: 05.26.23, Kernel 5.3: 05.35.23, Kernel 5.4: 05.43.23, Kernel 5.5: 05.51.23
CVE-2021-33627 Affected
Vendor Statement:
This corresponds to CVE-2021-33627. It affects the driver FwBlockServiceSmm. This issue was discovered by Insyde engineering during an internal security review and reported on 25 May 2021. It was independently reported by Binarly (BRLY-2021-011) in September 2021. It was fixed in the following Insyde kernel versions: Kernel 5.0: 05.08.29, Kernel 5.1: 05.16.29, Kernel 5.2: 05.26.29, Kernel 5.3: 05.35.29, Kernel 5.4: Unaffected, Kernel 5.5: Unaffected.
CVE-2021-41837 Affected
Vendor Statement:
This corresponds to CVE-2021-41837. It affects the AhciBusDxe driver. This issue was discovered by the Binarly efiXplorer team. The fixed versions are Kernel 5.0: 05.08.41, Kernel 5.1: 05.16.41, Kernel 5.2: 05.26.41, Kernel 5.3: 05.35.41, Kernel 5.4: 05.43.41, Kernel 5.5: 05.51.41
CVE-2021-41838 Affected
Vendor Statement:
This corresponds to CVE-2021-41838. It affects the NvmExpressDxe driver. This issue was discovered by the Binarly efiXplorer team. The fixed versions are Kernel 5.1: 05.16.42, Kernel 5.2: 05.26.42, Kernel 5.3: 05.35.42, Kernel 5.4: 05.43.42, Kernel 5.5: 05.51.42
CVE-2021-41839 Affected
Vendor Statement:
This corresponds to CVE-2021-41839. It affects the driver NvmExpressDxe. This issue was discovered by Insyde engineering during an internal security review of several Insyde drivers and entered as a security incident on May 28, 2021. It was independently reported by Binarly (BRLY-2021-017) in September 2021. It was fixed in the following Insyde kernel versions on June 18, 2021: Kernel 5.0: Unaffected, Kernel 5.1: 05.16.25, Kernel 5.2: 05.26.25, Kernel 5.3: 05.35.25, Kernel 5.4: 05.43.25, Kernel 5.5: 05.51.25
CVE-2021-41840 Affected
Vendor Statement:
This corresponds to CVE-2021-41840. It affects the driver SdHostDriver. This issue was discovered internally during an Insyde code review but was not classified as a security incident until September 17, 2021. It was independently reported by Binarly (BRLY-2021-019) in September 2021. The code that fixed the issue can be found in the following Insyde kernel versions, starting on August 28, 2020: Kernel 5.0: not present, Kernel 5.1: not present, Kernel 5.2: 05.23.35, Kernel 5.3: 05.32.35, Kernel 5.4: 05.40.35, Kernel 5.5: not present.
CVE-2021-41841 Affected
Vendor Statement:
This corresponds to CVE-2021-41841. It affects the driver AhciBusDxe. This issue was discovered by a 3rd party security researcher and entered as a security incident on May 26, 2021. It was independently reported by Binarly (BRLY-2021-018) in September 2021. It was fixed in the following Insyde kernel versions on July 26, 2021: Kernel 5.0: 05.08.29, Kernel 5.1: 05.16.29, Kernel 5.2: 05.26.29, Kernel 5.3: 05.35.29, Kernel 5.4: 05.43.29, Kernel 5.5: 05.51.29
CVE-2021-42059 Affected
Vendor Statement:
This affects the DisplayTypeDxe driver. It was reported by the Binarly efiXplorer team. It was fixed in the InsydeH2O kernel: Kernel 5.0: 05.08.41, Kernel 5.1: 05.16.41, Kernel 5.2: 05.26.41, Kernel 5.3: 05.35.41, Kernel 5.4: 05.42.20, Kernel 5.5: unaffected.
CVE-2021-42060 Affected
Vendor Statement:
This affects the Int15ServiceSmm driver. It was reported by the Binarly efiXplorer team. It was fixed in InsydeH2O versions Kernel 5.0: 05.08.49, Kernel 5.1: 05.16.49, Kernel 5.2: 05.23.22, Kernel 5.3: 05.32.22, Kernel 5.4: unaffected, Kernel 5.5: unaffected.
CVE-2021-42113 Affected
Vendor Statement:
This corresponds to CVE-2021-42113. It affects the StorageSecurityCommandDxe driver. It was discovered by the Binarly efiXplorer team. It is fixed in the InsydeH2O kernel: Kernel 5.1: 05.14.34, Kernel 5.2: 05.24.34, Kernel 5.3: 05.33.34, Kernel 5.4: unaffected. Kernel 5.5: unaffected.
CVE-2021-42554 Affected
Vendor Statement:
This affects the FvbServicesRuntimeDxe driver. It was reported by the Binarly efiXplorer team. It is fixed in the following InsydeH2O kernel versions: Kernel 5.0: 05.08.42, Kernel 5.1: 05.16.42, Kernel 5.2: 05.26.42, Kernel 5.3: 05.35.42, Kernel 5.4: 05.42.51, Kernel 5.5: 05.50.51
CVE-2021-43323 Affected
Vendor Statement:
This affects the UsbCoreDxe driver. It was reported by the Binarly efiXplorer team. The fixes are available for the Insyde kernel: Kernel 5.0: 05.08.45, Kernel 5.1: 05.16.45, Kernel 5.2: 05.26.45, Kernel 5.3: 05.35.45, Kernel 5.4: 05.43.45, Kernel 5.5: 05.51.45.
CVE-2021-43522 Affected
CVE-2021-43615 Affected
Vendor Statement:
This affects the HddPassword driver. It was reported by the Binarly efiXplorer team. It was fixed in the InsydeH2O kernel: Kernel 5.1: 05.16.23, Kernel 5.2: 05.23.22, Kernel 5.3: 05.32.22, Kernel 5.4: Unaffected, Kernel 5.5: Unaffected
CVE-2021-45969 Affected
Vendor Statement:
This corresponds to CVE-2021-45969. It affects the driver AhciBusDxe. This issue was discovered by Insyde engineering during an internal security review of several Insyde drivers and entered as a security incident on May 28, 2021. It was independently reported by Binarly (BRLY-2021-016) in September 2021. It was fixed in the following Insyde kernel versions on June 18, 2021: Kernel 5.1: 05.16.25, Kernel 5.2: 05.26.25, Kernel 5.3: 05.35.25, Kernel 5.4: 05.43.25, Kernel 5.5: 05.51.25. This issue was previously reported incorrectly as part of CVE-2020-27339.
CVE-2021-45970 Affected
Vendor Statement:
This corresponds to CVE-2021-45970. It affects the driver IdeBusDxe. This issue was discovered by Insyde engineering during an internal security review of several Insyde drivers and entered as a security incident on May 28, 2021. It was independently reported by Binarly (BRLY-2021-015) in September 2021. It was fixed in the following Insyde kernel versions on June 18, 2021: Kernel 5.1: 05.16.25, Kernel 5.2: 05.26.25, Kernel 5.3: 05.35.25, Kernel 5.4: 05.43.25, Kernel 5.5: 05.51.25. This issue was previously reported incorrectly as part of CVE-2020-27339.
CVE-2021-45971 Affected
Vendor Statement:
This corresponds to CVE-2021-45971. It affects the driver SdHostDriver. This issue was discovered by Insyde engineering during an internal security review of several Insyde drivers and entered as a security incident on May 28, 2021. It was independently reported by Binarly (BRLY-2021-012) in September 2021. It was fixed in the following Insyde kernel versions on June 18, 2021: Kernel 5.1: 05.16.25, Kernel 5.2: 05.26.25, Kernel 5.3: 05.35.25, Kernel 5.4: 05.43.25, Kernel 5.5: 05.51.25. It was previously reported incorrectly as part of CVE-2020-27339.
CVE-2022-24030 Affected
Vendor Statement:
This affects the AhciBusDxe driver. This issue was discovered by the Binarly efiXplorer team. The fixed versions are Kernel 5.0: 05.08.41, Kernel 5.1: 05.16.41, Kernel 5.2: 05.26.41, Kernel 5.3: 05.35.41, Kernel 5.4: 05.43.41, Kernel 5.5: 05.51.41
CVE-2022-24031 Affected
Vendor Statement:
This affects the NvmExpressDxe driver. This issue was discovered by the Binarly efiXplorer team. The fixed versions are Kernel 5.1: 05.16.42, Kernel 5.2: 05.26.42, Kernel 5.3: 05.35.42, Kernel 5.4: 05.43.42, Kernel 5.5: 05.51.42
CVE-2022-24069 Unknown
CVE-2022-28806 Unknown

Vendor Statement

These issues affect a broad range of Insyde's InsydeH2O products. They are not chipset specific, but they are specific to kernel versions, which are listed with each statement. We have disclosed these to all affected customers.

AMD Not Affected

Notified:  2022-01-26 Updated: 2022-04-26

Statement Date:   March 28, 2022

CVE-2020-27339 Not Affected
CVE-2020-5953 Not Affected
CVE-2021-33625 Not Affected
CVE-2021-33626 Not Affected
CVE-2021-33627 Not Affected
CVE-2021-41837 Not Affected
CVE-2021-41838 Not Affected
CVE-2021-41839 Not Affected
CVE-2021-41840 Not Affected
CVE-2021-41841 Not Affected
CVE-2021-42059 Not Affected
CVE-2021-42060 Not Affected
CVE-2021-42113 Not Affected
CVE-2021-42554 Not Affected
CVE-2021-43323 Not Affected
CVE-2021-43522 Not Affected
CVE-2021-43615 Not Affected
CVE-2021-45969 Not Affected
CVE-2021-45970 Not Affected
CVE-2021-45971 Not Affected
CVE-2022-24030 Not Affected
CVE-2022-24031 Not Affected
CVE-2022-24069 Not Affected
CVE-2022-28806 Not Affected

Vendor Statement

We have not received a statement from the vendor.

American Megatrends Incorporated (AMI) Not Affected

Notified:  2022-01-18 Updated: 2022-04-26

Statement Date:   February 10, 2022

CVE-2020-27339 Not Affected
CVE-2020-5953 Not Affected
CVE-2021-33625 Not Affected
CVE-2021-33626 Not Affected
CVE-2021-33627 Not Affected
CVE-2021-41837 Not Affected
CVE-2021-41838 Not Affected
CVE-2021-41839 Not Affected
CVE-2021-41840 Not Affected
CVE-2021-41841 Not Affected
CVE-2021-42059 Not Affected
CVE-2021-42060 Not Affected
CVE-2021-42113 Not Affected
CVE-2021-42554 Not Affected
CVE-2021-43323 Not Affected
CVE-2021-43522 Not Affected
CVE-2021-43615 Not Affected
CVE-2021-45969 Not Affected
CVE-2021-45970 Not Affected
CVE-2021-45971 Not Affected
CVE-2022-24030 Not Affected
CVE-2022-24031 Not Affected
CVE-2022-24069 Not Affected
CVE-2022-28806 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Hewlett Packard Enterprise Not Affected

Notified:  2021-10-05 Updated: 2022-04-26

Statement Date:   March 02, 2022

CVE-2020-27339 Not Affected
CVE-2020-5953 Not Affected
CVE-2021-33625 Not Affected
CVE-2021-33626 Not Affected
CVE-2021-33627 Not Affected
CVE-2021-41837 Not Affected
CVE-2021-41838 Not Affected
CVE-2021-41839 Not Affected
CVE-2021-41840 Not Affected
CVE-2021-41841 Not Affected
CVE-2021-42059 Not Affected
CVE-2021-42060 Not Affected
CVE-2021-42113 Not Affected
CVE-2021-42554 Not Affected
CVE-2021-43323 Not Affected
CVE-2021-43522 Not Affected
CVE-2021-43615 Not Affected
CVE-2021-45969 Not Affected
CVE-2021-45970 Not Affected
CVE-2021-45971 Not Affected
CVE-2022-24030 Not Affected
CVE-2022-24031 Not Affected
CVE-2022-24069 Not Affected
CVE-2022-28806 Not Affected

Vendor Statement

HPE has evaluated the integration of the InsydeH2O UEFI BIOS in HPE products. Most HPE products do not integrate, include, or use the InsydeH2O UEFI BIOS and are therefore not affected by these vulnerabilities. A small number of HPE products do include the InsydeH2O UEFI BIOS, but are not affected by these vulnerabilities due to the way the InsydeH2O UEFI BIOS is implemented. Some HPE Aruba products use the InsydeH2O UEFI BIOS and they are affected by some of these vulnerabilities.

DETAILS: For more information about the HPE Aruba products affected by the InsydeH2O UEFI BIOS vulnerabilities, see the following Aruba Product Security Advisories:

https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-001.txt Non-HPE site

https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-002.txt Non-HPE site

Intel Not Affected

Notified:  2021-10-05 Updated: 2022-04-26

Statement Date:   February 04, 2022

CVE-2020-27339 Not Affected
CVE-2020-5953 Not Affected
CVE-2021-33625 Not Affected
CVE-2021-33626 Not Affected
CVE-2021-33627 Not Affected
CVE-2021-41837 Not Affected
CVE-2021-41838 Not Affected
CVE-2021-41839 Not Affected
CVE-2021-41840 Not Affected
CVE-2021-41841 Not Affected
CVE-2021-42059 Not Affected
CVE-2021-42060 Not Affected
CVE-2021-42113 Not Affected
CVE-2021-42554 Not Affected
CVE-2021-43323 Not Affected
CVE-2021-43522 Not Affected
CVE-2021-43615 Not Affected
CVE-2021-45969 Not Affected
CVE-2021-45970 Not Affected
CVE-2021-45971 Not Affected
CVE-2022-24030 Not Affected
CVE-2022-24031 Not Affected
CVE-2022-24069 Not Affected
CVE-2022-28806 Not Affected

Vendor Statement

We have not received a statement from the vendor.

NetApp Not Affected

Notified:  2022-02-25 Updated: 2022-02-25

Statement Date:   February 24, 2022

CVE-2020-27339 Not Affected
CVE-2020-5953 Unknown
CVE-2021-33625 Unknown
CVE-2021-33626 Unknown
CVE-2021-33627 Unknown
CVE-2021-41837 Unknown
CVE-2021-41838 Unknown
CVE-2021-41839 Unknown
CVE-2021-41840 Not Affected
CVE-2021-41841 Unknown
CVE-2021-42059 Not Affected
CVE-2021-42060 Unknown
CVE-2021-42113 Not Affected
CVE-2021-42554 Unknown
CVE-2021-43323 Unknown
CVE-2021-43522 Not Affected
CVE-2021-43615 Not Affected
CVE-2021-45969 Unknown
CVE-2021-45970 Unknown
CVE-2021-45971 Unknown
CVE-2022-24030 Unknown
CVE-2022-24031 Unknown
CVE-2022-24069 Unknown
CVE-2022-28806 Not Affected

Vendor Statement

We have not received a statement from the vendor.

References

CERT Addendum

NetApp is still investigating some of the disclosed vulnerabilities. Visit the NetApp advisory page for details: https://security.netapp.com/advisory/

Phoenix Technologies Not Affected

Notified:  2022-03-24 Updated: 2022-04-26

Statement Date:   March 24, 2022

CVE-2020-27339 Not Affected
CVE-2020-5953 Not Affected
CVE-2021-33625 Not Affected
CVE-2021-33626 Not Affected
CVE-2021-33627 Not Affected
CVE-2021-41837 Not Affected
CVE-2021-41838 Not Affected
CVE-2021-41839 Not Affected
CVE-2021-41840 Not Affected
CVE-2021-41841 Not Affected
CVE-2021-42059 Not Affected
CVE-2021-42060 Not Affected
CVE-2021-42113 Not Affected
CVE-2021-42554 Not Affected
CVE-2021-43323 Not Affected
CVE-2021-43522 Not Affected
CVE-2021-43615 Not Affected
CVE-2021-45969 Not Affected
CVE-2021-45970 Not Affected
CVE-2021-45971 Not Affected
CVE-2022-24030 Not Affected
CVE-2022-24031 Not Affected
CVE-2022-24069 Not Affected
CVE-2022-28806 Not Affected

Vendor Statement

Our review indicates that our firmware code is Not Affected by these vulnerabilities.

Rockwell Automation Not Affected

Notified:  2022-01-26 Updated: 2022-04-26

Statement Date:   January 28, 2022

CVE-2020-27339 Not Affected
CVE-2020-5953 Not Affected
CVE-2021-33625 Not Affected
CVE-2021-33626 Not Affected
CVE-2021-33627 Not Affected
CVE-2021-41837 Not Affected
CVE-2021-41838 Not Affected
CVE-2021-41839 Not Affected
CVE-2021-41840 Not Affected
CVE-2021-41841 Not Affected
CVE-2021-42059 Not Affected
CVE-2021-42060 Not Affected
CVE-2021-42113 Not Affected
CVE-2021-42554 Not Affected
CVE-2021-43323 Not Affected
CVE-2021-43522 Not Affected
CVE-2021-43615 Not Affected
CVE-2021-45969 Not Affected
CVE-2021-45970 Not Affected
CVE-2021-45971 Not Affected
CVE-2022-24030 Not Affected
CVE-2022-24031 Not Affected
CVE-2022-24069 Not Affected
CVE-2022-28806 Not Affected

Vendor Statement

Not affected

References

Supermicro Not Affected

Notified:  2022-01-26 Updated: 2022-04-26

Statement Date:   January 28, 2022

CVE-2020-27339 Not Affected
CVE-2020-5953 Not Affected
CVE-2021-33625 Not Affected
CVE-2021-33626 Not Affected
CVE-2021-33627 Not Affected
CVE-2021-41837 Not Affected
CVE-2021-41838 Not Affected
CVE-2021-41839 Not Affected
CVE-2021-41840 Not Affected
CVE-2021-41841 Not Affected
CVE-2021-42059 Not Affected
CVE-2021-42060 Not Affected
CVE-2021-42113 Not Affected
CVE-2021-42554 Not Affected
CVE-2021-43323 Not Affected
CVE-2021-43522 Not Affected
CVE-2021-43615 Not Affected
CVE-2021-45969 Not Affected
CVE-2021-45970 Not Affected
CVE-2021-45971 Not Affected
CVE-2022-24030 Not Affected
CVE-2022-24031 Not Affected
CVE-2022-24069 Not Affected
CVE-2022-28806 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Toshiba Corporation Not Affected

Notified:  2021-10-05 Updated: 2022-02-01

Statement Date:   October 06, 2021

CVE-2020-27339 Not Affected
CVE-2020-5953 Not Affected
CVE-2021-33625 Not Affected
CVE-2021-33626 Not Affected
CVE-2021-33627 Not Affected
CVE-2021-41837 Not Affected
CVE-2021-41838 Not Affected
CVE-2021-41839 Not Affected
CVE-2021-41840 Not Affected
CVE-2021-41841 Not Affected
CVE-2021-42059 Not Affected
CVE-2021-42060 Not Affected
CVE-2021-42113 Not Affected
CVE-2021-42554 Not Affected
CVE-2021-43323 Not Affected
CVE-2021-43522 Not Affected
CVE-2021-43615 Not Affected
CVE-2021-45969 Not Affected
CVE-2021-45970 Not Affected
CVE-2021-45971 Not Affected
CVE-2022-24030 Not Affected
CVE-2022-24031 Not Affected
CVE-2022-24069 Not Affected
CVE-2022-28806 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Acer Unknown

Notified:  2022-01-26 Updated: 2022-02-01

CVE-2020-27339 Unknown
CVE-2020-5953 Unknown
CVE-2021-33625 Unknown
CVE-2021-33626 Unknown
CVE-2021-33627 Unknown
CVE-2021-41837 Unknown
CVE-2021-41838 Unknown
CVE-2021-41839 Unknown
CVE-2021-41840 Unknown
CVE-2021-41841 Unknown
CVE-2021-42059 Unknown
CVE-2021-42060 Unknown
CVE-2021-42113 Unknown
CVE-2021-42554 Unknown
CVE-2021-43323 Unknown
CVE-2021-43522 Unknown
CVE-2021-43615 Unknown
CVE-2021-45969 Unknown
CVE-2021-45970 Unknown
CVE-2021-45971 Unknown
CVE-2022-24030 Unknown
CVE-2022-24031 Unknown
CVE-2022-24069 Unknown
CVE-2022-28806 Unknown

Vendor Statement

We have not received a statement from the vendor.

ASUSTeK Computer Inc. Unknown

Notified:  2021-10-05 Updated: 2022-02-01

CVE-2020-27339 Unknown
CVE-2020-5953 Unknown
CVE-2021-33625 Unknown
CVE-2021-33626 Unknown
CVE-2021-33627 Unknown
CVE-2021-41837 Unknown
CVE-2021-41838 Unknown
CVE-2021-41839 Unknown
CVE-2021-41840 Unknown
CVE-2021-41841 Unknown
CVE-2021-42059 Unknown
CVE-2021-42060 Unknown
CVE-2021-42113 Unknown
CVE-2021-42554 Unknown
CVE-2021-43323 Unknown
CVE-2021-43522 Unknown
CVE-2021-43615 Unknown
CVE-2021-45969 Unknown
CVE-2021-45970 Unknown
CVE-2021-45971 Unknown
CVE-2022-24030 Unknown
CVE-2022-24031 Unknown
CVE-2022-24069 Unknown
CVE-2022-28806 Unknown

Vendor Statement

We have not received a statement from the vendor.

Dell Unknown

Notified:  2021-10-05 Updated: 2022-02-01

CVE-2020-27339 Unknown
CVE-2020-5953 Unknown
CVE-2021-33625 Unknown
CVE-2021-33626 Unknown
CVE-2021-33627 Unknown
CVE-2021-41837 Unknown
CVE-2021-41838 Unknown
CVE-2021-41839 Unknown
CVE-2021-41840 Unknown
CVE-2021-41841 Unknown
CVE-2021-42059 Unknown
CVE-2021-42060 Unknown
CVE-2021-42113 Unknown
CVE-2021-42554 Unknown
CVE-2021-43323 Unknown
CVE-2021-43522 Unknown
CVE-2021-43615 Unknown
CVE-2021-45969 Unknown
CVE-2021-45970 Unknown
CVE-2021-45971 Unknown
CVE-2022-24030 Unknown
CVE-2022-24031 Unknown
CVE-2022-24069 Unknown
CVE-2022-28806 Unknown

Vendor Statement

We have not received a statement from the vendor.

Dynabook Inc. Unknown

Notified:  2021-10-06 Updated: 2022-02-01

CVE-2020-27339 Unknown
CVE-2020-5953 Unknown
CVE-2021-33625 Unknown
CVE-2021-33626 Unknown
CVE-2021-33627 Unknown
CVE-2021-41837 Unknown
CVE-2021-41838 Unknown
CVE-2021-41839 Unknown
CVE-2021-41840 Unknown
CVE-2021-41841 Unknown
CVE-2021-42059 Unknown
CVE-2021-42060 Unknown
CVE-2021-42113 Unknown
CVE-2021-42554 Unknown
CVE-2021-43323 Unknown
CVE-2021-43522 Unknown
CVE-2021-43615 Unknown
CVE-2021-45969 Unknown
CVE-2021-45970 Unknown
CVE-2021-45971 Unknown
CVE-2022-24030 Unknown
CVE-2022-24031 Unknown
CVE-2022-24069 Unknown
CVE-2022-28806 Unknown

Vendor Statement

We have not received a statement from the vendor.

Gamma Tech Computer Corp. Unknown

Notified:  2022-01-26 Updated: 2022-02-01

CVE-2020-27339 Unknown
CVE-2020-5953 Unknown
CVE-2021-33625 Unknown
CVE-2021-33626 Unknown
CVE-2021-33627 Unknown
CVE-2021-41837 Unknown
CVE-2021-41838 Unknown
CVE-2021-41839 Unknown
CVE-2021-41840 Unknown
CVE-2021-41841 Unknown
CVE-2021-42059 Unknown
CVE-2021-42060 Unknown
CVE-2021-42113 Unknown
CVE-2021-42554 Unknown
CVE-2021-43323 Unknown
CVE-2021-43522 Unknown
CVE-2021-43615 Unknown
CVE-2021-45969 Unknown
CVE-2021-45970 Unknown
CVE-2021-45971 Unknown
CVE-2022-24030 Unknown
CVE-2022-24031 Unknown
CVE-2022-24069 Unknown
CVE-2022-28806 Unknown

Vendor Statement

We have not received a statement from the vendor.

GETAC Inc. Unknown

Notified:  2022-01-26 Updated: 2022-02-01

CVE-2020-27339 Unknown
CVE-2020-5953 Unknown
CVE-2021-33625 Unknown
CVE-2021-33626 Unknown
CVE-2021-33627 Unknown
CVE-2021-41837 Unknown
CVE-2021-41838 Unknown
CVE-2021-41839 Unknown
CVE-2021-41840 Unknown
CVE-2021-41841 Unknown
CVE-2021-42059 Unknown
CVE-2021-42060 Unknown
CVE-2021-42113 Unknown
CVE-2021-42554 Unknown
CVE-2021-43323 Unknown
CVE-2021-43522 Unknown
CVE-2021-43615 Unknown
CVE-2021-45969 Unknown
CVE-2021-45970 Unknown
CVE-2021-45971 Unknown
CVE-2022-24030 Unknown
CVE-2022-24031 Unknown
CVE-2022-24069 Unknown
CVE-2022-28806 Unknown

Vendor Statement

We have not received a statement from the vendor.

HP Inc. Unknown

Notified:  2021-10-05 Updated: 2022-02-01

CVE-2020-27339 Unknown
CVE-2020-5953 Unknown
CVE-2021-33625 Unknown
CVE-2021-33626 Unknown
CVE-2021-33627 Unknown
CVE-2021-41837 Unknown
CVE-2021-41838 Unknown
CVE-2021-41839 Unknown
CVE-2021-41840 Unknown
CVE-2021-41841 Unknown
CVE-2021-42059 Unknown
CVE-2021-42060 Unknown
CVE-2021-42113 Unknown
CVE-2021-42554 Unknown
CVE-2021-43323 Unknown
CVE-2021-43522 Unknown
CVE-2021-43615 Unknown
CVE-2021-45969 Unknown
CVE-2021-45970 Unknown
CVE-2021-45971 Unknown
CVE-2022-24030 Unknown
CVE-2022-24031 Unknown
CVE-2022-24069 Unknown
CVE-2022-28806 Unknown

Vendor Statement

We have not received a statement from the vendor.

Juniper Networks Unknown

Notified:  2022-01-26 Updated: 2022-02-01

CVE-2020-27339 Unknown
CVE-2020-5953 Unknown
CVE-2021-33625 Unknown
CVE-2021-33626 Unknown
CVE-2021-33627 Unknown
CVE-2021-41837 Unknown
CVE-2021-41838 Unknown
CVE-2021-41839 Unknown
CVE-2021-41840 Unknown
CVE-2021-41841 Unknown
CVE-2021-42059 Unknown
CVE-2021-42060 Unknown
CVE-2021-42113 Unknown
CVE-2021-42554 Unknown
CVE-2021-43323 Unknown
CVE-2021-43522 Unknown
CVE-2021-43615 Unknown
CVE-2021-45969 Unknown
CVE-2021-45970 Unknown
CVE-2021-45971 Unknown
CVE-2022-24030 Unknown
CVE-2022-24031 Unknown
CVE-2022-24069 Unknown
CVE-2022-28806 Unknown

Vendor Statement

We have not received a statement from the vendor.

Lenovo Unknown

Notified:  2021-10-05 Updated: 2022-02-01

CVE-2020-27339 Unknown
CVE-2020-5953 Unknown
CVE-2021-33625 Unknown
CVE-2021-33626 Unknown
CVE-2021-33627 Unknown
CVE-2021-41837 Unknown
CVE-2021-41838 Unknown
CVE-2021-41839 Unknown
CVE-2021-41840 Unknown
CVE-2021-41841 Unknown
CVE-2021-42059 Unknown
CVE-2021-42060 Unknown
CVE-2021-42113 Unknown
CVE-2021-42554 Unknown
CVE-2021-43323 Unknown
CVE-2021-43522 Unknown
CVE-2021-43615 Unknown
CVE-2021-45969 Unknown
CVE-2021-45970 Unknown
CVE-2021-45971 Unknown
CVE-2022-24030 Unknown
CVE-2022-24031 Unknown
CVE-2022-24069 Unknown
CVE-2022-28806 Unknown

Vendor Statement

We have not received a statement from the vendor.

Microsoft (Status: Unknown)

Notified: 2021-10-05 | Updated: 2022-02-01

CVE-2020-27339 Unknown
CVE-2020-5953 Unknown
CVE-2021-33625 Unknown
CVE-2021-33626 Unknown
CVE-2021-33627 Unknown
CVE-2021-41837 Unknown
CVE-2021-41838 Unknown
CVE-2021-41839 Unknown
CVE-2021-41840 Unknown
CVE-2021-41841 Unknown
CVE-2021-42059 Unknown
CVE-2021-42060 Unknown
CVE-2021-42113 Unknown
CVE-2021-42554 Unknown
CVE-2021-43323 Unknown
CVE-2021-43522 Unknown
CVE-2021-43615 Unknown
CVE-2021-45969 Unknown
CVE-2021-45970 Unknown
CVE-2021-45971 Unknown
CVE-2022-24030 Unknown
CVE-2022-24031 Unknown
CVE-2022-24069 Unknown
CVE-2022-28806 Unknown

Vendor Statement

We have not received a statement from the vendor.

Microsoft Vulnerability Research (Status: Unknown)

Notified: 2021-10-06 | Updated: 2022-02-01

CVE-2020-27339 Unknown
CVE-2020-5953 Unknown
CVE-2021-33625 Unknown
CVE-2021-33626 Unknown
CVE-2021-33627 Unknown
CVE-2021-41837 Unknown
CVE-2021-41838 Unknown
CVE-2021-41839 Unknown
CVE-2021-41840 Unknown
CVE-2021-41841 Unknown
CVE-2021-42059 Unknown
CVE-2021-42060 Unknown
CVE-2021-42113 Unknown
CVE-2021-42554 Unknown
CVE-2021-43323 Unknown
CVE-2021-43522 Unknown
CVE-2021-43615 Unknown
CVE-2021-45969 Unknown
CVE-2021-45970 Unknown
CVE-2021-45971 Unknown
CVE-2022-24030 Unknown
CVE-2022-24031 Unknown
CVE-2022-24069 Unknown
CVE-2022-28806 Unknown

Vendor Statement

We have not received a statement from the vendor.

ReactOS (Status: Unknown)

Notified: 2022-01-26 | Updated: 2022-02-01

CVE-2020-27339 Unknown
CVE-2020-5953 Unknown
CVE-2021-33625 Unknown
CVE-2021-33626 Unknown
CVE-2021-33627 Unknown
CVE-2021-41837 Unknown
CVE-2021-41838 Unknown
CVE-2021-41839 Unknown
CVE-2021-41840 Unknown
CVE-2021-41841 Unknown
CVE-2021-42059 Unknown
CVE-2021-42060 Unknown
CVE-2021-42113 Unknown
CVE-2021-42554 Unknown
CVE-2021-43323 Unknown
CVE-2021-43522 Unknown
CVE-2021-43615 Unknown
CVE-2021-45969 Unknown
CVE-2021-45970 Unknown
CVE-2021-45971 Unknown
CVE-2022-24030 Unknown
CVE-2022-24031 Unknown
CVE-2022-24069 Unknown
CVE-2022-28806 Unknown

Vendor Statement

We have not received a statement from the vendor.

Siemens (Status: Unknown)

Notified: 2022-01-26 | Updated: 2022-02-01

CVE-2020-27339 Unknown
CVE-2020-5953 Unknown
CVE-2021-33625 Unknown
CVE-2021-33626 Unknown
CVE-2021-33627 Unknown
CVE-2021-41837 Unknown
CVE-2021-41838 Unknown
CVE-2021-41839 Unknown
CVE-2021-41840 Unknown
CVE-2021-41841 Unknown
CVE-2021-42059 Unknown
CVE-2021-42060 Unknown
CVE-2021-42113 Unknown
CVE-2021-42554 Unknown
CVE-2021-43323 Unknown
CVE-2021-43522 Unknown
CVE-2021-43615 Unknown
CVE-2021-45969 Unknown
CVE-2021-45970 Unknown
CVE-2021-45971 Unknown
CVE-2022-24030 Unknown
CVE-2022-24031 Unknown
CVE-2022-24069 Unknown
CVE-2022-28806 Unknown

Vendor Statement

We have not received a statement from the vendor.

Siemens Nixdorf AG (Status: Unknown)

Updated: 2022-02-01

CVE-2020-27339 Unknown
CVE-2020-5953 Unknown
CVE-2021-33625 Unknown
CVE-2021-33626 Unknown
CVE-2021-33627 Unknown
CVE-2021-41837 Unknown
CVE-2021-41838 Unknown
CVE-2021-41839 Unknown
CVE-2021-41840 Unknown
CVE-2021-41841 Unknown
CVE-2021-42059 Unknown
CVE-2021-42060 Unknown
CVE-2021-42113 Unknown
CVE-2021-42554 Unknown
CVE-2021-43323 Unknown
CVE-2021-43522 Unknown
CVE-2021-43615 Unknown
CVE-2021-45969 Unknown
CVE-2021-45970 Unknown
CVE-2021-45971 Unknown
CVE-2022-24030 Unknown
CVE-2022-24031 Unknown
CVE-2022-24069 Unknown
CVE-2022-28806 Unknown

Vendor Statement

We have not received a statement from the vendor.

VAIO Corporation (Status: Unknown)

Notified: 2022-01-26 | Updated: 2022-02-01

CVE-2020-27339 Unknown
CVE-2020-5953 Unknown
CVE-2021-33625 Unknown
CVE-2021-33626 Unknown
CVE-2021-33627 Unknown
CVE-2021-41837 Unknown
CVE-2021-41838 Unknown
CVE-2021-41839 Unknown
CVE-2021-41840 Unknown
CVE-2021-41841 Unknown
CVE-2021-42059 Unknown
CVE-2021-42060 Unknown
CVE-2021-42113 Unknown
CVE-2021-42554 Unknown
CVE-2021-43323 Unknown
CVE-2021-43522 Unknown
CVE-2021-43615 Unknown
CVE-2021-45969 Unknown
CVE-2021-45970 Unknown
CVE-2021-45971 Unknown
CVE-2022-24030 Unknown
CVE-2022-24031 Unknown
CVE-2022-24069 Unknown
CVE-2022-28806 Unknown

Vendor Statement

We have not received a statement from the vendor.

Xerox (Status: Unknown)

Notified: 2022-01-26 | Updated: 2022-02-01

CVE-2020-27339 Unknown
CVE-2020-5953 Unknown
CVE-2021-33625 Unknown
CVE-2021-33626 Unknown
CVE-2021-33627 Unknown
CVE-2021-41837 Unknown
CVE-2021-41838 Unknown
CVE-2021-41839 Unknown
CVE-2021-41840 Unknown
CVE-2021-41841 Unknown
CVE-2021-42059 Unknown
CVE-2021-42060 Unknown
CVE-2021-42113 Unknown
CVE-2021-42554 Unknown
CVE-2021-43323 Unknown
CVE-2021-43522 Unknown
CVE-2021-43615 Unknown
CVE-2021-45969 Unknown
CVE-2021-45970 Unknown
CVE-2021-45971 Unknown
CVE-2022-24030 Unknown
CVE-2022-24031 Unknown
CVE-2022-24069 Unknown
CVE-2022-28806 Unknown

Vendor Statement

We have not received a statement from the vendor.

Other Information

Sponsored by CISA.