CVE-2017-3197 — CRITICAL (9.8)

Vulnerability Description

GIGABYTE BRIX UEFI firmware for the GB-BSi7H-6500 (version F6) and GB-BXi7-5775 (version F2) platforms does not securely implement BIOSWE, BLE, SMM_BWP, and PRx features. As a result, the BIOS is not protected from arbitrary write access and may permit modifications to the SPI flash.

CVSS Score

9.8

CRITICAL

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Gigabyte	Gb-Bsi7H-6500 Firmware	f6
Gigabyte	Gb-Bsi7H-6500	-
Gigabyte	Gb-Bxi7-5775 Firmware	f2
Gigabyte	Gb-Bxi7-5775	-

Related Weaknesses (CWE)

CWE-20 CWE-693

References

http://www.securityfocus.com/bid/97294Third Party AdvisoryVDB Entry
https://github.com/CylanceVulnResearch/disclosures/blob/master/CLVA-2017-01-001.ExploitThird Party Advisory
https://github.com/CylanceVulnResearch/disclosures/blob/master/CLVA-2017-01-002.ExploitThird Party Advisory
https://www.cylance.com/en_us/blog/gigabyte-brix-systems-vulnerabilities.htmlExploitThird Party Advisory
https://www.kb.cert.org/vuls/id/507496Third Party AdvisoryUS Government Resource
http://www.securityfocus.com/bid/97294Third Party AdvisoryVDB Entry
https://github.com/CylanceVulnResearch/disclosures/blob/master/CLVA-2017-01-001.ExploitThird Party Advisory
https://github.com/CylanceVulnResearch/disclosures/blob/master/CLVA-2017-01-002.ExploitThird Party Advisory
https://www.cylance.com/en_us/blog/gigabyte-brix-systems-vulnerabilities.htmlExploitThird Party Advisory
https://www.kb.cert.org/vuls/id/507496Third Party AdvisoryUS Government Resource

FAQ

What is CVE-2017-3197?

CVE-2017-3197 is a vulnerability with a CVSS score of 9.8 (CRITICAL). GIGABYTE BRIX UEFI firmware for the GB-BSi7H-6500 (version F6) and GB-BXi7-5775 (version F2) platforms does not securely implement BIOSWE, BLE, SMM_BWP, and PRx features. As a result, the BIOS is not ...

How severe is CVE-2017-3197?

CVE-2017-3197 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2017-3197?

Check the references section above for vendor advisories and patch information. Affected products include: Gigabyte Gb-Bsi7H-6500 Firmware, Gigabyte Gb-Bsi7H-6500, Gigabyte Gb-Bxi7-5775 Firmware, Gigabyte Gb-Bxi7-5775.