CVE-2021-33625 — HIGH (7.5)

Q: How severe is CVE-2021-33625?

CVE-2021-33625 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-33625?

Check the references section above for vendor advisories and patch information. Affected products include: Insyde Insydeh2O, Netapp Fas\/Aff Bios, Siemens Ruggedcom Ape1808 Firmware, Siemens Ruggedcom Ape1808, Siemens Simatic Field Pg M5 Firmware.

Vulnerability Description

An issue was discovered in Kernel 5.x in Insyde InsydeH2O, affecting HddPassword. Software SMI services that use the Communicate() function of the EFI_SMM_COMMUNICATION_PROTOCOL do not check whether the address of the buffer is valid, which allows use of SMRAM, MMIO, or OS kernel addresses.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Insyde	Insydeh2O	>= 5.1, < 5.16.23
Netapp	Fas\/Aff Bios	-
Siemens	Ruggedcom Ape1808 Firmware	-
Siemens	Ruggedcom Ape1808	-
Siemens	Simatic Field Pg M5 Firmware	-
Siemens	Simatic Field Pg M5	-
Siemens	Simatic Ipc127E Firmware	-
Siemens	Simatic Ipc127E	-
Siemens	Simatic Itp1000 Firmware	-
Siemens	Simatic Itp1000	-
Siemens	Simatic Ipc277G Firmware	-
Siemens	Simatic Ipc277G	-
Siemens	Simatic Ipc227G Firmware	-
Siemens	Simatic Ipc227G	-
Siemens	Simatic Ipc327G Firmware	-
Siemens	Simatic Ipc327G	-
Siemens	Simatic Ipc377G Firmware	-
Siemens	Simatic Ipc377G	-
Siemens	Simatic Ipc427E Firmware	-
Siemens	Simatic Ipc427E	-

Related Weaknesses (CWE)

CWE-119

References

https://cert-portal.siemens.com/productcert/pdf/ssa-306654.pdfThird Party Advisory
https://security.netapp.com/advisory/ntap-20220222-0004/Third Party Advisory
https://www.insyde.com/security-pledgeVendor Advisory
https://www.insyde.com/security-pledge/SA-2022014Vendor Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-306654.pdfThird Party Advisory
https://security.netapp.com/advisory/ntap-20220222-0004/Third Party Advisory
https://www.insyde.com/security-pledgeVendor Advisory
https://www.insyde.com/security-pledge/SA-2022014Vendor Advisory
https://www.kb.cert.org/vuls/id/796611

FAQ

What is CVE-2021-33625?

CVE-2021-33625 is a vulnerability with a CVSS score of 7.5 (HIGH). An issue was discovered in Kernel 5.x in Insyde InsydeH2O, affecting HddPassword. Software SMI services that use the Communicate() function of the EFI_SMM_COMMUNICATION_PROTOCOL do not check whether t...

How severe is CVE-2021-33625?

CVE-2021-33625 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-33625?

Check the references section above for vendor advisories and patch information. Affected products include: Insyde Insydeh2O, Netapp Fas\/Aff Bios, Siemens Ruggedcom Ape1808 Firmware, Siemens Ruggedcom Ape1808, Siemens Simatic Field Pg M5 Firmware.