CVE-2021-33627 — HIGH (8.2)

Q: How severe is CVE-2021-33627?

CVE-2021-33627 has been rated HIGH with a CVSS base score of 8.2/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-33627?

Check the references section above for vendor advisories and patch information. Affected products include: Insyde Insydeh2O, Siemens Simatic Field Pg M5 Firmware, Siemens Simatic Field Pg M5, Siemens Simatic Field Pg M6 Firmware, Siemens Simatic Field Pg M6.

Vulnerability Description

An issue was discovered in Insyde InsydeH2O Kernel 5.0 before 05.09.11, 5.1 before 05.17.11, 5.2 before 05.27.11, 5.3 before 05.36.11, 5.4 before 05.44.11, and 5.5 before 05.52.11 affecting FwBlockServiceSmm. Software SMI services that use the Communicate() function of the EFI_SMM_COMMUNICATION_PROTOCOL do not check whether the address of the buffer is valid, which allows use of SMRAM, MMIO, or OS kernel addresses.

CVSS Score

8.2

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Insyde	Insydeh2O	>= 5.0, < 5.08.29
Siemens	Simatic Field Pg M5 Firmware	All versions
Siemens	Simatic Field Pg M5	-
Siemens	Simatic Field Pg M6 Firmware	All versions
Siemens	Simatic Field Pg M6	-
Siemens	Simatic Ipc127E Firmware	All versions
Siemens	Simatic Ipc127E	-
Siemens	Simatic Ipc227G Firmware	All versions
Siemens	Simatic Ipc227G	-
Siemens	Simatic Ipc277G Firmware	All versions
Siemens	Simatic Ipc277G	-
Siemens	Simatic Ipc327G Firmware	All versions
Siemens	Simatic Ipc327G	-
Siemens	Simatic Ipc377G Firmware	All versions
Siemens	Simatic Ipc377G	-
Siemens	Simatic Ipc427E Firmware	All versions
Siemens	Simatic Ipc427E	-
Siemens	Simatic Ipc477E Firmware	All versions
Siemens	Simatic Ipc477E	-
Siemens	Simatic Ipc627E Firmware	All versions

Related Weaknesses (CWE)

CWE-119

References

https://cert-portal.siemens.com/productcert/pdf/ssa-306654.pdfThird Party Advisory
https://security.netapp.com/advisory/ntap-20220222-0002/Third Party Advisory
https://www.insyde.com/security-pledgeVendor Advisory
https://www.insyde.com/security-pledge/SA-2022022Vendor Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-306654.pdfThird Party Advisory
https://security.netapp.com/advisory/ntap-20220222-0002/Third Party Advisory
https://www.insyde.com/security-pledgeVendor Advisory
https://www.insyde.com/security-pledge/SA-2022022Vendor Advisory
https://www.kb.cert.org/vuls/id/796611

FAQ

What is CVE-2021-33627?

CVE-2021-33627 is a vulnerability with a CVSS score of 8.2 (HIGH). An issue was discovered in Insyde InsydeH2O Kernel 5.0 before 05.09.11, 5.1 before 05.17.11, 5.2 before 05.27.11, 5.3 before 05.36.11, 5.4 before 05.44.11, and 5.5 before 05.52.11 affecting FwBlockSer...

How severe is CVE-2021-33627?

CVE-2021-33627 has been rated HIGH with a CVSS base score of 8.2/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-33627?

Check the references section above for vendor advisories and patch information. Affected products include: Insyde Insydeh2O, Siemens Simatic Field Pg M5 Firmware, Siemens Simatic Field Pg M5, Siemens Simatic Field Pg M6 Firmware, Siemens Simatic Field Pg M6.