Critical Vulnerability Information

Vulnerability Identifier
ID: INSYDE-SA-2024016
CVSS Score: 5.3
Product: InsydeH2O

Vulnerability Overview
Summary: VariableRuntimeDxe: Unsafe functions may cause buffer over-read.

Vulnerability Details
CVEs:
- CVE-2024-52877
- CVE-2024-52878
- CVE-2024-52879
- CVE-2024-52880

Detailed Description:
- In the VariableRuntimeDxe driver, the callback function SmmCreateVariableLockList() calls CreateVariableLockListInSmm(). Within CreateVariableLockListInSmm(), StrSize() is used to obtain the size of the variable name, which may lead to a buffer over-read.
- In the VariableRuntimeDxe driver, VariableServicesSetVariable() can be invoked from SMM via gRT->SetVariable(), SmmSetSensitiveVariable(), or SmmInternalSetVariable(). Within VariableServicesSetVariable(), StrSize() is used to get the variable name size, StrLen() to get the variable name length, and StrCmp() to compare strings. These operations may result in a buffer over-read.
- In the VariableRuntimeDxe driver, SmmUpdateVariablePropertySmi() is an SMM callback function that uses StrCmp() to compare variable names. This operation may cause a buffer over-read.
- In the VariableRuntimeDxe driver, SecureBootHandler uses DataSize and VariableNameSize to determine whether data or name is within a buffer. However, these values are provided by the caller and thus cannot be trusted.

Remediation Information
Affected Kernel Versions and Fixed Versions:
- kernel 5.2, Version 05.29.50
- kernel 5.3, Version 05.38.50
- kernel 5.4, Version 05.46.50
- kernel 5.5, Version 05.54.50
- kernel 5.6, Version 05.61.50
- kernel 5.7, Version 05.70.50

Release History
Revision #1: 2025-05-13, Initial Release
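
Added example, not Insyde's code and not part of the advisory: a bounded check for the pattern in the Detailed Description, where a variable name is measured with an unbounded string function and the caller-supplied VariableNameSize and DataSize are trusted. It is written in standard C so it runs outside firmware; the request layout, `HDR_LEN`, the function names and the sample buffers are all hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical request layout: u64 name_size, u64 data_size (LE), name, data. */
#define HDR_LEN 16u

static uint64_t rd64le(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* Bounded stand-in for StrSize(): bytes up to and including the UTF-16 NUL,
   or 0 when no terminator exists inside max_bytes (never reads past it). */
size_t bounded_str_size(const uint8_t *s, size_t max_bytes)
{
    for (size_t off = 0; off + 1 < max_bytes; off += 2)
        if (s[off] == 0 && s[off + 1] == 0)
            return off + 2;
    return 0;
}

/* Returns 1 only if the caller-claimed sizes fit in buf_len and the name is
   NUL-terminated within its claimed size; 0 otherwise. */
int validate_var_request(const uint8_t *buf, size_t buf_len)
{
    if (buf == NULL || buf_len < HDR_LEN)
        return 0;
    uint64_t name_size = rd64le(buf);      /* read once, then use the local copy */
    uint64_t data_size = rd64le(buf + 8);
    uint64_t payload = buf_len - HDR_LEN;

    if (name_size < 2 || (name_size & 1) || name_size > payload)
        return 0;
    if (data_size > payload - name_size)   /* subtraction form cannot wrap */
        return 0;
    return bounded_str_size(buf + HDR_LEN, (size_t)name_size) != 0;
}

/* Constructed sample requests (not captured from any real firmware). */
const uint8_t sample_ok[] = {               /* name "PK" + NUL, 2 data bytes */
    6,0,0,0,0,0,0,0,  2,0,0,0,0,0,0,0,  'P',0,'K',0,0,0,  0xAA,0xBB };
const uint8_t sample_unterminated[] = {     /* 4-byte name, no terminator */
    4,0,0,0,0,0,0,0,  0,0,0,0,0,0,0,0,  'P',0,'K',0 };
const uint8_t sample_oversized_name[] = {   /* claims 0x40 name bytes, 4 present */
    0x40,0,0,0,0,0,0,0,  0,0,0,0,0,0,0,0,  'P',0,0,0 };
const uint8_t sample_wrapping_data[] = {    /* data_size = 2^64-1 */
    4,0,0,0,0,0,0,0,  0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,  'P',0,0,0 };
```

In EDK II code, the bounded counterparts of StrLen() and StrSize() are StrnLenS() and StrnSizeS() from BaseLib.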