Executive Summary
Summary | |
---|---|
Title | GIGABYTE BRIX UEFI firmware fails to implement write protection and is not cryptographically signed |
Informations | |||
---|---|---|---|
Name | VU#507496 | First vendor Publication | 2017-03-31 |
Vendor | VU-CERT | Last vendor Modification | 2017-03-31 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 10 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Vulnerability Note VU#507496GIGABYTE BRIX UEFI firmware fails to implement write protection and is not cryptographically signedOverviewGIGABYTE BRIX UEFI firmware for the GB-BSi7H-6500 and GB-BXi7-5775 platforms, versions vF6 and vF2 respectively, fails to properly set the BIOSWE, BLE, SMM_BWP, and PRx bits to enforce write protection. It also is not cryptographically signed. These issues may permit an attacker to write arbitrary code to the platform firmware, potentially allowing for persistent firmware level rootkits or the creation of a permanent denial of service condition in the platform. Description
Impact
Solution
Vendor Information (Learn More)
CVSS Metrics (Learn More)
References
CreditThanks to Alex Matrosov of Cylance for reporting these vulnerabilities. This document was written by Joel Land. Other Information
FeedbackIf you have feedback, comments, or additional information about this vulnerability, please send us email. |
Original Source
Url : http://www.kb.cert.org/vuls/id/507496 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
33 % | CWE-347 | Improper Verification of Cryptographic Signature |
33 % | CWE-311 | Missing Encryption of Sensitive Data (CWE/SANS Top 25) |
33 % | CWE-20 | Improper Input Validation |
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Os | 1 | |
Os | 1 |
Alert History
Date | Informations |
---|---|
2018-09-10 17:23:39 |
|
2018-07-10 00:21:04 |
|
2017-03-31 21:20:45 |
|