Full Report
Insyde has published information on vulnerabilities in Insyde BIOS up to August 2023. These vulnerabilities also affect the RUGGEDCOM APE1808 product family. Siemens has released updates for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Insyde BIOS Vulnerabilities in RUGGEDCOM APE1808
## CVE Details
- **CVE ID:** CVE-2023-28216, CVE-2023-22616, CVE-2022-30771, CVE-2023-24932, CVE-2023-31041, CVE-2023-27373
- **CVSS Score:** 8.2 (High) - *highest per-CVE base score in the advisory; CVSS scores are assigned per CVE and are not summed or aggregated*
- **CWE:** CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-20 (Improper Input Validation), CWE-358 (Improperly Implemented Security Check), CWE-256 (Plaintext Storage of a Password).
## Affected Systems
- **Products:** RUGGEDCOM APE1808 family including:
- ADM, ADM CC, CKP, CKP CC, CLOUDCONNECT, CLOUDCONNECT CC, ELAN, ELAN CC, SAM-L, SAM-L CC, CLA-P, CLA-P CC, CLA-S1, CLA-S1 CC, CLA-S3, CLA-S3 CC.
- **Versions:** All BIOS versions prior to V1.0.212N.
- **Configurations:** Systems utilizing InsydeH2O kernel versions 5.0 through 5.5.
## Vulnerability Description
Multiple vulnerabilities exist in the Insyde BIOS used by RUGGEDCOM APE1808 modules:
- **Memory Corruption (CVE-2023-28216):** A buffer overflow in the `UsbBusDxe` driver during the handling of USB descriptors.
- **SMM Code Execution (CVE-2022-30771):** Improper validation in `BlockServiceSmm`: the SMI handler dereferences pointers to UEFI boot services that live outside SMRAM. An attacker who can write that memory replaces the pointers and then triggers the handler via a software SMI, obtaining arbitrary code execution in System Management Mode (SMM).
- **Secure Boot Bypass (CVE-2023-24932):** Improper security checks allow an attacker with administrative rights or physical access to install an affected boot policy and bypass Secure Boot.
- **Input Validation (CVE-2023-27373 / CVE-2023-22616):** Tampering with EFI variables, which is possible from the operating system on some systems, can cause PCI Base Address Register (BAR) settings to overlap SMRAM or trigger memory corruption.
- **Information Disclosure (CVE-2023-31041):** System passwords may be stored in cleartext by the `SysPasswordDxe` module.
## Exploitation
- **Status:** The advisory's temporal CVSS vectors carry `E:P` (Proof-of-Concept). CVSS v3.1 defines this as proof-of-concept code or an attack demonstration existing, not as weaponized or in-the-wild exploitation.
- **Complexity:** Ranges from Low to High, depending on the specific CVE.
- **Attack Vector:** Local (most CVEs require local administrative access) or Physical.
## Impact
- **Confidentiality:** High (Cleartext passwords and SMM memory access).
- **Integrity:** High (Ability to modify BIOS/SMM and bypass Secure Boot).
- **Availability:** High (Potential for system bricking or denial of service).
## Remediation
### Patches
- **Update to BIOS V1.0.212N or later.**
- Downloads are available via the Siemens Industry Online Support portal: hxxps://support[.]industry[.]siemens[.]com/cs/in/en/view/109814796
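The first thing a practitioner wants is a fleet-wide answer to "which modules are still below V1.0.212N?". The following is an added example, not code from Siemens or Insyde. It assumes the BIOS version is exposed through SMBIOS/DMI in the same form the advisory uses (`V1.0.212N`); the exact string on a real module, the `dmidecode` sample and the host inventory below are constructed for illustration.

```python
"""Compare APE1808 BIOS versions against the fixed release V1.0.212N.

Added example (not from the advisory). Assumes the SMBIOS "BIOS Version" field uses
the advisory's form "V<major>.<minor>.<build><suffix>"; that format is an assumption.
"""
import re
from pathlib import Path

FIXED_VERSION = "V1.0.212N"  # fixed version named in the advisory

# Optional leading "V", three numeric components, optional trailing letter suffix.
_VERSION_RE = re.compile(r"^\s*V?(\d+)\.(\d+)\.(\d+)([A-Za-z]*)\s*$")


def parse_version(text):
    """Return (major, minor, build, suffix) for strings like 'V1.0.212N'.

    Raises ValueError for anything that does not match the assumed format, so an
    unrecognised string is never silently treated as patched.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised BIOS version string: {text!r}")
    major, minor, build, suffix = m.groups()
    return (int(major), int(minor), int(build), suffix.upper())


def is_patched(version_text, fixed=FIXED_VERSION):
    """True when version_text is at or above the fixed version.

    Numeric components compare numerically (1.0.212 > 1.0.99). On the same numeric
    release the suffix decides, and a missing suffix sorts below 'N', which is the
    conservative outcome when the device reports an unexpected variant.
    """
    return parse_version(version_text) >= parse_version(fixed)


def bios_version_from_dmidecode(text):
    """Extract the Version field of the 'BIOS Information' (SMBIOS type 0) block
    from `dmidecode -t bios` output."""
    in_bios = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "BIOS Information":
            in_bios = True
            continue
        if in_bios and stripped.startswith("Handle "):
            in_bios = False  # left the type 0 block without finding a Version
        if in_bios and stripped.startswith("Version:"):
            return stripped.split(":", 1)[1].strip()
    raise ValueError("no BIOS Information block with a Version field found")


def read_sysfs_bios_version(path="/sys/class/dmi/id/bios_version"):
    """Read the BIOS version from Linux sysfs (readable without root on most kernels)."""
    return Path(path).read_text().strip()


def triage(hosts, fixed=FIXED_VERSION):
    """Classify an inventory {hostname: bios_version_string} for an update campaign."""
    report = {}
    for host, version in hosts.items():
        try:
            report[host] = "patched" if is_patched(version, fixed) else "needs-update"
        except ValueError:
            report[host] = "unknown-version"  # investigate manually, never assume patched
    return report


# Constructed sample of `dmidecode -t bios` output (not captured from a real module).
SAMPLE_DMIDECODE = """\
# dmidecode 3.3
Getting SMBIOS data from sysfs.
SMBIOS 3.2 present.

Handle 0x0000, DMI type 0, 26 bytes
BIOS Information
\tVendor: INSYDE Corp.
\tVersion: V1.0.210N
\tRelease Date: 01/01/2023
"""

# Constructed inventory, e.g. as collected by a configuration-management tool.
SAMPLE_FLEET = {
    "ape1808-site-a": "V1.0.212N",
    "ape1808-site-b": "V1.0.210N",
    "ape1808-site-c": "unknown",
}

if __name__ == "__main__":
    try:
        print("this host:", read_sysfs_bios_version(), is_patched(read_sysfs_bios_version()))
    except (OSError, ValueError) as exc:
        print("this host: could not determine BIOS version:", exc)
    print("fleet:", triage(SAMPLE_FLEET))
```

Feed `triage()` with whatever your inventory tool already collects (sysfs on Linux, `Win32_BIOS.SMBIOSBIOSVersion` on Windows) and treat every `unknown-version` entry as unpatched until checked by hand.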
### Workarounds
- Siemens has not provided vulnerability-specific workarounds. Until the BIOS update is applied, restrict physical access and local administrative access to the modules (most of the listed CVEs require one or the other) and apply the monitoring described under "Detection" to reduce risk.
## Detection
- Monitor for unauthorized attempts to flash BIOS or modify UEFI variables.
- Strictly control local administrative rights on the modules, as many of these flaws require elevated local privileges for exploitation; this is a preventive control that also narrows the set of accounts whose activity needs to be monitored.
- Audit for the presence of physical hardware implants or unauthorized USB devices attached to the APE1808 modules.
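Monitoring UEFI variable modification from the operating system can be done with a baseline-and-diff of efivarfs, which exposes each variable as a file whose first four bytes are the attribute mask followed by the data. The following is an added example, not part of the advisory or any Siemens/Insyde tooling. It assumes a Linux host with efivarfs mounted at `/sys/firmware/efi/efivars` (the kernel default); the variable names in the allowlist and in `demo()` are constructed for illustration.

```python
"""Baseline-and-diff check for UEFI variable tampering via Linux efivarfs.

Added example (not from the advisory). Assumes efivarfs at /sys/firmware/efi/efivars;
the ignore list and the demo variables are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # EFI_GLOBAL_VARIABLE vendor GUID

# Variables that legitimately change across boots; extend after observing a clean system.
IGNORE = {f"BootCurrent-{EFI_GLOBAL}"}


def snapshot(efivars_dir=EFIVARS):
    """Return {name: sha256 hex} over each variable file (attribute mask + data)."""
    state = {}
    for entry in sorted(Path(efivars_dir).iterdir()):
        if not entry.is_file():
            continue
        try:
            content = entry.read_bytes()
        except OSError:
            content = b"<unreadable>"  # some variables fail to read at runtime; still tracked
        state[entry.name] = hashlib.sha256(content).hexdigest()
    return state


def diff(before, after, ignore=IGNORE):
    """Variables that appeared, disappeared or changed between two snapshots."""
    b = {k: v for k, v in before.items() if k not in ignore}
    a = {k: v for k, v in after.items() if k not in ignore}
    return {
        "added": sorted(set(a) - set(b)),
        "removed": sorted(set(b) - set(a)),
        "changed": sorted(n for n in set(a) & set(b) if a[n] != b[n]),
    }


def has_changes(report):
    return any(report[key] for key in ("added", "removed", "changed"))


def save_baseline(state, path):
    Path(path).write_text(json.dumps(state, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo():
    """Run the check against a temporary directory standing in for efivarfs (constructed data)."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        attrs = (7).to_bytes(4, "little")  # constructed NV|BS|RT attribute prefix
        (d / f"SecureBoot-{EFI_GLOBAL}").write_bytes(attrs + b"\x01")
        (d / f"SetupMode-{EFI_GLOBAL}").write_bytes(attrs + b"\x00")
        (d / f"BootCurrent-{EFI_GLOBAL}").write_bytes(attrs + b"\x00\x00")
        baseline = snapshot(d)
        # Simulate tampering: one variable's data flipped, a new vendor variable written,
        # and a benign per-boot variable changing (which the ignore list suppresses).
        (d / f"SetupMode-{EFI_GLOBAL}").write_bytes(attrs + b"\x01")
        (d / "VendorSetup-0a1b2c3d-0000-4000-8000-000000000001").write_bytes(attrs + b"\xff")
        (d / f"BootCurrent-{EFI_GLOBAL}").write_bytes(attrs + b"\x01\x00")
        return diff(baseline, snapshot(d))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Take the baseline at commissioning (`save_baseline(snapshot(), "/var/lib/efivars-baseline.json")`), re-run `diff(load_baseline(...), snapshot())` from a scheduled job and alert on `has_changes()`. This is an OS-side control only: code already running in SMM or in the BIOS can hide from it, so it complements, rather than replaces, the firmware update.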
## References
- **Siemens Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/pdf/ssa-957369[.]pdf
- **Insyde Security Pledge:** hxxps://www[.]insyde[.]com/security-pledge
- **Siemens ProductCERT:** hxxps://www[.]siemens[.]com/cert/advisories