GETAC TECHNOLOGY CORPORATION SECURITY UPDATE FOR INSYDEH2O UEFI FIRMWARE VULNERABILITIES
Getac Technology Corporation (“Getac”) is reviewing and assessing the impact of the InsydeH2O UEFI Firmware Vulnerabilities on our products. The security of our products is a top priority and critical to protecting our customers.
INSYDE SECURITY ADVISORY (ISA)
Multiple potential security vulnerabilities in the Insyde® InsydeH2O Hardware-2-Operating System (H2O) UEFI firmware (Insyde® InsydeH2O UEFI-BIOS or the “Product”) may result in compromise of confidentiality, integrity and availability.
Description:
The vulnerabilities are described as follows:
INSYDE-SA-2022/Q1: 2022/Q1 ISA – Insyde® Firmware (InsydeH2O UEFI-BIOS) Advisory
Vulnerabilities | BINARLY ID | CVE ID |
---|---|---|
SMM Callout | BRLY-2021-008 | CVE-2020-5953 |
SMM Callout | BRLY-2021-017 | CVE-2021-41839 |
SMM Callout | BRLY-2021-018 | CVE-2021-41841 |
SMM Callout | BRLY-2021-019 | CVE-2021-41840 |
SMM Callout | BRLY-2021-020 | CVE-2020-27339 |
SMM Callout | BRLY-2021-022 | CVE-2021-42060 |
SMM Callout | BRLY-2021-023 | CVE-2021-42113 |
SMM Callout | BRLY-2021-024 | CVE-2021-43522 |
SMM Callout | BRLY-2021-025 | CVE-2022-24069 |
SMM Callout | BRLY-2021-028 | CVE-2021-43615 |
SMM Memory Corruption | BRLY-2021-009 | CVE-2021-41837 |
SMM Memory Corruption | BRLY-2021-010 | CVE-2021-41838 |
SMM Memory Corruption | BRLY-2021-011 | CVE-2021-33627 |
SMM Memory Corruption | BRLY-2021-012 | CVE-2021-45971 |
SMM Memory Corruption | BRLY-2021-013 | CVE-2021-33626 |
SMM Memory Corruption | BRLY-2021-015 | CVE-2021-45970 |
SMM Memory Corruption | BRLY-2021-016 | CVE-2021-45969 |
SMM Memory Corruption | BRLY-2021-026 | CVE-2022-24030 |
SMM Memory Corruption | BRLY-2021-027 | CVE-2021-42554 |
SMM Memory Corruption | BRLY-2021-029 | CVE-2021-33625 |
SMM Memory Corruption | BRLY-2021-030 | CVE-2022-24031 |
SMM Memory Corruption | BRLY-2021-031 | CVE-2021-43323 |
DXE Memory Corruption | BRLY-2021-021 | CVE-2021-42059 |
Insyde has examined the affected Product and has scheduled the release of various batches of firmware updates for supported InsydeH2O UEFI-BIOS firmware versions that remediate the vulnerabilities as follows.
Potential Impact:
According to the information provided, the potential impact of INSYDE-SA-2022/Q1 is: Loss of Confidentiality, Integrity and Availability.
Advisory References:
Getac Affected Products and Remediations:
No. | Model | BIOS Version | BIOS Release Plan |
---|---|---|---|
1 | F110G6 | R1.07.070520 | 2022/2/25 |
1 | S410G4 | R1.22.070520 | 2022/2/25 |
1 | K120G2 | R1.12.070520 | 2022/2/25 |
2 | F110G5 | R1.16.070520 | 2022/3/4 |
2 | V110G6 | R1.09.070520 | 2022/3/4 |
2 | UX10G2 | R1.14.070520 | 2022/3/4 |
2 | B360 | R1.24.070520 | 2022/3/4 |
2 | A140G2 | R1.10.070520 | 2022/3/4 |
2 | X500G3 | R1.26.070520 | 2022/3/4 |
2 | T800G2 | R1.24.070520 | 2022/3/4 |
3 | A140G1 | R1.20.070520 | 2022/3/23 |
3 | B300G7 | R1.15.070520 | 2022/3/23 |
3 | EX80 | R1.07.070520 | 2022/3/23 |
3 | F110G4 | R1.23.070520 | 2022/3/23 |
3 | K120G1 | R1.15.070520 | 2022/3/23 |
3 | RX10G2 | R1.14.070520 | 2022/3/23 |
3 | S410G2 | R1.26.070520 | 2022/3/23 |
3 | S410G3 | R1.22.070520 | 2022/3/23 |
3 | UX10G1 | R1.17.070520 | 2022/3/23 |
3 | V110G4 | R1.18.070520 | 2022/3/23 |
3 | V110G5 | R1.12.070520 | 2022/3/23 |
* Find out which generation your Getac product model is at https://support.getac.com/Portal/Page/786
Getac urges our valued customers to update the BIOS for each corresponding Getac Model as soon as possible once the release is available to resolve the multiple potential security vulnerabilities in the Insyde® InsydeH2O Hardware-2-Operating System (H2O) UEFI firmware (Insyde® InsydeH2O UEFI-BIOS).
Getac Disclaimer
All content and other information mentioned in this statement or offered arising from the issue described herein are provided on an “as is” basis, without express or implied warranties of any kind. All products, information, and figures specified are preliminary based on current expectations and are subject to change without notice. Getac assessments have been estimated or simulated using Getac internal analysis or architecture simulation or modeling, and may not represent the actual risk to the users’ local installation and individual environment. Users are recommended to determine the applicability of this statement to their individual environments and take appropriate actions. In no event shall Getac or any of its affiliates be liable for any direct, indirect, consequential, punitive, special, or incidental damages arising out of, in connection with, or related to the information contained herein or actions that the user decides to take based thereon (including, without limitation, damages for loss of business, contract, revenue, data, information, or business interruption). Getac reserves the right to interpret this disclaimer and update this disclaimer whenever necessary.
February 11, 2022