CVE-2017-3198
CVSS v3.0 Base Score: 9.8
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 / Impact: 5.9
Source: NVD
Description
GIGABYTE BRIX UEFI firmware does not cryptographically validate images prior to updating the system firmware. Additionally, the firmware updates are served over HTTP. An attacker can make arbitrary modifications to firmware images without being detected.
Affected (2)
Products: Gigabyte: Gb Bsi7h 6500 Firmware, Gb Bxi7 5775 Firmware
Configuration A

| Vulnerable Software | Affected Versions |
|---|---|
| Gigabyte Gb Bsi7h 6500 Firmware | Version f6 |

| Running on/with | Platform Versions |
|---|---|
| Gigabyte Gb Bsi7h 6500 | All versions |

Configuration B

| Vulnerable Software | Affected Versions |
|---|---|
| Gigabyte Gb Bxi7 5775 Firmware | Version f2 |

| Running on/with | Platform Versions |
|---|---|
| Gigabyte Gb Bxi7 5775 | All versions |
Related CWEs
CWE-311
Missing Encryption of Sensitive Data
The product does not encrypt sensitive or critical information before storage or transmission.
CWE-345
Insufficient Verification of Data Authenticity
The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
CWE-347
Improper Verification of Cryptographic Signature
The product does not verify, or incorrectly verifies, the cryptographic signature for data.
References (6)
Source: cret@cert.org (Exploit, Third Party Advisory)
Source: cret@cert.org (Third Party Advisory, US Government Resource)
Source: af854a3a-2127-422b-91ae-364da2661108 (Third Party Advisory, VDB Entry)
Source: af854a3a-2127-422b-91ae-364da2661108 (Exploit, Third Party Advisory)
Source: af854a3a-2127-422b-91ae-364da2661108 (Third Party Advisory, US Government Resource)
Timeline
No history available yet.