CVE-2017-3197 - OpenCVE

GIGABYTE BRIX UEFI firmware for the GB-BSi7H-6500 (version F6) and GB-BXi7-5775 (version F2) platforms does not securely implement BIOSWE, BLE, SMM_BWP, and PRx features. As a result, the BIOS is not protected from arbitrary write access and may permit modifications to the SPI flash.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:N/C:C/I:C/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Gigabyte	Gb-bsi7h-6500 Gb-bsi7h-6500 Firmware Gb-bxi7-5775 Gb-bxi7-5775 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:gigabyte:gb-bsi7h-6500_firmware:f6:*:*:*:*:*:*:*

cpe:2.3:h:gigabyte:gb-bsi7h-6500:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:gigabyte:gb-bxi7-5775_firmware:f2:*:*:*:*:*:*:*

cpe:2.3:h:gigabyte:gb-bxi7-5775:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.securityfocus.com/bid/97294
https://github.com/CylanceVulnResearch/disclosures/blob/master/CLVA-2017-01-001.md
https://github.com/CylanceVulnResearch/disclosures/blob/master/CLVA-2017-01-002.md
https://www.cylance.com/en_us/blog/gigabyte-brix-systems-vulnerabilities.html
https://www.kb.cert.org/vuls/id/507496

History

No history.

MITRE

Status: PUBLISHED

Assigner: certcc

Published: 2018-07-09T19:00:00

Updated: 2024-08-05T14:16:28.250Z

Reserved: 2016-12-05T00:00:00

Link: CVE-2017-3197

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-07-09T19:29:00.247

Modified: 2019-10-09T23:27:21.853

Link: CVE-2017-3197

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "GB-BSi7H-6500", "vendor": "GIGABYTE", "versions": [{"status": "affected", "version": "F6"}]}, {"product": "GB-BXi7-5775", "vendor": "GIGABYTE", "versions": [{"status": "affected", "version": "F2"}]}], "datePublic": "2017-03-31T00:00:00", "descriptions": [{"lang": "en", "value": "GIGABYTE BRIX UEFI firmware for the GB-BSi7H-6500 (version F6) and GB-BXi7-5775 (version F2) platforms does not securely implement BIOSWE, BLE, SMM_BWP, and PRx features. As a result, the BIOS is not protected from arbitrary write access and may permit modifications to the SPI flash."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-693", "description": "CWE-693: Protection Mechanism Failure", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-07-09T18:57:01", "orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/CylanceVulnResearch/disclosures/blob/master/CLVA-2017-01-001.md"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/CylanceVulnResearch/disclosures/blob/master/CLVA-2017-01-002.md"}, {"name": "VU#507496", "tags": ["third-party-advisory", "x_refsource_CERT-VN"], "url": "https://www.kb.cert.org/vuls/id/507496"}, {"name": "97294", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/97294"}, {"tags": ["x_refsource_MISC"], "url": "https://www.cylance.com/en_us/blog/gigabyte-brix-systems-vulnerabilities.html"}], "source": {"discovery": "UNKNOWN"}, "title": "GIGABYTE BRIX UEFI firmware fails to securely implement BIOS write protection", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cert@cert.org", "ID": "CVE-2017-3197", "STATE": "PUBLIC", "TITLE": "GIGABYTE BRIX UEFI firmware fails to securely implement BIOS write protection"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "GB-BSi7H-6500", "version": {"version_data": [{"affected": "=", "version_affected": "=", "version_name": "F6", "version_value": "F6"}]}}, {"product_name": "GB-BXi7-5775", "version": {"version_data": [{"affected": "=", "version_affected": "=", "version_name": "F2", "version_value": "F2"}]}}]}, "vendor_name": "GIGABYTE"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "GIGABYTE BRIX UEFI firmware for the GB-BSi7H-6500 (version F6) and GB-BXi7-5775 (version F2) platforms does not securely implement BIOSWE, BLE, SMM_BWP, and PRx features. As a result, the BIOS is not protected from arbitrary write access and may permit modifications to the SPI flash."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-693: Protection Mechanism Failure"}]}]}, "references": {"reference_data": [{"name": "https://github.com/CylanceVulnResearch/disclosures/blob/master/CLVA-2017-01-001.md", "refsource": "MISC", "url": "https://github.com/CylanceVulnResearch/disclosures/blob/master/CLVA-2017-01-001.md"}, {"name": "https://github.com/CylanceVulnResearch/disclosures/blob/master/CLVA-2017-01-002.md", "refsource": "MISC", "url": "https://github.com/CylanceVulnResearch/disclosures/blob/master/CLVA-2017-01-002.md"}, {"name": "VU#507496", "refsource": "CERT-VN", "url": "https://www.kb.cert.org/vuls/id/507496"}, {"name": "97294", "refsource": "BID", "url": "http://www.securityfocus.com/bid/97294"}, {"name": "https://www.cylance.com/en_us/blog/gigabyte-brix-systems-vulnerabilities.html", "refsource": "MISC", "url": "https://www.cylance.com/en_us/blog/gigabyte-brix-systems-vulnerabilities.html"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T14:16:28.250Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/CylanceVulnResearch/disclosures/blob/master/CLVA-2017-01-001.md"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/CylanceVulnResearch/disclosures/blob/master/CLVA-2017-01-002.md"}, {"name": "VU#507496", "tags": ["third-party-advisory", "x_refsource_CERT-VN", "x_transferred"], "url": "https://www.kb.cert.org/vuls/id/507496"}, {"name": "97294", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/97294"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.cylance.com/en_us/blog/gigabyte-brix-systems-vulnerabilities.html"}]}]}, "cveMetadata": {"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "assignerShortName": "certcc", "cveId": "CVE-2017-3197", "datePublished": "2018-07-09T19:00:00", "dateReserved": "2016-12-05T00:00:00", "dateUpdated": "2024-08-05T14:16:28.250Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:gigabyte:gb-bsi7h-6500_firmware:f6:*:*:*:*:*:*:*", "matchCriteriaId": "A7A53C8F-B252-4602-9356-F77A7650F5D5", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:gigabyte:gb-bsi7h-6500:-:*:*:*:*:*:*:*", "matchCriteriaId": "5B912BED-19DC-44B7-B06F-4CDF9135FB5B", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:gigabyte:gb-bxi7-5775_firmware:f2:*:*:*:*:*:*:*", "matchCriteriaId": "86E43347-B80C-45F4-AA26-A4ADA1F02CF2", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:gigabyte:gb-bxi7-5775:-:*:*:*:*:*:*:*", "matchCriteriaId": "2564C261-8E5D-4EE6-A785-47DA1E7E0730", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "GIGABYTE BRIX UEFI firmware for the GB-BSi7H-6500 (version F6) and GB-BXi7-5775 (version F2) platforms does not securely implement BIOSWE, BLE, SMM_BWP, and PRx features. As a result, the BIOS is not protected from arbitrary write access and may permit modifications to the SPI flash."}, {"lang": "es", "value": "El firmware de GIGABYTE BRIX UEFI para las plataformas GB-BSi7H-6500 (versi\u00f3n F6) y GB-BXi7-5775 (versi\u00f3n F2) no implementa las caracter\u00edsticas BIOSWE, BLE, SMM_BWP, y PRx de manera segura. En consecuencia, la BIOS no est\u00e1 protegida del acceso de escritura arbitraria y podr\u00eda permitir modificaciones en el flash SPI."}], "id": "CVE-2017-3197", "lastModified": "2019-10-09T23:27:21.853", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-07-09T19:29:00.247", "references": [{"source": "cret@cert.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/97294"}, {"source": "cret@cert.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/CylanceVulnResearch/disclosures/blob/master/CLVA-2017-01-001.md"}, {"source": "cret@cert.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/CylanceVulnResearch/disclosures/blob/master/CLVA-2017-01-002.md"}, {"source": "cret@cert.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.cylance.com/en_us/blog/gigabyte-brix-systems-vulnerabilities.html"}, {"source": "cret@cert.org", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.kb.cert.org/vuls/id/507496"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-693"}], "source": "cret@cert.org", "type": "Secondary"}]}