CVE-2022-30283: n/a in n/a
Description
In UsbCoreDxe, tampering with the contents of the USB working buffer using DMA while certain USB transactions are in process leads to a TOCTOU problem that could be used by an attacker to cause SMRAM corruption and escalation of privileges. The UsbCoreDxe module creates a working buffer for USB transactions outside of SMRAM. The code which uses it can be inside of SMM, making the working buffer untrusted input. The buffer can be corrupted by DMA transfers. The SMM code attempts to sanitize pointers to ensure all pointers refer to the working buffer, but when a pointer is not found in the list of pointers to sanitize, the current action is not aborted, leading to undefined behavior. This issue was discovered by Insyde engineering based on the general description provided by Intel's iSTARE group. Fixed in: Kernel 5.0: Version 05.09.21; Kernel 5.1: Version 05.17.21; Kernel 5.2: Version 05.27.21; Kernel 5.3: Version 05.36.21; Kernel 5.4: Version 05.44.21; Kernel 5.5: Version 05.52.21. https://www.insyde.com/security-pledge/SA-2022063
AI Analysis
Technical Summary
CVE-2022-30283 is a high-severity vulnerability in UsbCoreDxe, the USB core driver in Insyde's InsydeH2O UEFI firmware. UsbCoreDxe allocates a working buffer for USB transactions outside System Management RAM (SMRAM), the memory region reserved for System Management Mode (SMM) code, because the USB host controller has to be able to reach that buffer by DMA; the code that consumes the buffer, however, can itself run inside SMM. That makes the buffer untrusted input: the host controller, or any other DMA-capable agent, can rewrite its contents while a transaction is in flight, including after the SMM code has already inspected it, which is the Time-Of-Check to Time-Of-Use (TOCTOU) race classified as CWE-367. The SMM code does try to sanitize the pointers held in the buffer so that every one of them refers back into the working buffer, but it only handles the pointers on its sanitize list; when a pointer is not found on that list, the current transaction is not aborted and the unchecked pointer is used anyway, which is undefined behavior and can be steered into a write inside SMRAM. Corrupting SMRAM from a lower privilege level is the route to running attacker-controlled code in SMM, the most privileged execution mode on the platform, underneath the hypervisor and the operating system. The issue was found by Insyde engineering working from a general description supplied by Intel's iSTARE group, and fixes are published for Insyde kernel 5.0 through 5.5 (the exact fixed build for each kernel is listed in the description above). The CVSS 3.1 base score is 7.5 (High); the vector is local attack vector, high attack complexity, high privileges required, no user interaction, changed scope, and high impact on confidentiality, integrity and availability. In practice the attacker needs either a malicious or compromised DMA-capable device or enough privilege on the host to program a DMA engine, and must then win the race against the SMM handler. No exploitation in the wild has been reported. The bug still matters because a successful exploit executes in SMM, from where OS-level security controls can be bypassed and the whole system compromised.
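The check-then-use pattern the summary describes, as a constructed C model added here; it is not UsbCoreDxe code, and the request layout, field names, handler functions and the memory model (two plain arrays standing in for the working buffer and SMRAM) are assumptions. The vulnerable handler validates the request in place inside the DMA-writable buffer, leaves alone the field its sanitize list does not cover rather than aborting, and re-reads the shared buffer when it acts; the hardened handler copies the request into SMRAM first, rejects any pointer that does not land inside the working buffer, and never touches the shared copy again. A hook stands in for a DMA write that lands between the check and the use.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A USB transfer request as the SMM handler sees it (assumed layout). Both
 * pointers are expected to refer to memory inside the working buffer. */
typedef struct {
    uint8_t  *data;     /* transfer payload */
    uint32_t  len;
    uint32_t *status;   /* completion code written back by the handler */
} usb_request_t;

/* Constructed memory model. g_work stands in for the working buffer that lives
 * outside SMRAM and that the host controller (or any DMA agent) can rewrite at
 * any moment; g_smram stands in for SMRAM, filled with a canary that the SMM
 * handler must never write. */
#define WORK_SIZE    1024
#define SMRAM_WORDS  64
#define SMRAM_CANARY 0xC0FFEE00u
static _Alignas(usb_request_t) uint8_t g_work[WORK_SIZE];
static uint32_t g_smram[SMRAM_WORDS];

/* "DMA": a hook the scenario runner invokes between a handler's check and its
 * use, standing in for a device write that lands at exactly that moment. */
typedef void (*dma_hook_t)(usb_request_t *shared_req);

static bool in_work_buffer(const void *p, size_t n)
{
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)g_work, hi = lo + WORK_SIZE;
    return a >= lo && a <= hi && n <= hi - a;
}

/* Vulnerable pattern, modelled on the advisory's wording (not Insyde's code):
 *  - pointers are checked in place, inside the DMA-writable buffer;
 *  - only fields on the handler's sanitize list are touched (here: data);
 *    a field the list does not cover (status) is neither fixed nor fatal;
 *  - the handler then re-reads the fields from the shared buffer to use them. */
int handle_vulnerable(usb_request_t *shared_req, dma_hook_t dma)
{
    if (!in_work_buffer(shared_req->data, shared_req->len)) {   /* check */
        shared_req->data = g_work;          /* clamp the listed field, keep going */
        shared_req->len  = 0;
    }
    /* status: not on the list, so nothing happens and the request proceeds */

    if (dma) dma(shared_req);               /* the race: DMA lands after the check */

    memset(shared_req->data, 0, shared_req->len);   /* use: re-read from shared memory */
    *shared_req->status = 0;
    return 0;
}

/* Hardened pattern: snapshot the request into SMRAM once, validate every
 * pointer on the snapshot, fail closed on any miss, and use only the snapshot. */
int handle_hardened(usb_request_t *shared_req, dma_hook_t dma)
{
    usb_request_t local;
    memcpy(&local, shared_req, sizeof local);               /* single read */

    if (!in_work_buffer(local.data, local.len)) return -1;  /* abort, do not clamp */
    if (!in_work_buffer(local.status, sizeof *local.status)) return -1;

    if (dma) dma(shared_req);               /* too late: the shared copy is never re-read */

    memset(local.data, 0, local.len);
    *local.status = 0;
    return 0;
}

/* Attacker's DMA write: point both fields at SMRAM. */
static void dma_redirect_to_smram(usb_request_t *r)
{
    r->data   = (uint8_t *)g_smram;
    r->len    = 16;
    r->status = &g_smram[4];
}

enum { TAMPER_BEFORE = 0, TAMPER_DURING = 1 };

/* Runs one transaction with the tamper applied either before the handler
 * starts or between its check and its use. Returns 1 if every SMRAM word
 * still holds the canary, 0 if the handler wrote into SMRAM. */
static int run_scenario(bool hardened, int when, int *rc_out)
{
    memset(g_work, 0, sizeof g_work);
    for (size_t i = 0; i < SMRAM_WORDS; i++) g_smram[i] = SMRAM_CANARY;

    usb_request_t *req = (usb_request_t *)g_work;  /* request lives in the working buffer */
    req->data   = g_work + 256;
    req->len    = 64;
    req->status = (uint32_t *)(g_work + 512);

    if (when == TAMPER_BEFORE) dma_redirect_to_smram(req);
    dma_hook_t hook = (when == TAMPER_DURING) ? dma_redirect_to_smram : NULL;

    int rc = hardened ? handle_hardened(req, hook) : handle_vulnerable(req, hook);
    if (rc_out) *rc_out = rc;

    for (size_t i = 0; i < SMRAM_WORDS; i++)
        if (g_smram[i] != SMRAM_CANARY) return 0;
    return 1;
}

int smram_intact_after(bool hardened, int when) { return run_scenario(hardened, when, NULL); }
int handler_rc(bool hardened, int when) { int rc; run_scenario(hardened, when, &rc); return rc; }

int main(void)
{
    static const char *names[] = { "before", "during" };
    for (int h = 0; h < 2; h++)
        for (int w = 0; w < 2; w++)
            printf("%-10s handler, tamper %s: smram intact=%d rc=%d\n",
                   h ? "hardened" : "vulnerable", names[w],
                   smram_intact_after(h, w), handler_rc(h, w));
    return 0;
}
```

The order in the hardened handler is what matters: copy into SMRAM, then validate the copy, then use the copy. Validating the shared buffer and copying afterwards reproduces the race, and clamping an out-of-range pointer instead of rejecting the request is what turns "unknown pointer" into "keep going". Even the hardened version still treats the payload bytes in the working buffer as untrusted; what it guarantees is only that the handler's own writes stay inside memory it owns.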
Potential Impact
For European organizations, this vulnerability matters wherever fleets run hardware built on affected Insyde firmware releases. An attacker who already has local access and a way to issue DMA, either a malicious or compromised device or control of a DMA engine from a privileged position on the host, can use it to gain code execution in SMM, from where OS security controls can be bypassed, sensitive data read, persistent malware implanted, or the system disrupted. That is most concerning for sectors with high-value targets such as finance, critical infrastructure, government and defence. Because SMM sits below the operating system and hypervisor, a compromise there undermines the trusted computing base that the rest of the stack relies on; runtime corruption of SMRAM is also not something measured boot records, so TPM-based attestation of the boot firmware does not by itself reveal an active exploit, and OS-level incident response and forensics cannot see into SMM at all. Environments with shared physical access, malicious insiders, or untrusted peripherals are at higher risk, as are organizations of strategic importance that could be singled out for targeted attacks. The absence of known exploitation in the wild lowers the immediate risk but not the severity of the outcome should exploitation occur.
Mitigation Recommendations
European organizations should prioritize updating firmware to the fixed Insyde kernel builds (5.0: 05.09.21, 5.1: 05.17.21, 5.2: 05.27.21, 5.3: 05.36.21, 5.4: 05.44.21, 5.5: 05.52.21). The Insyde kernel version is normally not what a system reports as its BIOS version, so work with the OEM to identify which of its BIOS releases carries the fix, and verify deployed versions from the inventory (for example `dmidecode -s bios-version` on Linux or `Get-CimInstance -ClassName Win32_BIOS` on Windows). Restricting physical and local access to critical systems reduces exposure, since the attack needs local presence and DMA capability. An IOMMU with kernel and pre-boot DMA protection raises the bar for rogue external devices by limiting which memory a device can reach, but it does not close this bug: the USB working buffer is deliberately DMA-reachable by the host controller, and an attacker who already controls the kernel can program the host controller itself, so the firmware update remains the actual fix. SMM execution is invisible to the operating system, so there is no "SMM behaviour" to log; realistic detection is limited to inventory of firmware versions and control of what is plugged in, so log USB device attach events and alert on unexpected devices. Harden supply-chain and endpoint policies to keep DMA-capable malicious devices out, and in highly sensitive environments disable unused USB and Thunderbolt ports or enforce USB device allowlisting. An up-to-date asset inventory that records hardware model and firmware version is what makes targeted remediation possible.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2022-05-04T00:00:00.000Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d983bc4522896dcbee04e
Added to database: 5/21/2025, 9:09:15 AM
Last enriched: 7/2/2025, 4:29:38 AM
Last updated: 8/14/2025, 6:48:10 PM
Related Threats
- CVE-2025-3495: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Delta Electronics COMMGR (Critical)
- CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
- CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)