CVE-2022-34302

A flaw was found in New Horizon Datasys bootloaders before 2022-06-01. An attacker may use this bootloader to bypass or tamper with Secure Boot protections. In order to load and execute arbitrary code in the pre-boot stage, an attacker simply needs to replace the existing signed bootloader currently in use with this bootloader. Access to the EFI System Partition is required for booting using external media.

Published: Aug 26, 2022
Updated: Apr 14, 2023
CVE: CVE-2022-34302
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.7
AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
horizondatasys / uefi_bootloader	-	2022-06-01
redhat / enterprise_linux	7.0	7.0.x
redhat / enterprise_linux	8.0	8.0.x
redhat / enterprise_linux	9.0	9.0.x
microsoft / windows_server_2012	r2	r2.x
microsoft / windows_10	1607	1607.x
microsoft / windows_10	1809	1809.x
microsoft / windows_10	20h2	20h2.x
microsoft / windows_server_2016	20h2	20h2.x
microsoft / windows_10	21h1	21h1.x
microsoft / windows_10	21h2	21h2.x

Vulnerability Database

290,301

CVE-2022-34302