Executive Summary

This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, see the CWE/SANS Top 25 list.
Summary

Title: Tianocore UEFI implementation reclaim function vulnerable to buffer overflow

Information

Name: VU#533140                 First vendor Publication: 2015-01-05
Vendor: VU-CERT                 Last vendor Modification: 2015-02-03
Severity (Vendor): N/A          Revision: M

Security-Database Scoring CVSS v3

CVSS vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Overall CVSS Score: 6.8
Base Score: 6.8                 Environmental Score: 6.8
Impact Sub Score: 5.9           Temporal Score: 6.8
Exploitability Sub Score: 0.9

Attack Vector: Physical         Attack Complexity: Low
Privileges Required: None       User Interaction: None
Scope: Unchanged                Confidentiality Impact: High
Integrity Impact: High          Availability Impact: High

Security-Database Scoring CVSS v2

CVSS vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score: 4.6            Attack Range: Local
CVSS Impact Score: 6.4          Attack Complexity: Low
CVSS Exploit Score: 3.9         Authentication: None Required

Detail

Vulnerability Note VU#533140

Tianocore UEFI implementation reclaim function vulnerable to buffer overflow

Original Release date: 05 Jan 2015 | Last revised: 03 Feb 2015

Overview

The reclaim function in the Tianocore open source implementation of UEFI contains a buffer overflow vulnerability.

Description

The open source Tianocore project provides a reference implementation of the Unified Extensible Firmware Interface (UEFI). Some commercial UEFI implementations incorporate portions of the Tianocore source code.

According to Rafal Wojtczuk of Bromium and Corey Kallenberg of The MITRE Corporation, a buffer overflow vulnerability exists in the Reclaim function. Corey Kallenberg describes the vulnerability as follows:

    "UEFI utilizes various non-volatile variables to communicate information back and forth between the operating system and the firmware; for instance, boot order, platform language, etc. These non-volatile variables are stored in a file-system like region on the SPI flash chip. This file-system supports many operations such as deleting existing variables, creating new variables, and defragmenting the variable region in order to reclaim unused space. This latter operation is important to ensure that large variables can be created in the event the variable region is resource constrained and fragmented with many unused "free slots."

    We have discovered a buffer overflow associated with this 'reclaim' operation."

Please note that this issue is unlikely to be directly exposed to an attacker. In order to exploit this issue, a separate vulnerability must allow prior modification of the SPI flash to enable the attacker to introduce valid variable headers after the end of the variable storage area.
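To make the bound the note describes concrete, here is an added illustration (not Tianocore/EDK2 code and not the revision 16280 fix) of a reclaim walk over a simplified, constructed variable-store layout: every header, and the data it announces, must fit inside the declared variable region, so a valid-looking header placed after the end of the region is never followed or copied. The header layout, the marker and state constants, and the fixture in reclaim_demo are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Constructed, simplified layout for illustration; not the EDK2 header format. */
#define START_ID  0x55AA
#define VAR_ADDED 0x3F   /* live; any other state is reclaimable free space */
typedef struct {
    uint16_t start_id;
    uint8_t  state;
    uint8_t  reserved;
    uint32_t data_size;  /* payload bytes following the header */
} var_header_t;
/* Accept the header at off only if it and its data fit inside [store, store + store_size);
   a valid-looking header past the end, or data that would run past it, is ignored. */
static int header_at(const uint8_t *store, size_t store_size, size_t off, var_header_t *h)
{
    if (off > store_size || store_size - off < sizeof *h) return 0;
    memcpy(h, store + off, sizeof *h);  /* copy out: no unaligned reads */
    if (h->start_id != START_ID) return 0;
    return h->data_size <= store_size - off - sizeof *h;
}
/* Compact live variables into out. Returns bytes written, or -1 if out is too small. */
long reclaim(const uint8_t *store, size_t store_size, uint8_t *out, size_t out_size)
{
    size_t off = 0, written = 0;
    var_header_t h;
    while (header_at(store, store_size, off, &h)) {
        size_t len = sizeof h + h.data_size;
        if (h.state == VAR_ADDED) {
            if (out_size - written < len) return -1;
            memcpy(out + written, store + off, len);
            written += len;
        }
        off += len;
    }
    return (long)written;
}
/* Constructed fixture: 64-byte backing buffer with a live 4-byte variable at offset 0,
   a deleted 8-byte one at 12 and another live 4-byte one at 28; only the first
   store_size bytes count as the variable region, the rest models flash past its end. */
long reclaim_demo(size_t store_size)
{
    uint8_t backing[64] = {0}, out[64] = {0};
    var_header_t live = { START_ID, VAR_ADDED, 0, 4 }, dead = { START_ID, 0x3D, 0, 8 };
    memcpy(backing, &live, sizeof live);
    memcpy(backing + 12, &dead, sizeof dead);
    memcpy(backing + 28, &live, sizeof live);
    return reclaim(backing, store_size, out, sizeof out);
}
```

With a 28-byte region the entry at offset 28 lies outside the store and is skipped; with a 36-byte region its header fits but its data would overrun, so it is skipped too; only with a 40-byte region is it reclaimed.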

Impact

The consequences and exploitability of this bug will vary based on the particular firmware implementation. A local attacker may be able to perform an arbitrary reflash of the platform firmware and escalate privileges or perform a denial of service attack by rendering the system inoperable.

Solution

The vulnerable code is patched in EDK2 SVN revision 16280. This issue is still present in EDK1, which is no longer supported. Vendor-specific UEFI firmware derived from Tianocore may be affected.

Please see the Vendor Information section below to determine if your system may be affected. We are continuing to communicate with vendors as they investigate these vulnerabilities.

Vendor Information

Vendor                                  Status        Date Notified  Date Updated
Insyde Software Corporation             Affected      12 Sep 2014    03 Feb 2015
American Megatrends Incorporated (AMI)  Not Affected  12 Sep 2014    08 Dec 2014
Apple Inc.                              Not Affected  12 Sep 2014    16 Dec 2014
Dell Computer Corporation, Inc.         Not Affected  12 Sep 2014    21 Jan 2015
IBM Corporation                         Not Affected  12 Sep 2014    16 Dec 2014
Intel Corporation                       Not Affected  12 Sep 2014    19 Dec 2014
Lenovo                                  Not Affected  12 Sep 2014    21 Jan 2015
Phoenix Technologies Ltd.               Not Affected  12 Sep 2014    19 Dec 2014
AsusTek Computer Inc.                   Unknown       12 Sep 2014    12 Sep 2014
Gateway                                 Unknown       12 Sep 2014    12 Sep 2014
Hewlett-Packard Company                 Unknown       12 Sep 2014    12 Sep 2014
Sony Corporation                        Unknown       12 Sep 2014    12 Sep 2014
Toshiba                                 Unknown       12 Sep 2014    12 Sep 2014
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score  Vector
Base           6.0    AV:L/AC:H/Au:S/C:C/I:C/A:C
Temporal       5.1    E:U/RL:ND/RC:ND
Environmental  3.8    CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

  • https://github.com/tianocore/edk/blob/master/Sample/Universal/Variable/RuntimeDxe/FS/FSVariable.c#L348-L352
  • http://sourceforge.net/p/edk2/code/16280/
  • http://tianocore.sourceforge.net/wiki/Security
  • http://support.lenovo.com/us/en/product_security/uefi_variable_reclaim

Credit

Thanks to Rafal Wojtczuk of Bromium and Corey Kallenberg of The MITRE Corporation for reporting this vulnerability.

Other Information

  • CVE IDs: CVE-2014-8271
  • Date Public: 28 Dec 2014
  • Date First Published: 05 Jan 2015
  • Date Last Updated: 03 Feb 2015
  • Document Revision: 53

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/533140

CWE : Common Weakness Enumeration

%      Id       Name
100 %  CWE-120  Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (CWE/SANS Top 25)

CPE : Common Platform Enumeration

Type         Description  Count
Application               2

Alert History

Date                 Information
2020-05-23 13:03:47
  • Multiple Updates
2015-02-03 17:21:43
  • Multiple Updates
2015-01-21 21:22:14
  • Multiple Updates
2015-01-21 17:21:41
  • Multiple Updates
2015-01-14 21:22:24
  • Multiple Updates
2015-01-12 21:26:29
  • Multiple Updates
2015-01-05 17:22:20
  • First insertion