Executive Summary

This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS.
Summary

Title: UEFI EDK2 Capsule Update vulnerabilities

Information

Name: VU#552286
Vendor: VU-CERT
Severity (Vendor): N/A
First vendor publication: 2014-08-07
Last vendor modification: 2014-10-02
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Overall CVSS Score: 6.8
Base Score: 6.8
Environmental Score: 6.8
Impact Sub Score: 5.9
Temporal Score: 6.8
Exploitability Sub Score: 0.9

Attack Vector: Physical
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High

Security-Database Scoring CVSS v2

CVSS vector: (AV:L/AC:L/Au:N/C:C/I:C/A:C)

CVSS Base Score: 7.2
CVSS Impact Score: 10
CVSS Exploit Score: 3.9
Attack Range: Local
Attack Complexity: Low
Authentication: None Required

Detail

Vulnerability Note VU#552286

UEFI EDK2 Capsule Update vulnerabilities

Original Release date: 07 Aug 2014 | Last revised: 02 Oct 2014

Overview

The EDK2 UEFI reference implementation contains multiple vulnerabilities in the Capsule Update mechanism.

Description

The open source EDK2 project provides a reference implementation of the Unified Extensible Firmware Interface (UEFI). Researchers at The MITRE Corporation have discovered multiple vulnerabilities in the EDK2 Capsule Update mechanism. Commercial UEFI implementations may incorporate portions of the EDK2 source code, including the vulnerable Capsule Update code.

Buffer overflow in Capsule Processing Phase - CVE-2014-4859
During the Driver Execution Environment (DXE) phase of the UEFI boot process, the contents of the capsule image are parsed during processing. An integer overflow vulnerability exists in the capsule processing phase that can cause the allocation of a buffer to be unexpectedly small. As a result, attacker-controlled data can be written past the bounds of the buffer.

Write-what-where condition in Coalescing Phase - CVE-2014-4860
During the Pre-EFI Initialization (PEI) phase of the UEFI boot process, the capsule update is coalesced into its original form. Multiple integer overflow vulnerabilities exist in the coalescing phase that can be used to trigger a write-what-where condition.
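Both CVEs above come down to size arithmetic on attacker-supplied header fields that wraps in 32 bits. The following is an added example, not EDK2 code and not the real EFI_CAPSULE_HEADER layout: a constructed capsule-style header (DemoCapsuleHeader, RecordCount, RecordSize are hypothetical names) with the wrapping computation next to a hardened version that checks the arithmetic and bounds the declared size against the bytes actually received.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed capsule-style header for this example; it is NOT the real
 * EFI_CAPSULE_HEADER layout. The image is a header followed by RecordCount
 * records of RecordSize bytes each. */
typedef struct {
    uint32_t RecordCount;
    uint32_t RecordSize;
} DemoCapsuleHeader;

#define DEMO_HEADER_SIZE ((uint32_t)sizeof(DemoCapsuleHeader))

/* The pattern the advisory describes: 32-bit arithmetic on attacker-supplied
 * fields wraps, so the buffer allocated from this value is far smaller than
 * the data that is later copied into it. */
uint32_t vulnerable_alloc_size(const DemoCapsuleHeader *h)
{
    return DEMO_HEADER_SIZE + h->RecordCount * h->RecordSize; /* may wrap */
}

/* Hardened form: widen before multiplying, reject anything that would not fit
 * in a UINT32, and also reject a header that claims more payload than the
 * image actually delivered. Returns false when the capsule must be rejected. */
bool safe_alloc_size(const DemoCapsuleHeader *h, uint32_t image_len, uint32_t *out)
{
    uint64_t payload = (uint64_t)h->RecordCount * (uint64_t)h->RecordSize;
    if (payload > (uint64_t)(UINT32_MAX - DEMO_HEADER_SIZE))
        return false;                       /* multiply or add would wrap */
    uint32_t total = DEMO_HEADER_SIZE + (uint32_t)payload;
    if (total > image_len)
        return false;                       /* declared size exceeds received bytes */
    *out = total;
    return true;
}

/* Entry point a DXE-style handler would call before allocating: parse the
 * header out of the raw image bytes and validate the size it implies. */
bool validate_capsule_image(const uint8_t *img, uint32_t img_len, uint32_t *alloc_size)
{
    DemoCapsuleHeader h;
    if (img == NULL || img_len < DEMO_HEADER_SIZE)
        return false;                       /* truncated image: no complete header */
    memcpy(&h, img, sizeof h);              /* avoid unaligned access on the raw buffer */
    return safe_alloc_size(&h, img_len, alloc_size);
}
```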

For more details, please refer to MITRE's vulnerability note.

Impact

A local authenticated attacker may be able to execute arbitrary code with the privileges of system firmware, potentially allowing persistent firmware-level rootkits, bypass of Secure Boot, or a permanent denial of service against the platform.

Solution

Please see the Vendor Information section below to determine if your system may be affected. We are continuing to communicate with vendors as they investigate these vulnerabilities.

Vendor Information

Vendor                                  Status        Date Notified  Date Updated
American Megatrends Incorporated (AMI)  Affected      22 Jul 2014    01 Aug 2014
Hewlett-Packard Company                 Affected      09 Jul 2014    12 Aug 2014
Lenovo                                  Affected      22 Jul 2014    02 Oct 2014
Phoenix Technologies Ltd.               Affected      22 Jul 2014    05 Aug 2014
Dell Computer Corporation, Inc.         Not Affected  22 Jul 2014    12 Aug 2014
Insyde Software Corporation             Not Affected  22 Jul 2014    24 Jul 2014
Intel Corporation                       Not Affected  03 Dec 2013    19 Sep 2014
Apple Inc.                              Unknown       22 Jul 2014    22 Jul 2014
IBM Corporation                         Unknown       22 Jul 2014    22 Jul 2014
NEC Corporation                         Unknown       22 Jul 2014    22 Jul 2014
Sony Corporation                        Unknown       22 Jul 2014    22 Jul 2014
Toshiba                                 Unknown       22 Jul 2014    22 Jul 2014

CVSS Metrics

Group          Score  Vector
Base           6.0    AV:L/AC:H/Au:S/C:C/I:C/A:C
Temporal       5.4    E:POC/RL:ND/RC:C
Environmental  7.3    CDP:MH/TD:H/CR:ND/IR:H/AR:ND

References

  • http://tianocore.sourceforge.net/wiki/EDK2
  • http://www.uefi.org/
  • https://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/bios-extreme-privilege-escalation

Credit

Thanks to Corey Kallenberg, Xeno Kovah, John Butterworth, and Sam Cornwell of the MITRE Corporation for reporting this vulnerability. Thanks also goes to Intel's Advanced Threat Research and Security Center of Excellence for assisting with industry notification and coordination.

This document was written by Todd Lewellen.

Other Information

  • CVE IDs: CVE-2014-4859, CVE-2014-4860
  • Date Public: 07 Aug 2014
  • Date First Published: 07 Aug 2014
  • Date Last Updated: 02 Oct 2014
  • Document Revision: 33


Original Source

Url : http://www.kb.cert.org/vuls/id/552286

CWE : Common Weakness Enumeration

%      Id       Name
100 %  CWE-190  Integer Overflow or Wraparound (CWE/SANS Top 25)

CPE : Common Platform Enumeration

Type         Description  Count
Application               1

Alert History

Date                 Information
2020-05-23 13:03:47
  • Multiple Updates
2014-10-02 17:23:17
  • Multiple Updates
2014-09-19 21:22:23
  • Multiple Updates
2014-09-11 21:23:20
  • Multiple Updates
2014-08-12 17:20:25
  • Multiple Updates
2014-08-11 17:20:55
  • Multiple Updates
2014-08-07 21:22:43
  • First insertion