
CERT Coordination Center

UEFI EDK2 Capsule Update vulnerabilities

Vulnerability Note VU#552286

Original Release Date: 2014-08-07 | Last Revised: 2015-10-22

Overview

The EDK2 UEFI reference implementation contains multiple vulnerabilities in the Capsule Update mechanism.

Description

The open source EDK2 project provides a reference implementation of the Unified Extensible Firmware Interface (UEFI). Researchers at The MITRE Corporation have discovered multiple vulnerabilities in the EDK2 Capsule Update mechanism. Commercial UEFI implementations may incorporate portions of the EDK2 source code, including the vulnerable Capsule Update code.

Buffer overflow in Capsule Processing Phase - CVE-2014-4859
During the Driver Execution Environment (DXE) phase of the UEFI boot process, the contents of the capsule image are parsed. An integer overflow in the capsule processing phase can cause the buffer allocated for the parsed contents to be unexpectedly small, so attacker-controlled data is written past the end of that buffer.

Write-what-where condition in Coalescing Phase - CVE-2014-4860
During the Pre-EFI Initialization (PEI) phase of the UEFI boot process, the fragments of the capsule update are coalesced back into a contiguous image. Multiple integer overflows in the coalescing phase can be used to trigger a write-what-where condition, i.e. an attacker-chosen value written to an attacker-chosen address.

For more details, please refer to MITRE's vulnerability note.
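Both bug classes above come down to size and offset arithmetic on attacker-controlled 32-bit length fields. The following C program is an added illustration written for this note, not EDK2 code: the structures are simplified assumptions (a fragment with a length, a destination offset and a data pointer; a real UEFI capsule block descriptor carries a length and a physical address), and the functions show the unchecked summation that produces an undersized allocation next to overflow-checked accumulation and a 64-bit bounds check for the coalescing copy.

```c
/* Illustrative model of the two capsule-update bug classes in VU#552286:
 * a total computed from attacker-controlled 32-bit lengths that wraps
 * (undersized allocation, as in CVE-2014-4859), and a fragment placed by an
 * unchecked offset+length during coalescing (write-what-where, as in
 * CVE-2014-4860). Structures and field names are assumptions for this
 * example, not EDK2's definitions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint32_t       length;  /* bytes in this fragment (attacker-controlled) */
    uint32_t       offset;  /* destination offset in the coalesced image (assumed field) */
    const uint8_t *data;    /* fragment bytes (assumed; a real descriptor holds a physical address) */
} fragment_t;

/* Vulnerable pattern: 32-bit accumulation with no overflow check. Lengths that
 * sum past 2^32 wrap to a small total, so a buffer sized from it is far
 * smaller than the data copied into it afterwards. */
uint32_t total_size_vulnerable(const fragment_t *f, size_t n)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += f[i].length;
    return total;
}

/* Hardened pattern: overflow-checked accumulation plus a policy cap on the
 * largest capsule the platform is willing to process. */
bool total_size_checked(const fragment_t *f, size_t n, uint32_t max_capsule, uint32_t *out)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t sum;
        if (__builtin_add_overflow(total, f[i].length, &sum) || sum > max_capsule)
            return false;
        total = sum;
    }
    *out = total;
    return true;
}

/* Bounds check for the coalescing copy: offset + length is evaluated in 64
 * bits so it cannot wrap, and the fragment must end inside the destination. */
bool fragment_fits(const fragment_t *f, uint32_t dest_size)
{
    uint64_t end = (uint64_t)f->offset + f->length;
    return end <= dest_size;
}

/* Coalesce fragments into dest only when every write is in bounds. The
 * unchecked variant (memcpy to dest + offset with a wrapped offset+length)
 * is the write-what-where the note describes; it is deliberately not run here. */
bool coalesce_checked(const fragment_t *f, size_t n, uint8_t *dest, uint32_t dest_size)
{
    for (size_t i = 0; i < n; i++) {
        if (!fragment_fits(&f[i], dest_size))
            return false;
        memcpy(dest + f[i].offset, f[i].data, f[i].length);
    }
    return true;
}

/* Constructed malicious descriptor list: two lengths whose sum wraps to 0x10. */
uint32_t example_wrapped_total(void)
{
    const fragment_t evil[2] = { { 0xFFFFFFF0u, 0, NULL }, { 0x20u, 0, NULL } };
    return total_size_vulnerable(evil, 2);   /* 0x10: a 16-byte allocation */
}

/* The same list is refused by the checked accumulation. */
bool example_checked_rejects(void)
{
    const fragment_t evil[2] = { { 0xFFFFFFF0u, 0, NULL }, { 0x20u, 0, NULL } };
    uint32_t total = 0;
    return !total_size_checked(evil, 2, 64u * 1024u * 1024u, &total);
}

/* Constructed benign capsule split into two fragments; reassembles "HEADERPAYLOAD". */
bool example_coalesce_ok(void)
{
    static const uint8_t a[] = "HEADER", b[] = "PAYLOAD";
    const fragment_t good[2] = { { 6, 0, a }, { 7, 6, b } };
    uint8_t dest[14] = {0};
    return coalesce_checked(good, 2, dest, sizeof dest) &&
           memcmp(dest, "HEADERPAYLOAD", 13) == 0;
}

/* A fragment whose offset+length wraps past 2^32 is refused before any copy. */
bool example_coalesce_rejects(void)
{
    static const uint8_t a[] = "X";
    const fragment_t evil[1] = { { 0x20u, 0xFFFFFFF0u, a } };
    uint8_t dest[64] = {0};
    return !coalesce_checked(evil, 1, dest, sizeof dest);
}

int main(void)
{
    printf("vulnerable total: 0x%x\n", example_wrapped_total());
    printf("checked rejects: %d, coalesce ok: %d, coalesce rejects: %d\n",
           example_checked_rejects(), example_coalesce_ok(), example_coalesce_rejects());
    return 0;
}
```

The point of the checked variants is that every size or offset derived from the capsule is treated as untrusted input: accumulate with overflow detection (or in a wider type), cap the result against a platform limit, and validate each destination range against the allocated buffer before the copy rather than trusting that the header and the descriptor list agree with each other.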

Impact

A local authenticated attacker may be able to execute arbitrary code with the privileges of the system firmware, potentially allowing persistent firmware-level rootkits, bypass of Secure Boot, or a permanent denial of service that leaves the platform unbootable.

Solution

Please see the Vendor Information section below to determine if your system may be affected. We are continuing to communicate with vendors as they investigate these vulnerabilities.

Vendor Information


CVSS Metrics

Group         Score   Vector (CVSS v2)
Base          6.0     AV:L/AC:H/Au:S/C:C/I:C/A:C
Temporal      5.4     E:POC/RL:ND/RC:C
Environmental 7.3     CDP:MH/TD:H/CR:ND/IR:H/AR:ND

Acknowledgements

Thanks to Corey Kallenberg, Xeno Kovah, John Butterworth, and Sam Cornwell of the MITRE Corporation for reporting these vulnerabilities. Thanks also go to Intel's Advanced Threat Research and Security Center of Excellence for assisting with industry notification and coordination.

This document was written by Todd Lewellen.

Other Information

CVE IDs: CVE-2014-4859, CVE-2014-4860
Date Public: 2014-08-07
Date First Published: 2014-08-07
Date Last Updated: 2015-10-22 16:04 UTC
Document Revision: 42

Sponsored by CISA.