Vulnerability Note VU#533140
Tianocore UEFI implementation reclaim function vulnerable to buffer overflow
The reclaim function in the Tianocore open source implementation of UEFI contains a buffer overflow vulnerability.
The open source Tianocore project provides a reference implementation of the Unified Extensible Firmware Interface (UEFI). Some commercial UEFI implementations incorporate portions of the Tianocore source code.
According to Rafal Wojtczuk of Bromium and Corey Kallenberg of The MITRE Corporation, a buffer overflow vulnerability exists in the Reclaim function. Corey Kallenberg describes the vulnerability as follows:
"We have discovered a buffer overflow associated with this 'reclaim' operation."
Please note that this issue is unlikely to be directly exposed to an attacker. In order to exploit this issue, a separate vulnerability must allow prior modification of the SPI flash to enable the attacker to introduce valid variable headers after the end of the variable storage area.
The consequences and exploitability of this bug will vary based on the particular firmware implementation. A local attacker may be able to perform an arbitrary reflash of the platform firmware and escalate privileges or perform a denial of service attack by rendering the system inoperable.
The vulnerable code is patched in EDK2 SVN revision 16280. This issue is still present in EDK1, which is no longer supported. Vendor-specific UEFI firmware derived from Tianocore may be affected.
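The precondition described above (valid variable headers placed after the end of the variable storage area) points at two checks a reclaim-style copy needs: the header walk must stop at the store's declared end, and every copy must fit in the space left in the destination buffer. The C code below is an added example, not the Tianocore source or the revision 16280 patch; the record layout, constants and function names are hypothetical, and the flash contents are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record layout for this example only (not the EDK2 structures). */
#define REC_MAGIC 0x55AAu
#define REC_LIVE  0x01u
#define REC_DEAD  0x02u
typedef struct { uint16_t magic; uint8_t state; uint8_t data_len; } rec_hdr;

/* Copy live records from store[0..store_len) into dst, dropping deleted ones.
 * Returns bytes written, or -1 if a record crosses the store end or dst is full. */
long reclaim_bounded(const uint8_t *store, size_t store_len, uint8_t *dst, size_t dst_len)
{
    size_t off = 0, out = 0;
    while (store_len - off >= sizeof(rec_hdr)) {
        rec_hdr h;
        memcpy(&h, store + off, sizeof h);      /* no unaligned reads */
        if (h.magic != REC_MAGIC)
            break;                              /* end of the record chain */
        size_t rec_len = sizeof h + h.data_len;
        if (rec_len > store_len - off)
            return -1;                          /* record runs past the store end */
        if (h.state == REC_LIVE) {
            if (rec_len > dst_len - out)
                return -1;                      /* would overflow the reclaim buffer */
            memcpy(dst + out, store + off, rec_len);
            out += rec_len;
        }
        off += rec_len;
    }
    return (long)out;
}

/* Write one constructed record at p; returns its total length. */
size_t put_rec(uint8_t *p, uint8_t state, uint8_t data_len)
{
    rec_hdr h = { REC_MAGIC, state, data_len };
    memcpy(p, &h, sizeof h);
    memset(p + sizeof h, 0xAB, data_len);
    return sizeof h + data_len;
}

int main(void)
{
    uint8_t flash[64] = {0}, spare[16];
    size_t n = put_rec(flash, REC_LIVE, 4);     /* inside the 16-byte store */
    n += put_rec(flash + n, REC_DEAD, 4);       /* store ends here (n == 16) */
    put_rec(flash + n, REC_LIVE, 20);           /* constructed header past the end */
    printf("walk to store end: %ld\n", reclaim_bounded(flash, 16, spare, sizeof spare));
    printf("walk past store end: %ld\n", reclaim_bounded(flash, sizeof flash, spare, sizeof spare));
    return 0;
}
```

When the walk is limited to the 16-byte store, the record planted beyond it is never parsed; when the caller passes the whole 64-byte region instead, the destination check rejects the copy rather than writing past the 16-byte spare buffer.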
Vendor Information

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Insyde Software Corporation | Affected | 12 Sep 2014 | 03 Feb 2015 |
| American Megatrends Incorporated (AMI) | Not Affected | 12 Sep 2014 | 08 Dec 2014 |
| Apple Inc. | Not Affected | 12 Sep 2014 | 16 Dec 2014 |
| Dell Computer Corporation, Inc. | Not Affected | 12 Sep 2014 | 21 Jan 2015 |
| IBM Corporation | Not Affected | 12 Sep 2014 | 16 Dec 2014 |
| Intel Corporation | Not Affected | 12 Sep 2014 | 19 Dec 2014 |
| Lenovo | Not Affected | 12 Sep 2014 | 21 Jan 2015 |
| Phoenix Technologies Ltd. | Not Affected | 12 Sep 2014 | 19 Dec 2014 |
| AsusTek Computer Inc. | Unknown | 12 Sep 2014 | 12 Sep 2014 |
| Gateway | Unknown | 12 Sep 2014 | 12 Sep 2014 |
| Hewlett-Packard Company | Unknown | 12 Sep 2014 | 12 Sep 2014 |
| Sony Corporation | Unknown | 12 Sep 2014 | 12 Sep 2014 |
| Toshiba | Unknown | 12 Sep 2014 | 12 Sep 2014 |
Thanks to Rafal Wojtczuk of Bromium and Corey Kallenberg of The MITRE Corporation for reporting this vulnerability.
- CVE IDs: CVE-2014-8271
- Date Public: 28 Dec 2014
- Date First Published: 05 Jan 2015
- Date Last Updated: 03 Feb 2015
- Document Revision: 53