Vulnerability Note VU#552286

UEFI EDK2 Capsule Update vulnerabilities

Original Release date: 07 Aug 2014 | Last revised: 16 Oct 2014

Overview

The EDK2 UEFI reference implementation contains multiple vulnerabilities in the Capsule Update mechanism.

Description

The open source EDK2 project provides a reference implementation of the Unified Extensible Firmware Interface (UEFI). Researchers at The MITRE Corporation have discovered multiple vulnerabilities in the EDK2 Capsule Update mechanism. Commercial UEFI implementations may incorporate portions of the EDK2 source code, including the vulnerable Capsule Update code.

Buffer overflow in Capsule Processing Phase - CVE-2014-4859
During the Drive Execution Environment (DXE) phase of the UEFI boot process, the contents of the capsule image are parsed during processing. An integer overflow vulnerability exists in the capsule processing phase that can cause the allocation of a buffer to be unexpectedly small. As a result, attacker-controlled data can be written past the bounds of the buffer.

Write-what-where condition in Coalescing Phase - CVE-2014-4860
During the Pre-EFI Initialization (PEI) phase of the UEFI boot process, the capsule update is coalesced into its original form. Multiple integer overflow vulnerabilities exist in the coalescing phase that can be used to trigger a write-what-where condition.

For more details, please refer to MITRE's vulnerability note.

Impact

A local authenticated attacker may be able to execute arbitrary code with the privileges of system firmware, potentially allowing for persistent firmware level rootkits, bypassing of Secure Boot, or permanently DoS'ing the platform.

Solution

Please see the Vendor Information section below to determine if your system may be affected. We are continuing to communicate with vendors as they investigate these vulnerabilities.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
American Megatrends Incorporated (AMI)Affected22 Jul 201401 Aug 2014
Hewlett-Packard CompanyAffected09 Jul 201412 Aug 2014
LenovoAffected22 Jul 201402 Oct 2014
Phoenix Technologies Ltd.Affected22 Jul 201405 Aug 2014
Dell Computer Corporation, Inc.Not Affected22 Jul 201416 Oct 2014
Insyde Software CorporationNot Affected22 Jul 201424 Jul 2014
Intel CorporationNot Affected03 Dec 201319 Sep 2014
Apple Inc.Unknown22 Jul 201422 Jul 2014
IBM CorporationUnknown22 Jul 201422 Jul 2014
NEC CorporationUnknown22 Jul 201422 Jul 2014
Sony CorporationUnknown22 Jul 201422 Jul 2014
ToshibaUnknown22 Jul 201422 Jul 2014
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base 6.0 AV:L/AC:H/Au:S/C:C/I:C/A:C
Temporal 5.4 E:POC/RL:ND/RC:C
Environmental 7.3 CDP:MH/TD:H/CR:ND/IR:H/AR:ND

References

Credit

Thanks to Corey Kallenberg, Xeno Kovah, John Butterworth, and Sam Cornwell of the MITRE Corporation for reporting this vulnerability. Thanks also goes to Intel's Advanced Threat Research and Security Center of Excellence for assisting with industry notification and coordination.

This document was written by Todd Lewellen.

Other Information

  • CVE IDs: CVE-2014-4859 CVE-2014-4860
  • Date Public: 07 Aug 2014
  • Date First Published: 07 Aug 2014
  • Date Last Updated: 16 Oct 2014
  • Document Revision: 36

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.