Vulnerability Note VU#552286
UEFI EDK2 Capsule Update vulnerabilities
The EDK2 UEFI reference implementation contains multiple vulnerabilities in the Capsule Update mechanism.
The open source EDK2 project provides a reference implementation of the Unified Extensible Firmware Interface (UEFI). Researchers at The MITRE Corporation have discovered multiple vulnerabilities in the EDK2 Capsule Update mechanism. Commercial UEFI implementations may incorporate portions of the EDK2 source code, including the vulnerable Capsule Update code.
Buffer overflow in Capsule Processing Phase - CVE-2014-4859
A local authenticated attacker may be able to execute arbitrary code with the privileges of system firmware, potentially allowing for persistent firmware level rootkits, bypassing of Secure Boot, or permanently DoS'ing the platform.
Please see the Vendor Information section below to determine if your system may be affected. We are continuing to communicate with vendors as they investigate these vulnerabilities.
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|American Megatrends Incorporated (AMI)||Affected||22 Jul 2014||01 Aug 2014|
|Hewlett-Packard Company||Affected||09 Jul 2014||12 Aug 2014|
|Lenovo||Affected||22 Jul 2014||02 Oct 2014|
|Phoenix Technologies Ltd.||Affected||22 Jul 2014||05 Aug 2014|
|Dell Computer Corporation, Inc.||Not Affected||22 Jul 2014||16 Oct 2014|
|Insyde Software Corporation||Not Affected||22 Jul 2014||24 Jul 2014|
|Intel Corporation||Not Affected||03 Dec 2013||19 Sep 2014|
|Apple Inc.||Unknown||22 Jul 2014||22 Jul 2014|
|IBM Corporation||Unknown||22 Jul 2014||22 Jul 2014|
|NEC Corporation||Unknown||22 Jul 2014||22 Jul 2014|
|Sony Corporation||Unknown||22 Jul 2014||22 Jul 2014|
|Toshiba||Unknown||22 Jul 2014||22 Jul 2014|
CVSS Metrics (Learn More)
Thanks to Corey Kallenberg, Xeno Kovah, John Butterworth, and Sam Cornwell of the MITRE Corporation for reporting this vulnerability. Thanks also goes to Intel's Advanced Threat Research and Security Center of Excellence for assisting with industry notification and coordination.
This document was written by Todd Lewellen.
- CVE IDs: CVE-2014-4859 CVE-2014-4860
- Date Public: 07 Aug 2014
- Date First Published: 07 Aug 2014
- Date Last Updated: 16 Oct 2014
- Document Revision: 36
If you have feedback, comments, or additional information about this vulnerability, please send us email.