The EDK2 UEFI reference implementation contains multiple vulnerabilities in the Capsule Update mechanism.
The open source EDK2 project provides a reference implementation of the Unified Extensible Firmware Interface (UEFI). Researchers at The MITRE Corporation have discovered multiple vulnerabilities in the EDK2 Capsule Update mechanism. Commercial UEFI implementations may incorporate portions of the EDK2 source code, including the vulnerable Capsule Update code.
Buffer overflow in Capsule Processing Phase - CVE-2014-4859
A local authenticated attacker may be able to execute arbitrary code with the privileges of system firmware, potentially allowing for persistent firmware level rootkits, bypassing of Secure Boot, or permanently DoS'ing the platform.
Please see the Vendor Information section below to determine if your system may be affected. We are continuing to communicate with vendors as they investigate these vulnerabilities.
Apple Inc. Affected
Dell Computer Corporation, Inc. Affected
Hewlett-Packard Company Affected
Phoenix Technologies Ltd. Affected
IBM Corporation Not Affected
Insyde Software Corporation Not Affected
Intel Corporation Not Affected
NEC Corporation Unknown
Sony Corporation Unknown
Thanks to Corey Kallenberg, Xeno Kovah, John Butterworth, and Sam Cornwell of the MITRE Corporation for reporting this vulnerability. Thanks also goes to Intel's Advanced Threat Research and Security Center of Excellence for assisting with industry notification and coordination.
This document was written by Todd Lewellen.