Intel Corporation Information for VU#533140
Tianocore UEFI implementation reclaim function vulnerable to buffer overflow
- Date Notified: 12 Sep 2014
- Statement Date:
- Date Updated: 19 Dec 2014
The originally reported issue in FSVariable.c only affects functionality where variable storage is emulated by an OS file system; it is not intended for production use. However, the same logic is used in other locations that are used in production.
Intel introduced changes in the EDK2 implementation (SVN 16280) and independently notified OEMs and BIOS vendors about this issue. Note that this issue would not normally be exposed; a separate vulnerability must allow modification of the non-volatile storage usually located on SPI flash, allowing the attacker to introduce valid variable headers after the end of the variable storage area.
At this time, Intel is not aware of any Intel-branded products that are affected by this issue.
We are not aware of further vendor information regarding this vulnerability.
There are no additional comments at this time.
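The condition in the statement above, variable headers that look valid but sit after the end of the variable storage area, can be modelled with a header-chain walk that accepts a record only when it lies wholly inside a given limit. This is an added example, not EDK2 code or anything from Intel: the `var_hdr` layout, `VAR_START_ID`, `live_bytes` and `sample` are hypothetical, and the flash contents are constructed. A walk limited only by the readable mapping follows the chain to 96 bytes, more than the 64-byte store holds, while a walk limited by the declared store size stops at 64.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Simplified, hypothetical record layout for illustration; not EDK2's. */
#define VAR_START_ID 0x55AAu
typedef struct {
    uint16_t start_id;   /* marks a candidate variable header */
    uint16_t state;
    uint32_t name_size;  /* bytes of name after the header */
    uint32_t data_size;  /* bytes of data after the name */
} var_hdr;

/* Sum chained record sizes, accepting a record only if it lies wholly in
 * [0, limit). Checks subtract from remaining room, so sizes cannot wrap. */
size_t live_bytes(const uint8_t *buf, size_t limit, size_t *count)
{
    size_t off = 0; *count = 0;
    while (limit - off >= sizeof(var_hdr)) {
        var_hdr h;
        memcpy(&h, buf + off, sizeof h);
        if (h.start_id != VAR_START_ID) break;          /* end of chain */
        size_t room = limit - off - sizeof h;
        if (h.name_size > room || h.data_size > room - h.name_size) break;
        off += sizeof h + h.name_size + h.data_size;    /* record fits */
        (*count)++;
    }
    return off;
}

/* Constructed sample: a 64-byte store holding two 32-byte records, then a
 * third well-formed record in the bytes after the store. Needs 128 bytes. */
size_t sample(uint8_t *buf, size_t buf_len)
{
    var_hdr h = { VAR_START_ID, 0, 4, 16 };
    memset(buf, 0xFF, buf_len);
    for (size_t off = 0; off < 96; off += 32)
        memcpy(buf + off, &h, sizeof h);
    return 64;                                          /* declared store size */
}

int main(void)
{
    uint8_t flash[128];
    size_t n, store = sample(flash, sizeof flash);
    printf("whole mapping: %zu\n", live_bytes(flash, sizeof flash, &n));
    printf("store only:    %zu\n", live_bytes(flash, store, &n));
    return 0;
}
```

A record that straddles the limit is rejected as well, so the walk never reports more bytes than the limit it was given.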