CERTVU:552286UEFI EDK2 Capsule Update vulnerabilities
7.2 High
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
6.8 Medium
CVSS3
Attack Vector
PHYSICAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.001 Low
EPSS
Percentile
33.1%
Overview
The EDK2 UEFI reference implementation contains multiple vulnerabilities in the Capsule Update mechanism.
Description
The open source EDK2 project provides a reference implementation of the Unified Extensible Firmware Interface (UEFI). Researchers at The MITRE Corporation have discovered multiple vulnerabilities in the EDK2 Capsule Update mechanism. Commercial UEFI implementations may incorporate portions of the EDK2 source code, including the vulnerable Capsule Update code.
Buffer overflow in Capsule Processing Phase - CVE-2014-4859
During the Drive Execution Environment (DXE) phase of the UEFI boot process, the contents of the capsule image are parsed during processing. An integer overflow vulnerability exists in the capsule processing phase that can cause the allocation of a buffer to be unexpectedly small. As a result, attacker-controlled data can be written past the bounds of the buffer.
Write-what-where condition in Coalescing Phase - CVE-2014-4860
During the Pre-EFI Initialization (PEI) phase of the UEFI boot process, the capsule update is coalesced into its original form. Multiple integer overflow vulnerabilities exist in the coalescing phase that can be used to trigger a write-what-where condition.
For more details, please refer to MITRE’s vulnerability note.
Impact
A local authenticated attacker may be able to execute arbitrary code with the privileges of system firmware, potentially allowing for persistent firmware level rootkits, bypassing of Secure Boot, or permanently DoS’ing the platform.
Solution
Please see the Vendor Information section below to determine if your system may be affected. We are continuing to communicate with vendors as they investigate these vulnerabilities.
Vendor Information
552286
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
American Megatrends Incorporated (AMI) __ Affected
Notified: July 22, 2014 Updated: August 01, 2014
Status
Affected
Vendor Statement
AMI has addressed the issue on a generic basis and is working with OEMs to implement fixes for projects in the field and production. End users should contact their board manufacturer for information on when a specific updated BIOS will be available.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Apple Inc. Affected
Notified: July 22, 2014 Updated: October 22, 2015
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
Dell Computer Corporation, Inc. __ Affected
Notified: July 22, 2014 Updated: October 28, 2014
Status
Affected
Vendor Statement
The security of our systems and customer information is a top priority for Dell. Dell is aware of the recent security concerns that MITRE published, and is reviewing these claims against our products. Dell will take appropriate action to resolve any security related issues found on our products and provide updates to our customers.
The vulnerability outlined by MITRE is not a Dell specific issue, but instead is a larger industry issue. An exploit of this vulnerability would have to be executed on a UEFI installed OS and executed under administrative privileges with driver-level access. Dell recommends that our customers use best security practices and lock down system admin modes as a standard part of their security process.
BIOS Details
Client Solutions (CS) commercial platforms do not use the UEFI code described in the MITRE vulnerability report during any BIOS or firmware update. The code exists in some client systems in a dormant state and may be discovered through binary analysis. Updated BIOS code has been developed to further quarantine this code during the boot process to mitigate any potential for indirect exploit. A list of BIOS update patches is included below for planning purposes and BIOS revisions are included (subject to change):
**Dell System** |
**BIOS Update** |
**Release Planned** |
|---|---|---|
Latitude 13 (3340) |
A03 |
Oct-14 |
Latitude 6430U |
A09 |
Oct-14 |
Latitude E5440/E5540 |
A09 |
Nov-14 |
Latitude E5530/E5430 |
A15 |
Oct-14 |
Latitude E6230/E6330/E6430S |
A14 |
Oct-14 |
Latitude E6530 |
A16 |
Oct-14 |
Latitude E6430 |
A16 |
Oct-14 |
Latitude E6440 |
A09 |
Nov-14 |
Latitude E6540 |
A12 |
Nov-14 |
Latitude E7240/E7440 |
A12 |
Nov-14 |
OptiPlex 3010 |
A13 |
Nov-14 |
OptiPlex 3011 AIO |
A06 |
Oct-14 |
OptiPlex 3020 |
A05 |
Oct-14 |
OptiPlex 7010/9010 |
A19 |
Oct-14 |
OptiPlex 7020/9020 |
A08 |
Oct-14 |
OptiPlex 9010 AIO |
A16 |
Oct-14 |
OptiPlex 9020 AIO |
A09 |
Oct-14 |
Precision Mobile Workstation M4700 |
A13 |
Oct-14 |
Precision Mobile Workstation M6700 |
A14 |
Oct-14 |
Precision Workstation R7610 |
A08 |
Nov-14 |
Precision Workstation T1650 |
A18 |
Nov-14 |
Precision Workstation T1700 |
A11 |
Oct-14 |
Precision Workstation T3610/T5610/T7610 |
A09 |
Nov-14 |
Precision Workstation M6800/M4800 |
A11 |
Nov-14 |
PowerEdge Server T20 |
A06 |
Nov-14 |
Venue 11 Pro (5130-32Bit) |
A09 |
Oct-14 |
Venue 11 Pro (5130-64Bit) |
A02 |
Oct-14 |
Venue 11 Pro (7130/7139) |
A13 |
Oct-14 |
Venue 8 Pro (5830) |
A09 |
Oct-14 |
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Hewlett-Packard Company __ Affected
Notified: July 09, 2014 Updated: August 12, 2014
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
Hewlett-Packard has released a list of affected systems.
Lenovo __ Affected
Notified: July 22, 2014 Updated: October 02, 2014
Status
Affected
Vendor Statement
Lenovo advises customers to view their advisory for more details.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
Phoenix Technologies Ltd. __ Affected
Notified: July 22, 2014 Updated: October 28, 2014
Status
Affected
Vendor Statement
“These issues affected our currently shipping SCT3 products and were fixed as of May 23, 2014, and the updates were promptly provided to our customers. We verified that our new SCT4 product is not affected by these issues.”
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
IBM Corporation Not Affected
Notified: July 22, 2014 Updated: July 28, 2015
Statement Date: October 30, 2014
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Insyde Software Corporation __ Not Affected
Notified: July 22, 2014 Updated: February 03, 2015
Status
Not Affected
Vendor Statement
"Insyde has reviewed the Insyde BIOS code and believes that our Capsule Update implementation is not affected by this vulnerability. However some customers might have enabled the TianoCore implementation of Capsule Update. For this reason, Insyde did update to the latest available TianoCore implementation of Capsule Update.
OEM and ODM customers are advised to contact their Insyde support representative for documentation and assistance.
End users are advised to contact the manufacturer of their equipment."
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Intel Corporation Not Affected
Notified: December 03, 2013 Updated: September 19, 2014
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
NEC Corporation Unknown
Notified: July 22, 2014 Updated: July 22, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Sony Corporation Unknown
Notified: July 22, 2014 Updated: July 22, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Toshiba Unknown
Notified: July 22, 2014 Updated: July 22, 2014
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
View all 12 vendors __View less vendors __
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 6 | AV:L/AC:H/Au:S/C:C/I:C/A:C |
| Temporal | 5.4 | E:POC/RL:ND/RC:C |
| Environmental | 7.3 | CDP:MH/TD:H/CR:ND/IR:H/AR:ND |
References
- <http://tianocore.sourceforge.net/wiki/EDK2>
- <http://www.uefi.org/>
- <https://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/bios-extreme-privilege-escalation>
Acknowledgements
Thanks to Corey Kallenberg, Xeno Kovah, John Butterworth, and Sam Cornwell of the MITRE Corporation for reporting this vulnerability. Thanks also goes to Intel’s Advanced Threat Research and Security Center of Excellence for assisting with industry notification and coordination.
This document was written by Todd Lewellen.
Other Information
| CVE IDs: | CVE-2014-4859, CVE-2014-4860 |
|---|---|
| Date Public: | 2014-08-07 Date First Published: |
Related
7.2 High
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
6.8 Medium
CVSS3
Attack Vector
PHYSICAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.001 Low
EPSS
Percentile
33.1%