Bug 1858038 (CVE-2019-14560)

Summary: CVE-2019-14560 edk2: Function GetEfiGlobalVariable2() return value not checked in DxeImageVerificationHandler()
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: berrange, crobinso, kraxel, pbonzini, virt-maint, virt-maint
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Text:
[REJECTED CVE] A secure boot bypass vulnerability was found in EDK2 due to the lack of proper return value checks in the GetEfiGlobalVariable2() function. The API may fail if functions like AllocatePool() or gRT->GetVariable() fail. Without verifying the return value, an attacker could cause the API to fail, potentially bypassing secure boot. This issue occurs in functions like DxeImageVerificationHandler, where the return value is not checked.
Bug Depends On: 1858039, 1858040, 1861743, 1861744, 1910520    
Bug Blocks: 1858041    

Description Pedro Sampaio 2020-07-16 20:59:41 UTC
A flaw was found in edk2. Function GetEfiGlobalVariable2() return value is not checked, possibly leading to secure boot bypass if an attacker can cause the API to fail.

References:

https://bugzilla.tianocore.org/show_bug.cgi?id=2167

Comment 1 Pedro Sampaio 2020-07-16 21:00:11 UTC
Created edk2 tracking bugs for this issue:

Affects: epel-all [bug 1858039]
Affects: fedora-all [bug 1858040]

Comment 4 Riccardo Schirone 2020-07-29 12:52:06 UTC
Proposed patch:
https://bugzilla.tianocore.org/attachment.cgi?id=405&action=diff

Comment 6 Riccardo Schirone 2020-07-29 13:12:56 UTC
In function DxeImageVerificationHandler() there is a call to GetEfiGlobalVariable2 (EFI_SECURE_BOOT_MODE_NAME, ...) but the return value is not checked. If an attacker is able to cause the API to fail it would allow him to bypass secure boot.
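
The unchecked-return pattern described in the comment above, shown next to a fail-closed variant. This is an added example, not part of the bug report and not EDK2 source: every name in it (`read_mode`, `decide_unchecked`, `decide_checked`, the status and decision enums) is a hypothetical stand-in, and treating "not found" as "Secure Boot not configured" is an assumption of this model.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model. All names here are hypothetical stand-ins, not EDK2 APIs. */
typedef enum { ST_SUCCESS, ST_NOT_FOUND, ST_OUT_OF_RESOURCES } status_t;
typedef enum { IMG_ALLOW, IMG_VERIFY, IMG_DENY } decision_t;

static uint8_t g_secure_boot_mode = 1;  /* constructed state: Secure Boot enabled */

/* Stand-in for a variable read that returns a status and fills an out-pointer.
 * 'simulate' forces the failure an allocation or variable-service error would cause. */
static status_t read_mode(status_t simulate, uint8_t **out)
{
    *out = NULL;
    if (simulate != ST_SUCCESS)
        return simulate;
    *out = &g_secure_boot_mode;
    return ST_SUCCESS;
}

/* Fail-open: the status is discarded, so every failure looks like "variable absent". */
decision_t decide_unchecked(status_t simulate)
{
    uint8_t *mode = NULL;
    (void)read_mode(simulate, &mode);
    if (mode == NULL)
        return IMG_ALLOW;               /* verification skipped on any error */
    return *mode ? IMG_VERIFY : IMG_ALLOW;
}

/* Fail-closed: only an explicit NOT_FOUND means Secure Boot was never configured
 * (a policy assumption of this model); every other failure denies the image. */
decision_t decide_checked(status_t simulate)
{
    uint8_t *mode = NULL;
    status_t st = read_mode(simulate, &mode);
    if (st == ST_NOT_FOUND)
        return IMG_ALLOW;
    if (st != ST_SUCCESS || mode == NULL)
        return IMG_DENY;
    return *mode ? IMG_VERIFY : IMG_ALLOW;
}

int main(void)
{
    printf("read fails, unchecked: %d\n", (int)decide_unchecked(ST_OUT_OF_RESOURCES));
    printf("read fails, checked:   %d\n", (int)decide_checked(ST_OUT_OF_RESOURCES));
    return 0;
}
```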

Comment 11 errata-xmlrpc 2023-11-07 08:12:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6330 https://access.redhat.com/errata/RHSA-2023:6330

Comment 12 errata-xmlrpc 2023-11-14 15:16:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:6919 https://access.redhat.com/errata/RHSA-2023:6919

Comment 14 errata-xmlrpc 2024-01-24 16:41:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0408 https://access.redhat.com/errata/RHSA-2024:0408

Comment 16 errata-xmlrpc 2024-03-19 17:30:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:1415 https://access.redhat.com/errata/RHSA-2024:1415