Bug 1956284 (CVE-2021-38575)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CVE-2021-38575 edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe | | |
| Product: | [Other] Security Response | Reporter: | Riccardo Schirone <rschiron> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | berrange, crobinso, dblechte, dfediuck, eedri, kraxel, lersek, mgoldboi, michal.skrivanek, pbonzini, philmd, sbonazzo, security-response-team, sherold, virt-maint, yturgema |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in edk2. Missing checks in the IScsiHexToBin function in NetworkPkg/IScsiDxe lead to a buffer overflow, allowing a remote attacker who can insert themselves into the communication between edk2 and the iSCSI target to write arbitrary data to any address in the edk2 firmware and potentially execute code. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-08-10 19:28:25 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1969442, 1956406, 1956407, 1956408, 1956409, 1956676, 1961100, 1969443, 1971481 | | |
| Bug Blocks: | 1935497, 1954596 | | |
Description
Riccardo Schirone
2021-05-03 11:51:38 UTC
Acknowledgments:

Name: Laszlo Ersek (Red Hat)

Upstream patches (still under review): https://bugzilla.tianocore.org/show_bug.cgi?id=3356#c5

When edk2 is configured to use iSCSI, it sends a Login Request to the defined target on the network (which can be configured statically or discovered through DHCP). The target and the initiator, implemented in the edk2 firmware, exchange CHAP messages to authenticate each other, or at least the initiator. The target, potentially malicious as its data come from the network, sends a challenge to the target hex-encoded. Function IScsiHexToBin is used to convert this challenge to its binary form. The attacker has control over the content of the input string and its length. The vulnerable function does not check if the data provided is enough or correctly formatted, nor if the output binary buffer is big enough to contain the challenge string provided by the target. Thus the attacker can effectively overwrite memory with whatever data he wants.

To trigger this flaw an attacker has to do a man-in-the-middle attack and modify/inject packets in the communication between the target and the initiator (edk2), or he has to control the target used by the configured firmware (e.g. compromising the server). For these reasons, Attack Complexity is set to High (AC:H).

Upstream v2 patches (under review): https://bugzilla.tianocore.org/show_bug.cgi?id=3356#c17

(In reply to Laszlo Ersek from comment #9)
> Upstream v2 patches (under review):
> https://bugzilla.tianocore.org/show_bug.cgi?id=3356#c17

Review complete; said patches can be backported.
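The decode step described in the report, written two ways as an added example. This is not edk2 code and does not reproduce IScsiHexToBin or its patches: hex_to_bin_unchecked() has the shape of the flaw class (it never learns the destination's capacity and never validates the digits), and hex_to_bin_checked() is the hardened form that tests every condition before writing a byte. The iSCSI text key CHAP_C and its "0x" hex-value prefix are from RFC 7143; the 16-byte challenge buffer, the newline-separated login text and the two sample responses are constructed for this example only.

```c
/* Added example, not edk2 code: a CHAP_C challenge decoder of the kind the
 * report describes, in flawed and hardened forms.  CHAP_C and the "0x"
 * prefix are RFC 7143; the buffer size and sample login texts are assumed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHALLENGE_CAP 16   /* assumed size of the initiator's challenge buffer */

typedef enum {
    HEX_OK = 0,
    HEX_ERR_MISSING,     /* no CHAP_C=0x... pair in the login text */
    HEX_ERR_EMPTY,       /* CHAP_C=0x with nothing after it */
    HEX_ERR_ODD_LENGTH,  /* digit count is not a whole number of bytes */
    HEX_ERR_BAD_DIGIT,   /* a character outside [0-9a-fA-F] */
    HEX_ERR_TOO_LONG     /* decoded bytes would not fit in out_cap */
} hex_status;

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Flaw-class decoder: it trusts the peer.  It is never told how big 'out'
 * is, so a challenge longer than the caller's buffer is written straight
 * past it, and a non-hex character is folded in as garbage (0xff nibbles)
 * instead of being rejected.  Returns how many bytes it wrote. */
static size_t hex_to_bin_unchecked(const char *hex, size_t hex_len, uint8_t *out)
{
    size_t n = hex_len / 2;
    for (size_t i = 0; i < n; i++)
        out[i] = (uint8_t)(((uint8_t)hexval(hex[2 * i]) << 4) |
                            (uint8_t)hexval(hex[2 * i + 1]));
    return n;
}

/* Hardened decoder: length, parity, digit validity and capacity are all
 * checked before the first write, so a hostile target can only make the
 * decode fail, never corrupt memory. */
static hex_status hex_to_bin_checked(const char *hex, size_t hex_len,
                                     uint8_t *out, size_t out_cap,
                                     size_t *out_len)
{
    if (hex_len == 0)          return HEX_ERR_EMPTY;
    if (hex_len % 2 != 0)      return HEX_ERR_ODD_LENGTH;
    if (hex_len / 2 > out_cap) return HEX_ERR_TOO_LONG;
    for (size_t i = 0; i < hex_len; i++)
        if (hexval(hex[i]) < 0) return HEX_ERR_BAD_DIGIT;
    /* Every digit is valid and the result fits: now write, at most out_cap bytes. */
    for (size_t i = 0; i < hex_len / 2; i++)
        out[i] = (uint8_t)((hexval(hex[2 * i]) << 4) | hexval(hex[2 * i + 1]));
    *out_len = hex_len / 2;
    return HEX_OK;
}

/* Find CHAP_C in a login text segment and decode it with the checked decoder.
 * Pairs are '\n'-separated here for readability; on the wire the iSCSI text
 * segment separates key=value pairs with NUL bytes.  The "0b" (base64) value
 * encoding that RFC 7143 also permits is not handled in this example. */
static hex_status chap_challenge_from_login(const char *text, uint8_t *out,
                                            size_t out_cap, size_t *out_len)
{
    static const char key[] = "CHAP_C=0x";
    const char *p = strstr(text, key);
    if (p == NULL) return HEX_ERR_MISSING;
    p += sizeof(key) - 1;
    return hex_to_bin_checked(p, strcspn(p, "\n"), out, out_cap, out_len);
}

/* Constructed sample responses from a target: one well-formed, one hostile. */
static const char benign_login[] =
    "CHAP_A=5\nCHAP_I=1\nCHAP_C=0x000102030405060708090a0b0c0d0e0f\n";
static const char hostile_login[] =
    "CHAP_A=5\nCHAP_I=1\nCHAP_C=0x"
    "41414141414141414141414141414141"   /* 16 bytes: exactly fills the buffer */
    "4242424242424242deadbeefdeadbeef"   /* 16 more: would spill past it */
    "\n";

int main(void)
{
    uint8_t challenge[CHALLENGE_CAP];
    uint8_t scratch[256];   /* oversized only so the flawed decoder can be observed safely */
    size_t len = 0;
    hex_status s;

    s = chap_challenge_from_login(benign_login, challenge, sizeof challenge, &len);
    printf("benign:  status=%d len=%zu\n", s, len);

    s = chap_challenge_from_login(hostile_login, challenge, sizeof challenge, &len);
    printf("hostile: status=%d (rejected before any byte was written)\n", s);

    const char *hex = strstr(hostile_login, "CHAP_C=0x") + 9;
    size_t wrote = hex_to_bin_unchecked(hex, strcspn(hex, "\n"), scratch);
    printf("flawed decoder would write %zu bytes into a %d-byte buffer\n",
           wrote, CHALLENGE_CAP);
    return 0;
}
```

The order of the checks in hex_to_bin_checked() is the point: capacity is compared against the decoded length before the digit loop, and the digit loop finishes before the output loop starts, so a rejected input leaves the destination untouched rather than partially overwritten.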
Public posting:

* [edk2-devel] [PUBLIC edk2 PATCH v2 00/10] NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs
  Message-Id: <20210608121259.32451-1-lersek>
  https://listman.redhat.com/archives/edk2-devel-archive/2021-June/msg00316.html
  https://edk2.groups.io/g/devel/message/76198

Created edk2 tracking bugs for this issue:

Affects: epel-all [bug 1969442]
Affects: fedora-all [bug 1969443]

(In reply to Laszlo Ersek from comment #29)
> Public posting:
>
> * [edk2-devel] [PUBLIC edk2 PATCH v2 00/10]
>   NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs
>
>   Message-Id: <20210608121259.32451-1-lersek>
>   https://listman.redhat.com/archives/edk2-devel-archive/2021-June/msg00316.html
>   https://edk2.groups.io/g/devel/message/76198

Merged as upstream commit range 702ba436ed8e..b8649cf2a3e6, via <https://github.com/tianocore/edk2/pull/1698>.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2021:3066 https://access.redhat.com/errata/RHSA-2021:3066

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:3172 https://access.redhat.com/errata/RHSA-2021:3172

This issue has been addressed in the following products:

Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2021:3235 https://access.redhat.com/errata/RHSA-2021:3235

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:3369 https://access.redhat.com/errata/RHSA-2021:3369