Bug 1758518 (CVE-2019-14553) - CVE-2019-14553 edk2: invalid server certificate accepted in HTTPS-over-IPv6 boot
Summary: CVE-2019-14553 edk2: invalid server certificate accepted in HTTPS-over-IPv6 boot
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2019-14553
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1758521 1758519
Blocks: 1722139
TreeView+ depends on / blocked
 
Reported: 2019-10-04 12:31 UTC by Riccardo Schirone
Modified: 2019-11-07 18:51 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-11-07 18:51:10 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
TianoCore 960 None None None 2019-10-04 17:44:57 UTC

Description Riccardo Schirone 2019-10-04 12:31:11 UTC
edk2 accepts invalid certificates in HTTPS-over-IPv6 boot, which would allow an attacker to perform a man-in-the-middle attack even when HTTPS is used. In particular, the Common Name (CN) of the certificate is not correctly checked, thus the boot succeeds even if it should not be performed.

Upstream issue:
https://bugzilla.tianocore.org/show_bug.cgi?id=960

Comment 1 Riccardo Schirone 2019-10-04 12:31:34 UTC
Created edk2 tracking bugs for this issue:

Affects: epel-all [bug 1758521]
Affects: fedora-all [bug 1758519]

Comment 2 Riccardo Schirone 2019-10-04 12:34:16 UTC
Proposed upstream patch:
https://www.mail-archive.com/devel@edk2.groups.io/msg09286.html

Comment 4 Riccardo Schirone 2019-11-06 14:14:06 UTC
Upstream fix:
https://github.com/tianocore/edk2/compare/b15646484eaf...e2fc50812895

Comment 7 Riccardo Schirone 2019-11-07 13:09:03 UTC
Statement:

This issue did not affect the versions of edk2/ovmf as shipped with Red Hat Enterprise Linux 7, and 8 as they did not include support for HTTP boot nor TLS. Compile time options HTTP_BOOT_ENABLE and TLS_ENABLE are both disabled in the shipped packages.

Comment 8 Product Security DevOps Team 2019-11-07 18:51:10 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14553


Note You need to log in before you can comment on or make changes to this bug.