Bug 1858038 (CVE-2019-14560) - CVE-2019-14560 edk2: Function GetEfiGlobalVariable2() return value not checked in DxeImageVerificationHandler()
Summary: CVE-2019-14560 edk2: Function GetEfiGlobalVariable2() return value not checke...
Keywords:
Status: NEW
Alias: CVE-2019-14560
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 1858039 1861743 1858040 1861744 1910520
Blocks: 1858041
TreeView+ depends on / blocked
 
Reported: 2020-07-16 20:59 UTC by Pedro Sampaio
Modified: 2023-07-07 08:31 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
TianoCore 2167 0 None None None 2020-07-17 15:42:55 UTC

Description Pedro Sampaio 2020-07-16 20:59:41 UTC 
A flaw was found in edk2. Function GetEfiGlobalVariable2() return value is not checked possibly leading to secure boot bypass if an attacker
can cause the API to fail.

References:

https://bugzilla.tianocore.org/show_bug.cgi?id=2167
Comment 1 Pedro Sampaio 2020-07-16 21:00:11 UTC 
Created edk2 tracking bugs for this issue:

Affects: epel-all [bug 1858039]
Affects: fedora-all [bug 1858040]
Comment 4 Riccardo Schirone 2020-07-29 12:52:06 UTC 
Proposed patch:
https://bugzilla.tianocore.org/attachment.cgi?id=405&action=diff
Comment 6 Riccardo Schirone 2020-07-29 13:12:56 UTC 
In function DxeImageVerificationHandler() there is a call to GetEfiGlobalVariable2 (EFI_SECURE_BOOT_MODE_NAME, ...) but the return value is not checked. If an attacker is able to cause the API to fail it would allow him to bypass secure boot.
Note You need to log in before you can comment on or make changes to this bug.