Bug 1883532 (CVE-2019-14576) - CVE-2019-14576 edk2: DataDirectory security table element does not get included in signature verification
Status: CLOSED NOTABUG
Alias: CVE-2019-14576
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
Blocks: 1883558
Reported: 2020-09-29 13:49 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-03-01 05:56 UTC (History)
Last Closed: 2021-02-03 13:52:36 UTC


Links: TianoCore 2213 (last updated 2020-10-01 08:03:00 UTC)

Description Guilherme de Almeida Suckevicz 2020-09-29 13:49:45 UTC
The PE32/PE32+/TE image formats contain an EFI_IMAGE_DATA_DIRECTORY[] array that can contain an EFI_IMAGE_DIRECTORY_ENTRY_SECURITY element. This element in the array, and the content it describes are not included in the signature verification. The content describes one or more WIN_CERTIFICATES that are used in signature verification.

For obvious reasons the content itself cannot be part of the signature check (else by calculating it, it would change the signature itself). However, the DataDirectory entry itself, could be part of the signature check. It is currently not the case.

Because it's not, it gives an attacker a lot of leeway to take an existing validly signed .efi, make the room for the EFI_IMAGE_DIRECTORY_ENTRY_SECURITY content larger, and start adding content to it, while still leaving the WIN_CERTIFICATE intact enough to pass signature verification. This would allow an attacker to get arbitrary content inside of the EFI_IMAGE_DIRECTORY_ENTRY_SECURITY content mapped into memory, presumably with RWX or RX page protections. Hence having shellcode ready to go, in case an exploit is found somewhere (bypassing exploit mitigations).

Reference:
https://bugzilla.tianocore.org/show_bug.cgi?id=2213
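The following Python script is an added illustration of the point made in the report above; it is not code from edk2, from the reporter, or from the TianoCore bug. It builds a constructed, section-less PE32+ image (not a real executable) whose certificate table holds one WIN_CERTIFICATE, computes a SHA-256 over the file with the three regions Authenticode leaves unsigned removed (the CheckSum field, the security DataDirectory entry, and the certificate table it points to), and shows that enlarging the security directory and filling the extra room leaves that digest untouched. It then runs a defensive check, `certificate_table_slack`, that walks the WIN_CERTIFICATE entries and reports how many bytes in the security directory no certificate's DER payload accounts for, which is the kind of pre-load sanity check a firmware image validator could apply. All function names, the sample layout, and the hashing simplification (the Authenticode section-ordering step is omitted because the sample has no sections) are this example's own assumptions.

```python
import hashlib
import struct

# Layout constants for the constructed sample image (PE32+, no sections).
DOS_HEADER_SIZE = 64
COFF_HEADER_SIZE = 20
OPT_HEADER_SIZE_PE32PLUS = 240  # 112 fixed bytes + 16 data directories of 8 bytes
SECURITY_DIR_INDEX = 4          # EFI_IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_HEADER_LEN = 8         # dwLength(4) + wRevision(2) + wCertificateType(2)

def der_sequence(body: bytes) -> bytes:
    """Constructed stand-in for a PKCS#7 SignedData blob: a DER SEQUENCE with a
    two-byte long-form length. Only its outer length matters for the check below."""
    return b"\x30\x82" + struct.pack(">H", len(body)) + body

def build_sample_pe(cert_blob: bytes, inner_slack: int = 0, trailing_slack: int = 0) -> bytes:
    """Constructed section-less PE32+ file (not a real executable) with one WIN_CERTIFICATE
    around cert_blob. inner_slack bytes go inside that entry (covered by dwLength);
    trailing_slack bytes go after it (covered only by the DataDirectory size)."""
    headers_len = DOS_HEADER_SIZE + 4 + COFF_HEADER_SIZE + OPT_HEADER_SIZE_PE32PLUS
    payload = cert_blob + b"\x90" * inner_slack
    entry_len = WIN_CERT_HEADER_LEN + len(payload)
    entry = struct.pack("<IHH", entry_len, 0x0200, 0x0002) + payload  # revision 2.0, PKCS_SIGNED_DATA
    entry += b"\x00" * (-entry_len % 8)                               # entries are 8-byte aligned
    table = entry + b"\x90" * trailing_slack
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", DOS_HEADER_SIZE)   # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, OPT_HEADER_SIZE_PE32PLUS, 0x0022)
    opt = struct.pack("<HBBIIIII", 0x20B, 14, 0, 0, 0, 0, 0, 0x1000)  # Magic .. BaseOfCode
    opt += struct.pack("<QIIHHHHHHIIII", 0x140000000, 0x1000, 0x200,  # ImageBase .. CheckSum
                       6, 0, 0, 0, 6, 0, 0, 0x2000, headers_len, 0)
    opt += struct.pack("<HHQQQQII", 10, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    for index in range(16):                                           # data directories
        rva, size = (headers_len, len(table)) if index == SECURITY_DIR_INDEX else (0, 0)
        opt += struct.pack("<II", rva, size)
    return dos + b"PE\0\0" + coff + opt + table

def header_offsets(image: bytes):
    """File offsets of the CheckSum field and of the security DataDirectory entry."""
    e_lfanew = struct.unpack_from("<I", image, 60)[0]
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt_off = e_lfanew + 4 + COFF_HEADER_SIZE
    magic = struct.unpack_from("<H", image, opt_off)[0]
    dirs_off = opt_off + (112 if magic == 0x20B else 96)  # PE32+ vs PE32 fixed part
    return opt_off + 64, dirs_off + SECURITY_DIR_INDEX * 8

def authenticode_style_hash(image: bytes) -> str:
    """SHA-256 over the file minus the regions Authenticode leaves unsigned: the CheckSum
    field, the security DataDirectory entry and the certificate table it points to.
    Exact for a section-less headers-then-certificates layout; real images also need
    Authenticode's section-ordering step, which this sample skips."""
    checksum_off, secdir_off = header_offsets(image)
    cert_off, cert_size = struct.unpack_from("<II", image, secdir_off)
    digest, pos = hashlib.sha256(), 0
    for start, length in sorted([(checksum_off, 4), (secdir_off, 8), (cert_off, cert_size)]):
        digest.update(image[pos:start])
        pos = max(pos, start + length)
    digest.update(image[pos:])
    return digest.hexdigest()

def der_total_length(blob: bytes) -> int:
    """Encoded length of the DER SEQUENCE at the start of blob, or 0 if there is none."""
    if len(blob) < 2 or blob[0] != 0x30:
        return 0
    if blob[1] < 0x80:
        return 2 + blob[1]
    n = blob[1] & 0x7F
    return 2 + n + int.from_bytes(blob[2:2 + n], "big") if 0 < n <= len(blob) - 2 else 0

def certificate_table_slack(image: bytes) -> int:
    """Bytes in the security directory that no certificate accounts for: bytes inside a
    WIN_CERTIFICATE after its DER payload ends, plus bytes after the last well-formed
    entry. A normally signed image yields 0, so anything larger is worth flagging."""
    _, secdir_off = header_offsets(image)
    cert_off, cert_size = struct.unpack_from("<II", image, secdir_off)
    table = image[cert_off:cert_off + cert_size]
    pos, slack = 0, 0
    while pos + WIN_CERT_HEADER_LEN <= len(table):
        dw_length = struct.unpack_from("<I", table, pos)[0]
        if dw_length < WIN_CERT_HEADER_LEN or pos + dw_length > len(table):
            break                                   # malformed header: the rest is unaccounted for
        payload = table[pos + WIN_CERT_HEADER_LEN:pos + dw_length]
        der_len = der_total_length(payload)
        slack += (len(payload) - der_len) if 0 < der_len <= len(payload) else len(payload)
        pos += dw_length + (-dw_length % 8)         # next entry on an 8-byte boundary
    return slack + max(0, len(table) - pos)

if __name__ == "__main__":
    cert = der_sequence(b"\x02\x01\x01" + b"\x00" * 37)   # constructed 44-byte "signature"
    clean = build_sample_pe(cert)
    padded = build_sample_pe(cert, inner_slack=64, trailing_slack=512)
    print("hash unchanged by padding:", authenticode_style_hash(clean) == authenticode_style_hash(padded))
    print("slack bytes clean/padded:", certificate_table_slack(clean), certificate_table_slack(padded))
```

Run stand-alone, the script reports that the digest is identical for the clean and the padded image while the slack check reports 0 bytes for the clean one and 576 for the padded one (64 inside the entry, 512 after it). Because the signature exclusion rules are fixed by the Authenticode format, the practical defence is not in the hash but in a validator that refuses or flags images whose security directory is materially larger than the certificates it carries, which is the hardening the bug tracker discussion treats this as.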

Comment 5 Riccardo Schirone 2021-02-03 13:52:36 UTC
Closing this bug as WONTFIX because this is not going to be considered as a vulnerability, given that to exploit this you need another existing vulnerability. This is more of a second security layer/hardening feature.

