Function IscsiMisc.c:IScsiHexToBin() in NetworkPkg/IScsiDxe does not correctly check the sizes of the input and output buffers, allowing an attacker who can control the input buffer to cause a buffer overflow in the destination buffer. Function IScsiHexToBin is used to decode strings passed as part of the iSCSI Challenge-Handshake Authentication Protocol (CHAP), before authentication takes place. Thus an attacker, who can either inject himself into the communication between edk2 and the iSCSI target or control the iSCSI target used by edk2, can trigger this flaw and potentially execute code in the edk2 firmware. Upstream bug: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
Acknowledgments: Name: Laszlo Ersek (Red Hat)
Upstream patches (still under review): https://bugzilla.tianocore.org/show_bug.cgi?id=3356#c5
When edk2 is configured to use iSCSI, it sends a Login Request to the defined target on the network (which can be configured statically or discovered through DHCP). The target and the initiator, implemented in the edk2 firmware, exchange CHAP messages to authenticate each other or at least the initiator. The target, potentially malicious as its data come from the network, sends a hex-encoded challenge to the initiator. Function IScsiHexToBin is used to convert this challenge to its binary form. The attacker has control over the content of the input string and its length. The vulnerable function does not check if the data provided is enough or correctly formatted, nor if the output binary buffer is big enough to contain the challenge string provided by the target. Thus the attacker can effectively overwrite memory with whatever data he wants.
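As an added illustration, not code from edk2 or from the patches attached to this bug: a minimal hex-to-bin decoder in the unsafe shape the description above sketches (the number of bytes written follows only from the attacker-controlled input length), beside a checked version that validates the prefix, length, every digit and the destination capacity before the first write. The function names, the 16-byte destination buffer and the oversized sample challenge are this example's own assumptions, not edk2 identifiers; the "0x" prefix handling follows the iSCSI text-key encoding of binary values.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Status codes for the checked decoder. All names in this file are this
   example's own, not edk2's. */
enum hex_status {
    HEX_OK = 0,
    HEX_ERR_BAD_LENGTH,       /* empty string or odd number of hex digits */
    HEX_ERR_BAD_DIGIT,        /* character outside [0-9a-fA-F] */
    HEX_ERR_BUFFER_TOO_SMALL  /* decoded size exceeds the output buffer */
};

/* Constructed sample: a 32-byte challenge (64 hex digits, 0x prefix) aimed
   at a decoder whose destination buffer holds only 16 bytes. */
const char *CONSTRUCTED_OVERSIZED_CHALLENGE =
    "0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef";

/* iSCSI carries binary key values as "0x..." hex text (RFC 7143, 6.1);
   strip that prefix if present. */
static const char *skip_hex_prefix(const char *hex) {
    if (hex[0] == '0' && (hex[1] == 'x' || hex[1] == 'X')) return hex + 2;
    return hex;
}

static int hex_nibble(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* The unsafe pattern the description above sketches (illustrative, not
   edk2's code): the number of bytes written is derived from the
   attacker-controlled input length alone, so the caller's buffer capacity
   never enters the loop. Do not call it on untrusted input. */
size_t hex_to_bin_unchecked(const char *hex, uint8_t *bin) {
    hex = skip_hex_prefix(hex);
    size_t n = strlen(hex), out = 0;
    for (size_t i = 0; i + 1 < n; i += 2)
        bin[out++] = (uint8_t)((hex_nibble(hex[i]) << 4) | hex_nibble(hex[i + 1]));
    return out;
}

/* Returns 1 if hex_to_bin_unchecked() would write past a bin_cap-byte buffer. */
int would_overflow(const char *hex, size_t bin_cap) {
    return strlen(skip_hex_prefix(hex)) / 2 > bin_cap;
}

/* Hardened decoder: validate length, capacity and every digit before the
   first write, so a rejected input leaves bin untouched. */
enum hex_status hex_to_bin_checked(const char *hex, uint8_t *bin, size_t bin_cap,
                                   size_t *bin_len) {
    hex = skip_hex_prefix(hex);
    size_t n = strlen(hex);
    if (n == 0 || (n & 1)) return HEX_ERR_BAD_LENGTH;
    if (n / 2 > bin_cap) return HEX_ERR_BUFFER_TOO_SMALL;
    for (size_t i = 0; i < n; i++)
        if (hex_nibble(hex[i]) < 0) return HEX_ERR_BAD_DIGIT;
    for (size_t i = 0; i < n; i += 2)
        bin[i / 2] = (uint8_t)((hex_nibble(hex[i]) << 4) | hex_nibble(hex[i + 1]));
    if (bin_len) *bin_len = n / 2;
    return HEX_OK;
}

/* Wrappers around a fixed 16-byte destination (the size of an MD5 CHAP
   response), mirroring a caller that decodes into a stack buffer. */
enum hex_status decode_status_16(const char *hex) {
    uint8_t buf[16];
    return hex_to_bin_checked(hex, buf, sizeof buf, NULL);
}

int decoded_len_16(const char *hex) {
    uint8_t buf[16];
    size_t len = 0;
    return hex_to_bin_checked(hex, buf, sizeof buf, &len) == HEX_OK ? (int)len : -1;
}

int decoded_byte_16(const char *hex, size_t idx) {
    uint8_t buf[16];
    size_t len = 0;
    if (hex_to_bin_checked(hex, buf, sizeof buf, &len) != HEX_OK || idx >= len) return -1;
    return buf[idx];
}

int main(void) {
    printf("unchecked decoder would overflow a 16-byte buffer: %d\n",
           would_overflow(CONSTRUCTED_OVERSIZED_CHALLENGE, 16));
    printf("checked decoder status for the same input: %d\n",
           (int)decode_status_16(CONSTRUCTED_OVERSIZED_CHALLENGE));
    printf("checked decoder length for 0xDEADbeef: %d\n", decoded_len_16("0xDEADbeef"));
    return 0;
}
```

The capacity check has to happen before any byte is written, and digit validation has to cover the whole string first; a decoder that validates as it writes still leaves partially attacker-controlled bytes in the destination on a rejected input, which matters when the buffer is later compared against a computed CHAP digest.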
To trigger this flaw an attacker has to do a Man-in-the-middle attack and modify/inject packets in the communication between the target and the initiator (edk2) or he has to control the target used by the configured firmware (e.g. compromising the server). For these reasons, Attack Complexity is set to High (AC:H).
Upstream v2 patches (under review): https://bugzilla.tianocore.org/show_bug.cgi?id=3356#c17
(In reply to Laszlo Ersek from comment #9)
> Upstream v2 patches (under review):
> https://bugzilla.tianocore.org/show_bug.cgi?id=3356#c17

Review complete; said patches can be backported.
Public posting:

* [edk2-devel] [PUBLIC edk2 PATCH v2 00/10] NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs
  Message-Id: <20210608121259.32451-1-lersek>
  https://listman.redhat.com/archives/edk2-devel-archive/2021-June/msg00316.html
  https://edk2.groups.io/g/devel/message/76198
Created edk2 tracking bugs for this issue:

Affects: epel-all [bug 1969442]
Affects: fedora-all [bug 1969443]
(In reply to Laszlo Ersek from comment #29)
> Public posting:
>
> * [edk2-devel] [PUBLIC edk2 PATCH v2 00/10] NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs
>   Message-Id: <20210608121259.32451-1-lersek>
>   https://listman.redhat.com/archives/edk2-devel-archive/2021-June/msg00316.html
>   https://edk2.groups.io/g/devel/message/76198

Merged as upstream commit range 702ba436ed8e..b8649cf2a3e6, via <https://github.com/tianocore/edk2/pull/1698>.
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3066 https://access.redhat.com/errata/RHSA-2021:3066

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:3172 https://access.redhat.com/errata/RHSA-2021:3172

This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2021:3235 https://access.redhat.com/errata/RHSA-2021:3235

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:3369 https://access.redhat.com/errata/RHSA-2021:3369