CERT Vulnerability Note VU#533140

Tianocore UEFI implementation reclaim function vulnerable to buffer overflow

Published: 2015-01-05 (www.kb.cert.org)

CVSS v2 base score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
  Access Vector: Local; Access Complexity: Low; Authentication: None
  Confidentiality: Partial; Integrity: Partial; Availability: Partial

CVSS v3.1 base score: 6.8 (CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: Physical; Attack Complexity: Low; Privileges Required: None; User Interaction: None
  Scope: Unchanged; Confidentiality: High; Integrity: High; Availability: High

EPSS: 0.001 (percentile 32.1%)

Overview

The reclaim function in the Tianocore open source implementation of UEFI contains a buffer overflow vulnerability.

Description

The open source Tianocore project provides a reference implementation of the Unified Extensible Firmware Interface (UEFI). Some commercial UEFI implementations incorporate portions of the Tianocore source code.

According to Rafal Wojtczuk of Bromium and Corey Kallenberg of The MITRE Corporation, a buffer overflow vulnerability exists in the Reclaim function. Corey Kallenberg describes the vulnerability as follows:

"UEFI utilizes various non-volatile variables to communicate information back and forth between the operating system and the firmware; for instance, boot order, platform language, etc. These non-volatile variables are stored in a file-system-like region on the SPI flash chip. This file-system supports many operations such as deleting existing variables, creating new variables, and defragmenting the variable region in order to reclaim unused space. This latter operation is important to ensure that large variables can be created in the event the variable region is resource constrained and fragmented with many unused 'free slots.'

We have discovered a buffer overflow associated with this 'reclaim' operation."

Note that this issue is unlikely to be directly exposed to an attacker. Exploiting it requires a separate vulnerability (or physical access to the SPI flash) that already lets the attacker modify the non-volatile variable store, so that valid variable headers can be placed immediately after the end of the variable storage area, where the reclaim walk will read them.
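The walk the description refers to, modeled as an added example (this is not code from Tianocore/EDK2 or from the reporters): a toy variable store whose records carry a 0x55AA start marker, a state byte and name/data sizes; a reclaim routine that stops only when the marker check fails; and a bounded version of the same routine. The record layout, the constants VAR_ADDED and VAR_DELETED, the store and buffer sizes and all function names are assumptions for illustration. The constructed flash image places a valid record immediately after the 64-byte store, the precondition the note describes, and shows that the unbounded walk copies it into a reclaim buffer sized for the store and overruns it, while the bounded walk stops at the store's end and also rejects a record whose declared size would extend past it.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Toy model of a UEFI non-volatile variable region and its reclaim step.
 * Layout, constants and function names are assumptions, not EDK2's. */
#define STORE_SIZE  64       /* variable region size as recorded by the firmware */
#define FLASH_SIZE  128      /* bytes of SPI flash the walker can actually read */
#define VAR_MAGIC   0x55AAu  /* start marker that identifies a variable header */
#define VAR_ADDED   0x3Fu    /* live variable: must survive reclaim */
#define VAR_DELETED 0x3Du    /* assumed "deleted" state: its space is reclaimed */
enum { RECLAIM_ERR_CORRUPT = -1, RECLAIM_ERR_NOSPACE = -2 };
typedef struct { uint16_t magic; uint8_t state, reserved; uint32_t name_size, data_size; } var_hdr_t; /* 12 bytes */

/* Write one variable record at dst and return its total size. */
static size_t put_var(uint8_t *dst, uint8_t state, uint32_t nsz, uint32_t dsz, uint8_t fill)
{
    var_hdr_t h = { VAR_MAGIC, state, 0, nsz, dsz };
    memcpy(dst, &h, sizeof h);
    memset(dst + sizeof h, fill, nsz + dsz);
    return sizeof h + nsz + dsz;
}

/* Read the header at p; true only if it carries the start marker. */
static int read_hdr(const uint8_t *p, var_hdr_t *h) { memcpy(h, p, sizeof *h); return h->magic == VAR_MAGIC; }

/* VULNERABLE: copies live records into out, walking until a header fails the marker check.
 * Nothing ties the walk to the end of the store or the copies to the size of out. */
static size_t reclaim_unbounded(const uint8_t *store, uint8_t *out)
{
    const uint8_t *p = store; size_t written = 0; var_hdr_t h;
    while (read_hdr(p, &h)) {                 /* follows a valid header planted past the store */
        size_t sz = sizeof h + h.name_size + h.data_size;
        if (h.state == VAR_ADDED) {
            memcpy(out + written, p, sz);     /* overruns out once the chain leaves the store */
            written += sz;
        }
        p += sz;
    }
    return written;
}

/* HARDENED: every header and body must lie inside [store, store + store_size), every copy must fit in out. */
static long reclaim_bounded(const uint8_t *store, size_t store_size, uint8_t *out, size_t out_cap)
{
    const uint8_t *p = store, *end = store + store_size; size_t written = 0; var_hdr_t h;
    while ((size_t)(end - p) >= sizeof h && read_hdr(p, &h)) {   /* erased flash ends the chain */
        uint64_t body = (uint64_t)h.name_size + h.data_size;     /* cannot wrap */
        if (body > (uint64_t)(end - p) - sizeof h) return RECLAIM_ERR_CORRUPT;  /* claims bytes past the store */
        size_t sz = sizeof h + (size_t)body;
        if (h.state == VAR_ADDED) {
            if (sz > out_cap - written) return RECLAIM_ERR_NOSPACE;
            memcpy(out + written, p, sz);
            written += sz;
        }
        p += sz;
    }
    return (long)written;
}

/* Constructed flash image: a 64-byte store holding A (live), B (deleted), C (live), then
 * an attacker-planted record X that begins exactly at the store's end. */
static void build_flash(uint8_t flash[FLASH_SIZE])
{
    memset(flash, 0, FLASH_SIZE);
    put_var(flash +  0, VAR_ADDED,   4,  4, 'A');   /* 20 bytes */
    put_var(flash + 20, VAR_DELETED, 4,  8, 'B');   /* 24 bytes */
    put_var(flash + 44, VAR_ADDED,   4,  4, 'C');   /* 20 bytes, ends at 64 */
    put_var(flash + 64, VAR_ADDED,   4, 28, 'X');   /* 44 bytes, outside the store */
}

/* Vulnerable reclaim into a buffer sized for the store; returns how many of the 32
 * canary bytes placed after that buffer were clobbered (20). */
int canary_bytes_clobbered(void)
{
    uint8_t flash[FLASH_SIZE], arena[STORE_SIZE + 32];
    int n = 0;
    build_flash(flash); memset(arena, 0, sizeof arena);
    reclaim_unbounded(flash, arena);          /* writes 84 bytes into a 64-byte buffer */
    for (size_t i = STORE_SIZE; i < sizeof arena; i++) n += (arena[i] != 0);
    return n;
}

/* Hardened reclaim on the same image: 40 (A and C). With oversized != 0, C is rewritten to
 * claim 56 bytes where only 20 remain before the store's end, and RECLAIM_ERR_CORRUPT results. */
long bounded_reclaim_result(int oversized)
{
    uint8_t flash[FLASH_SIZE], out[STORE_SIZE];
    build_flash(flash);
    if (oversized) put_var(flash + 44, VAR_ADDED, 4, 40, 'T');
    return reclaim_bounded(flash, STORE_SIZE, out, sizeof out);
}

int main(void)
{
    printf("unbounded: %d canary bytes clobbered; bounded: %ld bytes kept; oversized record: %ld\n",
           canary_bytes_clobbered(), bounded_reclaim_result(0), bounded_reclaim_result(1));
    return 0;
}
```

Build with any C11 compiler; main() prints the three results. The two checks the bounded version adds are the ones that matter: the walk cannot leave the store, and a record's declared length cannot exceed what remains before the store's end, so a header planted after the end is simply never read.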


Impact

The consequences and exploitability of this bug vary with the particular firmware implementation. Because reclaim runs in firmware context, a local attacker who can trigger the overflow may be able to perform an arbitrary reflash of the platform firmware and escalate privileges, or cause a denial of service by rendering the system inoperable.


Solution

The vulnerable code is patched in EDK2 SVN revision 16280. The issue is still present in EDK1, which is no longer supported. Vendor-specific UEFI firmware derived from Tianocore may be affected.

Please see the Vendor Information section below to determine if your system may be affected. We are continuing to communicate with vendors as they investigate these vulnerabilities.


Vendor Information


Insyde Software Corporation: Affected

Notified: September 12, 2014 Updated: February 03, 2015

Status

Affected

Vendor Statement

Insyde has reviewed the Insyde BIOS code and believes the variable store is protected by flash write protections. However Insyde did also fix this coding error in late 2012. These updates were in Tags 03.72.49 and 05.02.49 which was the 2012 work week 49 release. The internal tracking number was IB02960648.

In 2014 Intel added some additional suggestions to protect the variable store. Insyde has reviewed the suggestions and in late 2014 implemented the additional suggestions. These later updates were available in Tags 03.74.45 and 05.04.45. The internal tracking number was IB02960684.

OEM and ODM customers are advised to contact their Insyde support representative for documentation and assistance.

End users are advised to contact the manufacturer of their equipment.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

American Megatrends Incorporated (AMI) Not Affected

Notified: September 12, 2014 Updated: December 08, 2014

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Apple Inc.: Not Affected

Notified: September 12, 2014 Updated: December 16, 2014

Status

Not Affected

Vendor Statement

For the issue reported, it does not affect Apple products.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Dell Computer Corporation, Inc. Not Affected

Notified: September 12, 2014 Updated: January 21, 2015

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM Corporation: Not Affected

Notified: September 12, 2014 Updated: December 16, 2014

Status

Not Affected

Vendor Statement

Internally, we have assigned PSIRT Advisory 2173 to VU#533140. Our development team analyzed the potential vulnerability, and the results of their analysis were that IBM is not exposed to this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Intel Corporation: Not Affected

Notified: September 12, 2014 Updated: December 19, 2014

Status

Not Affected

Vendor Statement

The originally reported issue in FSVariable.c only affects functionality where variable storage is emulated by an OS file system; it is not intended for production use. However, the same logic is used in other locations that are used in production.

Intel introduced changes in the EDK2 implementation (SVN 16280) and independently notified OEMs and BIOS vendors about this issue. Note that this issue would not normally be exposed; a separate vulnerability must allow modification of the non-volatile storage usually located on SPI flash, allowing the attacker to introduce valid variable headers after the end of the variable storage area.

At this time, Intel is not aware of any Intel-branded products that are affected by this issue.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Lenovo: Not Affected

Notified: September 12, 2014 Updated: January 21, 2015

Status

Not Affected

Vendor Statement

http://support.lenovo.com/us/en/product_security/uefi_variable_reclaim

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Phoenix Technologies Ltd.: Not Affected

Notified: September 12, 2014 Updated: December 19, 2014

Status

Not Affected

Vendor Statement

We investigated this item and found none of our current or previously shipped products to be vulnerable.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

AsusTek Computer Inc. Unknown

Notified: September 12, 2014 Updated: September 12, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Gateway Unknown

Notified: September 12, 2014 Updated: September 12, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Hewlett-Packard Company Unknown

Notified: September 12, 2014 Updated: September 12, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Sony Corporation Unknown

Notified: September 12, 2014 Updated: September 12, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Toshiba Unknown

Notified: September 12, 2014 Updated: September 12, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References


CVSS Metrics (CERT note scoring; note that this base vector differs from the CVSS v2 vector shown at the top of the page)

Group          Score   Vector
Base           6       AV:L/AC:H/Au:S/C:C/I:C/A:C
Temporal       5.1     E:U/RL:ND/RC:ND
Environmental  3.8     CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

Acknowledgements

Thanks to Rafal Wojtczuk of Bromium and Corey Kallenberg of The MITRE Corporation for reporting this vulnerability.

Other Information

CVE IDs: CVE-2014-8271
Date Public: 2014-12-28
Date First Published:
