UEFI EDK2 Capsule Update Vulnerabilities

2016-07-22T00:00:00
ID LENOVO:PS500040-NOSID
Type lenovo
Reporter Lenovo
Modified 2016-07-22T00:00:00

Description

Lenovo Security Advisory: LEN-2014-001

Potential Impact: Execution of arbitrary code

Severity: Medium

Summary:
The EDK2 UEFI reference implementation contains multiple vulnerabilities in the Capsule Update mechanism.

Description:
The open source EDK2 project provides a reference implementation of the Unified Extensible Firmware Interface (UEFI). Multiple vulnerabilities have been discovered in the EDK2 Capsule Update mechanism.

Buffer overflow in Capsule Processing Phase - CVE-2014-4859
During the Drive Execution Environment (DXE) phase of the UEFI boot process, the contents of the capsule image are parsed during processing. An integer overflow vulnerability exists in the capsule processing phase that can cause the allocation of a buffer to be unexpectedly small. As a result, attacker-controlled data can be written past the bounds of the buffer.

Write-what-where condition in Coalescing Phase - CVE-2014-4860
During the Pre-EFI Initialization (PEI) phase of the UEFI boot process, the capsule update is coalesced into its original form. Multiple integer overflow vulnerabilities exist in the coalescing phase that can be used to trigger a write-what-where condition.