Lenovo Security Advisory: LEN-2014-001
Potential Impact: Execution of arbitrary code
The EDK2 UEFI reference implementation contains multiple vulnerabilities in the Capsule Update mechanism.
The open source EDK2 project provides a reference implementation of the Unified Extensible Firmware Interface (UEFI). Multiple vulnerabilities have been discovered in the EDK2 Capsule Update mechanism.
Buffer overflow in Capsule Processing Phase - CVE-2014-4859
During the Drive Execution Environment (DXE) phase of the UEFI boot process, the contents of the capsule image are parsed during processing. An integer overflow vulnerability exists in the capsule processing phase that can cause the allocation of a buffer to be unexpectedly small. As a result, attacker-controlled data can be written past the bounds of the buffer.
Write-what-where condition in Coalescing Phase - CVE-2014-4860
During the Pre-EFI Initialization (PEI) phase of the UEFI boot process, the capsule update is coalesced into its original form. Multiple integer overflow vulnerabilities exist in the coalescing phase that can be used to trigger a write-what-where condition.