Main Vulnerability Database Vulnerabilities #VU34845

#VU34845 Integer overflow in edk2 - CVE-2014-4860

Published: January 31, 2020 / Updated: August 8, 2020

Vulnerability identifier: #VU34845

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2014-4860

CWE-ID: CWE-190

Exploitation vector: Local access

Exploit availability: No public exploit available

Vulnerable software:
edk2

Software vendor:
TianoCore

Description

The vulnerability allows a local non-authenticated attacker to execute arbitrary code.

Multiple integer overflows in the Pre-EFI Initialization (PEI) boot phase in the Capsule Update feature in the UEFI implementation in EDK2 allow physically proximate attackers to bypass intended access restrictions by providing crafted data that is not properly handled during the coalescing phase.

Remediation

Install update from vendor's website.

External links

http://www.kb.cert.org/vuls/id/552286