#VU83486 Unchecked Return Value in edk2 - CVE-2019-14560
Vulnerability identifier: #VU83486
Vulnerability risk: Low
CVSSv4.0: 4 [CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID:
CWE-ID:
CWE-252
Exploitation vector: Local
Exploit availability: No
Vulnerable software:
edk2
Hardware solutions /
Firmware
Vendor: TianoCore
Description
The vulnerability allows a local user to bypass implemented security restrictions.
The vulnerability exists due to an unchecked return value within the DxeImageVerificationHandler() function in SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c. A local user can bypass the secure boot protection.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
edk2: before edk2-stable202305
External links
https://github.com/tianocore/edk2/pull/4155
https://bugzilla.redhat.com/show_bug.cgi?id=1858038
https://bugzilla.tianocore.org/show_bug.cgi?id=2167
https://github.com/tianocore/edk2/pull/4155/commits/2a18d5ce48dcadeb0ab44d463377c6ec90ddce56
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
