JVNDB-2015-001002
|
UEFI EDK1 にバッファオーバーフローの脆弱性
|
|
UEFI のリファレンス実装である EDK1 にはバッファオーバーフローの脆弱性が存在します。
オープンソースのプロジェクト EDK1 は Unified Extensible Firmware Interface (UEFI) のリファレンス実装を提供しています。商用の UEFI 実装は EDK1 のソースコードを取り込んでいる可能性があります。Rafal Wojtczuk 氏と Corey Kallenberg 氏の調査によると、Edk1/source/Sample/Universal/Variable/RuntimeDxe/FS/FSVariable.c にはバッファオーバーフローの脆弱性が存在します。
Corey Kallenberg 氏は本脆弱性を次の通り説明しています。
"UEFI utilizes various non-volatile variables to communicate information back and forth between the operating system and the firmware; for instance, boot order, platform language, etc. These non-volatile variables are stored in a file-system like region on the SPI flash chip. This file-system supports many operations such as deleting existing variables, creating new variables, and defragmenting the variable region in order to reclaim unused space. This latter operation is important to ensure that large variables can be created in the event the variable region is resource constrained and fragmented with many unused "free slots."
We have discovered a buffer overflow associated with this "reclaim" operation [in FSVariable.c].
FSVariable.c
https://github.com/tianocore/edk/blob/master/Sample/Universal/Variable/RuntimeDxe/FS/FSVariable.c#L348-L352
In the reclaim operation, there is assumption that by following the chain of variables (by NextVariable = GetNextVariablePtr (Variable), that essentially adds Variable's size to it), we do not jump out of the variable store bounds.
In particular, in line 352, the CurrPtr can extend beyond the legitimate boundaries of the variable region. Ultimately in line 350, we can end up with a memory corruption via buffer overflow."
|
|
CVSS v2 による深刻度
基本値: 6.2 (警告) [IPA値]
- 攻撃元区分: ローカル
- 攻撃条件の複雑さ: 高
- 攻撃前の認証要否: 不要
- 機密性への影響(C): 全面的
- 完全性への影響(I): 全面的
- 可用性への影響(A): 全面的
|
|
EDK1 の下記のソースコードを取り込んでいる UEFI 実装が本脆弱性の影響を受ける可能性があります。
* Edk1/source/Sample/Universal/Variable/RuntimeDxe/FS/FSVariable.c
|
(複数のベンダ)
|
|
|
Rafal Wojtczuk 氏と Corey Kallenberg 氏は脆弱性の影響について次のように述べています。
"The impact of the vulnerability depends on the earliness at which the vulnerable code can be instantiated. Generally, as the boot up of the platform progresses, the platform becomes more and more locked down. Specifically, things like the SPI Flash containing the platform firmware, SMM, and other chipset configurations become locked.
In an ideal (for attacker) scenario, the vulnerable code can be instantiated before the SPI flash is locked down, thus resulting in an arbitrary reflash of the platform firmware.
Another possibility is for the attacker to leverage this vulnerability to get into SMM (if SMM is not sufficiently locked down yet), or to defeat Secure Boot and launch an authorized boot loader.
It is also possible that this code is copied into SMM to support the ability to create/modify authenticated variables at runtime, in which case, the vulnerability could be exploited to achieve a runtime SMM break-in.
The consequences and exploitablity of this bug will vary based on the OEM's firmware implementation."
|
|
開発者が提供する情報や CERT/CC Vulnerability Note VU#533140 の Vendor Information に掲載されている情報を参考に、対策方法を検討してください。CERT/CC では、引き続き UEFI に関する脆弱性について開発者との調整を進めています。
VU#533140 の Vendor Information
http://www.kb.cert.org/vuls/id/533140#vendors
|
|
|
|
|
|
- CVE-2014-8271
|
|
- JVN : JVNVU#91111635
- National Vulnerability Database (NVD) : CVE-2014-8271
- US-CERT Vulnerability Note : VU#533140
- US-CERT Vulnerability Note : Insyde Software Corporation Information for VU#533140
- 関連文書 : GitHub:edk/Sample/Universal/Variable/RuntimeDxe/FS/FSVariable.c
|
|
|
