Headline
Ubuntu Security Notice USN-6920-1
Ubuntu Security Notice 6920-1 - It was discovered that EDK II was not properly performing bounds checks in Tianocompress, which could lead to a buffer overflow. An authenticated user could use this issue to potentially escalate their privileges via local access. It was discovered that EDK II had an insufficient memory write check in the SMM service, which could lead to a page fault occurring. An authenticated user could use this issue to potentially escalate their privileges, disclose information and/or create a denial of service via local access.
==========================================================================
Ubuntu Security Notice USN-6920-1
July 29, 2024
edk2 vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in EDK II.
Software Description:
- edk2: UEFI firmware for virtual machines
Details:
It was discovered that EDK II was not properly performing bounds checks
in Tianocompress, which could lead to a buffer overflow. An authenticated
user could use this issue to potentially escalate their privileges via
local access. (CVE-2017-5731)
It was discovered that EDK II had an insufficient memory write check in
the SMM service, which could lead to a page fault occurring. An
authenticated user could use this issue to potentially escalate their
privileges, disclose information and/or create a denial of service via
local access. (CVE-2018-12182)
It was discovered that EDK II incorrectly handled memory in DxeCore, which
could lead to a stack overflow. An unauthenticated user could this
issue to potentially escalate their privileges, disclose information
and/or create a denial of service via local access. This issue only
affected Ubuntu 18.04 LTS. (CVE-2018-12183)
It was discovered that EDK II incorrectly handled memory in the
Variable service under certain circumstances. An authenticated user could
use this issue to potentially escalate their privileges, disclose
information and/or create a denial of service via local access.
(CVE-2018-3613)
It was discovered that EDK II incorrectly handled memory in its system
firmware, which could lead to a buffer overflow. An unauthenticated user
could use this issue to potentially escalate their privileges and/or
create a denial of service via network access. This issue only affected
Ubuntu 18.04 LTS. (CVE-2019-0160)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.04 LTS
ovmf 0~20180205.c0d9813c-2ubuntu0.3+esm1
Available with Ubuntu Pro
qemu-efi 0~20180205.c0d9813c-2ubuntu0.3+esm1
Available with Ubuntu Pro
qemu-efi-aarch64 0~20180205.c0d9813c-2ubuntu0.3+esm1
Available with Ubuntu Pro
qemu-efi-arm 0~20180205.c0d9813c-2ubuntu0.3+esm1
Available with Ubuntu Pro
Ubuntu 16.04 LTS
ovmf 0~20160408.ffea0a2c-2ubuntu0.2+esm1
Available with Ubuntu Pro
qemu-efi 0~20160408.ffea0a2c-2ubuntu0.2+esm1
Available with Ubuntu Pro
After a standard system update you need to restart the virtual machines
that use the affected firmware to make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6920-1
CVE-2017-5731, CVE-2018-12182, CVE-2018-12183, CVE-2018-3613,
CVE-2019-0160
Related news
Buffer overflow in system firmware for EDK II may allow unauthenticated user to potentially enable escalation of privilege and/or denial of service via network access.