Red Hat Security Advisory 2024-4036-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 8. Issues addressed include bypass and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4036.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: thunderbird security update  
Advisory ID:        RHSA-2024:4036-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:4036  
Issue date:         2024-06-20  
Revision:           03  
CVE Names:          CVE-2024-5688  
====================================================================

Summary: 

An update for thunderbird is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of  
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 115.12.1.

Security Fix(es):

* thunderbird: Use-after-free in networking (CVE-2024-5702)

* thunderbird: Use-after-free in JavaScript object transplant (CVE-2024-5688)

* thunderbird: External protocol handlers leaked by timing attack (CVE-2024-5690)

* thunderbird:  Sandboxed iframes were able to bypass sandbox restrictions to open a new window (CVE-2024-5691)

* thunderbird: Cross-Origin Image leak via Offscreen Canvas (CVE-2024-5693)

* thunderbird: Memory Corruption in Text Fragments (CVE-2024-5696)

* thunderbird: Memory safety bugs fixed in Firefox 127, Firefox ESR 115.12, and Thunderbird 115.12 (CVE-2024-5700)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-5688

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2291394  
https://bugzilla.redhat.com/show_bug.cgi?id=2291395  
https://bugzilla.redhat.com/show_bug.cgi?id=2291396  
https://bugzilla.redhat.com/show_bug.cgi?id=2291397  
https://bugzilla.redhat.com/show_bug.cgi?id=2291399  
https://bugzilla.redhat.com/show_bug.cgi?id=2291400  
https://bugzilla.redhat.com/show_bug.cgi?id=2291401

Red Hat Security Advisory 2024-4036-03

Red Hat Security Advisory 2024-4035-03 - An update for ovn-2021 is now available in Fast Datapath for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4035.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: ovn-2021 security updateAdvisory ID:        RHSA-2024:4035-03Product:            Fast DatapathAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4035Issue date:         2024-06-20Revision:           03CVE Names:          CVE-2024-2182====================================================================Summary: An update for ovn-2021 is now available in Fast Datapath for Red HatEnterprise Linux 8.Red Hat Product Security has rated this update as having a security impact ofImportant. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:OVN, the Open Virtual Network, is a system to support virtual networkabstraction.  OVN complements the existing capabilities of OVS to addnative support for virtual network abstractions, such as virtual L2 and L3overlays and security groups.Security fix(es):* ovn-2021: insufficient validation of BFD packets may lead to denial of service (CVE-2024-2182)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-2182References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2267840

Red Hat Security Advisory 2024-4035-03

Red Hat Security Advisory 2024-4034-03 - OpenShift container images for the Red Hat Service Interconnect 1.5 release. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4034.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Red Hat Service Interconnect 1.5.4 Release security update (images)Advisory ID:        RHSA-2024:4034-03Product:            Red Hat Service InterconnectAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4034Issue date:         2024-06-20Revision:           03CVE Names:          CVE-2023-45288====================================================================Summary: OpenShift container images for the Red Hat Service Interconnect 1.5 release.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat Service Interconnect 1.5 creates a service network, linking TCP and HTTP services across the hybrid cloud.A service network enables communication between services running in different network locations or sites.It allows geographically distributed services to connect as if they were all running in the same site.Security Fix(es):* golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS (CVE-2023-45288)* golang: crypto/x509: Verify panics on certificates with an unknown public key algorithm (CVE-2024-24783)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-45288References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2268019https://bugzilla.redhat.com/show_bug.cgi?id=2268273https://issues.redhat.com/browse/SKUPPER-1705https://issues.redhat.com/browse/SKUPPER-1812

Red Hat Security Advisory 2024-4034-03

Red Hat Security Advisory 2024-4028-03 - Red Hat OpenShift Serverless version 1.33.0 is now available.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4028.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: Release of OpenShift Serverless 1.33.0 security update & enhancementsAdvisory ID:        RHSA-2024:4028-03Product:            Red Hat OpenShift ServerlessAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4028Issue date:         2024-06-20Revision:           03CVE Names:          CVE-2023-45289====================================================================Summary: Red Hat OpenShift Serverless version 1.33.0 is now available.Red Hat Product Security has rated this update as having a security impact ofModerate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.Description:Version 1.33.0 of the OpenShift Serverless Operator is supported on Red HatOpenShift Container Platform versions 4.12, 4.13, 4.14, 4.15 and 4.16This release includes security, bug fixes, and enhancements.Security Fix(es):* golang: net/mail: comments in display names are incorrectly handled (CVE-2024-24784)* golang: crypto/x509: Verify panics on certificates with an unknown public key algorithm (CVE-2024-24783)* quarkus-core: Leak of local configuration properties into Quarkus applications (CVE-2024-2700) * netty-codec-http: Allocation of Resources Without Limits or Throttling (CVE-2024-29025)* golang: html/template: errors returned from MarshalJSON methods may break template escaping (CVE-2024-24785)* golang: net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect (CVE-2023-45289)* golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON (CVE-2024-24786)* jose-go: improper handling of highly compressed data (CVE-2024-28180)For more details about the security issues, including the impact, a CVSS score, acknowledgements, and other related information, refer to the CVE pages listed in the References section.Solution:https://access.redhat.com/documentation/en-us/red_hat_openshift_serverless/1.33CVEs:CVE-2023-45289References:https://access.redhat.com/security/updates/classification/#moderatehttps://access.redhat.com/documentation/en-us/red_hat_openshift_serverless/1.33https://bugzilla.redhat.com/show_bug.cgi?id=2268018https://bugzilla.redhat.com/show_bug.cgi?id=2268019https://bugzilla.redhat.com/show_bug.cgi?id=2268021https://bugzilla.redhat.com/show_bug.cgi?id=2268022https://bugzilla.redhat.com/show_bug.cgi?id=2268046https://bugzilla.redhat.com/show_bug.cgi?id=2268854https://bugzilla.redhat.com/show_bug.cgi?id=2272907https://bugzilla.redhat.com/show_bug.cgi?id=2273281https://bugzilla.redhat.com/show_bug.cgi?id=2277864https://bugzilla.redhat.com/show_bug.cgi?id=2277865

Red Hat Security Advisory 2024-4028-03

Red Hat Security Advisory 2024-4023-03 - Red Hat openshift-serverless-clients kn 1.33.0 is now available. Issues addressed include denial of service and memory exhaustion vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4023.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Release of openshift-serverless-clients kn 1.33.0 security update & enhancementsAdvisory ID:        RHSA-2024:4023-03Product:            Red Hat OpenShift ServerlessAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4023Issue date:         2024-06-20Revision:           03CVE Names:          CVE-2023-45288====================================================================Summary: Red Hat openshift-serverless-clients kn 1.33.0 is now available.Red Hat Product Security has rated this update as having a security impact ofImportant. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.Description:Red Hat OpenShift Serverless Client kn 1.33.0 provides a CLI to interact withRed Hat OpenShift Serverless 1.33.0. The kn CLI is delivered as an RPM packagefor installation on RHEL platforms, and as binaries for non-Linux platforms.This release includes security, bug fixes, and enhancements.Security Fix(es):* golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS (CVE-2023-45288)* golang: html/template: errors returned from MarshalJSON methods may break template escaping (CVE-2024-24785)* golang: net/mail: comments in display names are incorrectly handled (CVE-2024-24784)* golang: crypto/x509: Verify panics on certificates with an unknown public key algorithm (CVE-2024-24783)* golang: net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect (CVE-2023-45289)* golang: net/http: memory exhaustion in Request.ParseMultipartForm (CVE-2023-45290)A Red Hat Security Bulletin, which addresses further details about the RapidReset flaw is available in the References section.For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/documentation/en-us/red_hat_openshift_serverless/1CVEs:CVE-2023-45288References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/documentation/en-us/red_hat_openshift_serverless/1https://bugzilla.redhat.com/show_bug.cgi?id=2268017https://bugzilla.redhat.com/show_bug.cgi?id=2268018https://bugzilla.redhat.com/show_bug.cgi?id=2268019https://bugzilla.redhat.com/show_bug.cgi?id=2268021https://bugzilla.redhat.com/show_bug.cgi?id=2268022https://bugzilla.redhat.com/show_bug.cgi?id=2268273https://bugzilla.redhat.com/show_bug.cgi?id=2277862

Red Hat Security Advisory 2024-4023-03

Red Hat Security Advisory 2024-4018-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include bypass and use-after-free vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4018.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: thunderbird security update  
Advisory ID:        RHSA-2024:4018-03  
Product:            Red Hat Enterprise Linux  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:4018  
Issue date:         2024-06-20  
Revision:           03  
CVE Names:          CVE-2024-5688  
====================================================================

Summary: 

An update for thunderbird is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 115.12.1.

Security Fix(es):

* thunderbird: Use-after-free in networking (CVE-2024-5702)

* thunderbird: Use-after-free in JavaScript object transplant (CVE-2024-5688)

* thunderbird: External protocol handlers leaked by timing attack (CVE-2024-5690)

* thunderbird:  Sandboxed iframes were able to bypass sandbox restrictions to open a new window (CVE-2024-5691)

* thunderbird: Cross-Origin Image leak via Offscreen Canvas (CVE-2024-5693)

* thunderbird: Memory Corruption in Text Fragments (CVE-2024-5696)

* thunderbird: Memory safety bugs fixed in Firefox 127, Firefox ESR 115.12, and Thunderbird 115.12 (CVE-2024-5700)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2024-5688

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2291394  
https://bugzilla.redhat.com/show_bug.cgi?id=2291395  
https://bugzilla.redhat.com/show_bug.cgi?id=2291396  
https://bugzilla.redhat.com/show_bug.cgi?id=2291397  
https://bugzilla.redhat.com/show_bug.cgi?id=2291399  
https://bugzilla.redhat.com/show_bug.cgi?id=2291400  
https://bugzilla.redhat.com/show_bug.cgi?id=2291401

Red Hat Security Advisory 2024-4018-03

An issue was discovered in the events2 (aka Events 2) extension before 8.3.8 and 9.x before 9.0.6 for TYPO3. Missing access checks in the management plugin lead to an insecure direct object reference (IDOR) vulnerability with the potential to activate or delete various events for unauthenticated users.

Skip to content

**Navigation Menu**

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   GitHub Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-38874

**events2 TYPO3 extension insecure direct object reference (IDOR) vulnerability**

Moderate severity GitHub Reviewed Published Jun 21, 2024 to the GitHub Advisory Database • Updated Jun 21, 2024

**Package**

composer jweiland/events2 (Composer)

**Affected versions**

< 8.3.8

\>= 9.0.0, < 9.0.6

**Patched versions**

8.3.8

9.0.6

**Description**

Published to the GitHub Advisory Database

Jun 21, 2024

Last updated

Jun 21, 2024

GHSA-cchp-3rq6-69wj: events2 TYPO3 extension insecure direct object reference (IDOR) vulnerability

A recently patched high-severity flaw impacting SolarWinds Serv-U file transfer software is being actively exploited by malicious actors in the wild.
The vulnerability, tracked as CVE-2024-28995 (CVSS score: 8.6), concerns a directory transversal bug that could allow attackers to read sensitive files on the host machine.
Affecting all versions of the software prior to and including Serv-U 15.4.2

Vulnerability / Data Protection

A recently patched high-severity flaw impacting SolarWinds Serv-U file transfer software is being actively exploited by malicious actors in the wild.

The vulnerability, tracked as **CVE-2024-28995** (CVSS score: 8.6), concerns a directory transversal bug that could allow attackers to read sensitive files on the host machine.

Affecting all versions of the software prior to and including Serv-U 15.4.2 HF 1, it was addressed by the company in version Serv-U 15.4.2 HF 2 (15.4.2.157) released earlier this month.

The list of products susceptible to CVE-2024-28995 is below -

*   Serv-U FTP Server 15.4
*   Serv-U Gateway 15.4
*   Serv-U MFT Server 15.4, and
*   Serv-U File Server 15.4

Security researcher Hussein Daher of Web Immunify has been credited with discovering and reporting the flaw. Following the public disclosure, additional technical details and a proof-of-concept (PoC) exploit have since been made available.

Cybersecurity firm Rapid7 described the vulnerability as trivial to exploit and that it allows external unauthenticated attackers to read any arbitrary file on disk, including binary files, assuming they know the path to that file and it's not locked.

"High-severity information disclosure issues like CVE-2024-28995 can be used in smash-and-grab attacks where adversaries gain access to and attempt to quickly exfiltrate data from file transfer solutions with the goal of extorting victims," it said.

"File transfer products have been targeted by a wide range of adversaries the past several years, including ransomware groups."

Indeed, according to threat intelligence firm GreyNoise, threat actors have already begun to conduct opportunistic attacks weaponizing the flaw against its honeypot servers to access sensitive files like /etc/passwd, with attempts also recorded from China.

With previous flaws in Serv-U software exploited by threat actors, it's imperative that users apply the updates as soon as possible to mitigate potential threats.

"The fact that attackers are using publicly available PoCs means the barrier to entry for malicious actors is incredibly low," Naomi Buckwalter, director of product security at Contrast Security, said in a statement shared with The Hacker News.

"Successful exploitation of this vulnerability could be a stepping stone for attackers. By gaining access to sensitive information like credentials and system files, attackers can use that information to launch further attacks, a technique called 'chaining.' This can lead to a more widespread compromise, potentially impacting other systems and applications."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

SolarWinds Serv-U Vulnerability Under Active Attack - Patch Immediately

IntelBroker is offering source code from major companies for sale. Are they demonstrating the value of a zero-day they are also selling?

A moderator of the notorious data breach trading platform BreachForums is offering data for sale they claim comes from a data breach at T-Mobile.

The moderator, going by the name of IntelBroker, describes the data as containing source code, SQL files, images, Terraform data, t-mobile.com certifications, and “Siloprograms.” (We’ve not heard of siloprograms, and can’t find a reference to them anywhere, so perhaps it’s a mistranslation or typo.)

Post offereing data for sale supposedly from a T-Mobile internal breach

To prove they had the data, IntelBroker posted several screenshots showing access with administrative privileges to a Confluence server and T-Mobile’s internal Slack channels for developers.

But according to sources known to BleepingComputer, the data shared by IntelBroker actually consists of older screenshots. These screenshots show T-Mobile’s infrastructure, posted at a known—yet unnamed—third-party vendor’s servers, from where they were stolen.

When we looked at the screenshots IntelBroker attached to their post, we spotted something interesting in one of them.

Found CVE-2024-1597

This screenshot shows a search query for a critical vulnerability in Jira, a project management tool used by teams to plan, track, release and support software. It’s typically a place where you could find the source code of works in progress.

The search returns the result CVE-2024-1597, a SQL injection vulnerability. SQL injection happens when a cybercriminal injects malicious SQL code into a form on a website, such as a login page, instead of the data the form is asking for. The vulnerability affects Confluence Data Center and Server according to Atlassian’s May security bulletin.

For a better understanding, it’s important to note that Jira and Confluence are both products created by Atlassian, where Jira is the project management and issue tracking tool and Confluence is the collaboration and documentation tool. They are often used together.

If IntelBroker has a working exploit for the SQL injection vulnerability, this could also explain their claim that they have the source code of three internal tools used at Apple, including a single sign-on authentication system known as AppleConnect.

This theory is supported by the fact that IntelBroker is also offering a Jira zero-day for sale.

IntelBroker selling zero-day for JIra

> “I’m selling a zero-day RCE for Atlassian’s Jira.
> 
> Works for the latest version of the desktop app, as well as Jira with confluence.
> 
> No login is required for this, and works with Okta SSO.”

If this is true then this exploit, or its fruits, might be used for data breaches that involve personal data.

Meanwhile, T-Mobile has denied it has suffered a breach, saying it is investigating whether there has been a breach at a third-party provider.

> “We have no indication that T-Mobile customer data or source code was included and can confirm that the bad actor’s claim that T-Mobile’s infrastructure was accessed is false.”

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Was T-Mobile compromised by a zero-day in Jira? 

The old, but newly disclosed, vulnerability is buried deep inside personal computers, servers, and mobile devices, and their supply chains, making remediation a headache.

Source: Alexander Cimbal via Alamy Stock Photo

A vast swath of computers is likely to be affected by a newly published vulnerability in Intel processors.

CVE-2024-0762, unfortunately nicknamed "UEFIcanhazbufferoverflow," is a buffer overflow issue affecting multiple versions of Phoenix Technologies' SecureCore Unified Extensible Firmware Interface (UEFI) firmware. First disclosed by the vendor in May, it has now been described in detail by Eclypsium researchers in a blog post.

They first spotted it back in November, while analyzing UEFI images in Lenovo ThinkPad X1 Carbon 7th Gen and X1 Yoga 4th Gen laptops. The problem lies in an unsafe call to the GetVariable() runtime service, used for reading the contents of a UEFI variable. A lack of adequate checks could allow an attacker to feed it too much data, thereby causing an overflow. From there, the attacker could take advantage by escalating privileges and executing code in a targeted machine during runtime.

Even worse than the severity of the bug, though, is its spread. Intel supplies the majority of PC processors sold around the world, and SecureCore firmware runs on 10 different generations of Intel chips. Eclypsium estimates it could affect hundreds of PC models across a wide spectrum of vendors.

**The Rub With UEFI**

There are few areas of a machine where malicious attacks are so effective, and so difficult to excise, as UEFI and its predecessor, BIOS. As the firmware interface that controls how a system boots, it is the first and most privileged code that runs once a user hits the power button on their device.

Its special status has attracted attackers far and wide in recent years, allowing them to nab root-level privileges, establish persistence through reboots, bypass security programs that might otherwise catch more traditional malware, and more.

"It's not not really the greatest place to hack into, but it is a really good place to set up shop," explains Nate Warfield, director of threat research and intelligence with Eclypsium.

"If you have code execution during that stage of a computer booting, you can drop something into the boot sector. Or you can use this vector to inject malware into Windows before it starts." He points to the recent CosmicStrand UEFI rootkit as a case in point. It's also what makes UEFIcanhazbufferoverflow so dangerous.

Still, it was only assigned a "high" 7.5 out of 10 in the CVSS scoring system. That, Warfield says, comes down to a couple of factors.

First, it requires that an attacker already have access to their targeted machine. 

Additionally, unlike your typical headline vulnerability, exploits in this case may need to be customized to a certain degree depending on the targeted computer model's configuration, and the permissions assigned to the problematic variable, adding a certain degree of complexity to the whole affair.

**The Good News and (More) Bad**

Unfortunately, this same complexity extends to vendors developing patches.

"The vulnerability we found affected a whole bunch of different versions of \[Phoenix's\] UEFI code. So they had to patch all of those for their customers, and now everyone has to go and pull those and package them up for all the versions of their BIOS," Warfield explains. "They may end up having to fix 10, 15, or 20 different tiny differences \[in architecture\] because this one supports this many GPUs, this one supports different hardware configurations for the motherboard. It's impossible to know."

Lenovo — which coordinated with the researchers in recent months — started releasing fixes last month, though some computers will remain exposed until later in the summer. Other, more recently informed original equipment and design manufacturers will surely take even longer. Organizations using Intel-powered computers can do little more than twiddle their thumbs in the meantime.

"This is the whole supply chain problem in a nutshell," Warfield says. "We informed the vendor. We have to wait for them to tell their customers' OEMs, who have to package their fixes and deliver it to their customers, who are the end users."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Tag

#vulnerability