Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAAfJHtpMWco6y_wRRzrgQfJZmwzsMG6P8D5FFWLMAOihuc2dZw@mail.gmail.com>
Date: Wed, 14 Feb 2024 14:40:43 +0000
From: Mate Kukri <mate.kukri@...onical.com>
To: oss-security@...ts.openwall.com
Subject: Secure Boot bypass in EDK2 based Virtual Machine firmware

Hello,

We have identified a vulnerability resulting from an insecure default
configuration of OVMF/AAVMF
and similar firmware as used in Ubuntu's edk2 package, the firmware
used by LXD, and potentially other similar software.

Said EDK2 based firmwares implement UEFI Secure Boot functionality but
also contain a copy of the UEFI Shell,
this gives an OS resident attacker (without physical access or
pseudo-physical access) the ability to execute arbitrary
code at system level, and thus the ability bypass UEFI Secure Boot.

While no proof of concept was developed, the above conclusion was
drawn from a theoretical attack along the lines of:
1. The UEFI Shell has built-in functionality for unattended scripting,
and a command (`mm`) for writing directly to physical memory, PCI
config space, etc.
2. An OS resident attacker can manipulate the boot order to execute an
arbitrary UEFI Shell script containing any Shell commands upon reboot.
3. These commands can then write an arbitrary unsigned executable
payload to physical memory, and take control of the instruction
pointer by overwriting a return address or some other pointer
resulting in unsigned code execution.

We have developed a patch to disable the UEFI Shell
when Secure Boot is active, and in future, we plan on removing the
UEFI Shell from such firmware images.

The Ubuntu edk2 and LXD issue are also known as CVE-2023-48733 and
CVE-2023-49721.

The issue is tracked on Launchpad as
https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/2040137 and
https://bugs.launchpad.net/ubuntu/+source/lxd/+bug/2040139.

The TianoCore project does not consider this a vulnerability in edk2
as the configuration option to disable the UEFI Shell is available, and
deciding this policy is up to downstream vendors and distributors.

Best regards,
Mate Kukri

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.