Ubuntu Security Notice 6638-1 - Marc Beatove discovered buffer overflows exit in EDK2. An attacker on the local network could potentially use this to impact availability or possibly cause remote code execution. It was discovered that a buffer overflows exists in EDK2's Network Package An attacker on the local network could potentially use these to impact availability or possibly cause remote code execution.
cb517471393f2b25d84672292a8731ab62b9d85dbfaf6f8ff61eb3870a2e1cb5
==========================================================================
Ubuntu Security Notice USN-6638-1
February 15, 2024
edk2 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in EDK II.
Software Description:
- edk2: UEFI firmware for virtual machines
Details:
Marc Beatove discovered buffer overflows exit in EDK2. An attacker on the
local network could potentially use this to impact availability or possibly
cause remote code execution. (CVE-2022-36763, CVE-2022-36764,
CVE-2022-36765)
It was discovered that a buffer overflows exists in EDK2's Network Package
An attacker on the local network could potentially use these to impact
availability or possibly cause remote code execution. (CVE-2023-45230,
CVE-2023-45234, CVE-2023-45235)
It was discovered that an out-of-bounds read exists in EDK2's Network
Package An attacker on the local network could potentially use this to
impact confidentiality. (CVE-2023-45231)
It was discovered that infinite-loops exists in EDK2's Network Package
An attacker on the local network could potentially use these to impact
availability. (CVE-2023-45232, CVE-2023-45233)
Mate Kukri discovered that an insecure default to allow UEFI Shell in
EDK2 was left enabled in Ubuntu's EDK2. An attacker could use this to
bypass Secure Boot. (CVE-2023-48733)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.10:
efi-shell-aa64 2023.05-2ubuntu0.1
efi-shell-arm 2023.05-2ubuntu0.1
efi-shell-x64 2023.05-2ubuntu0.1
ovmf 2023.05-2ubuntu0.1
qemu-efi-aarch64 2023.05-2ubuntu0.1
qemu-efi-arm 2023.05-2ubuntu0.1
Ubuntu 22.04 LTS:
ovmf 2022.02-3ubuntu0.22.04.2
qemu-efi 2022.02-3ubuntu0.22.04.2
qemu-efi-aarch64 2022.02-3ubuntu0.22.04.2
qemu-efi-arm 2022.02-3ubuntu0.22.04.2
Ubuntu 20.04 LTS:
ovmf 0~20191122.bd85bf54-2ubuntu3.5
qemu-efi 0~20191122.bd85bf54-2ubuntu3.5
qemu-efi-aarch64 0~20191122.bd85bf54-2ubuntu3.5
qemu-efi-arm 0~20191122.bd85bf54-2ubuntu3.5
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6638-1
CVE-2022-36763, CVE-2022-36764, CVE-2022-36765, CVE-2023-45230,
CVE-2023-45231, CVE-2023-45232, CVE-2023-45233, CVE-2023-45234,
CVE-2023-45235, CVE-2023-48733,https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/2040137
Package Information:
https://launchpad.net/ubuntu/+source/edk2/2023.05-2ubuntu0.1
https://launchpad.net/ubuntu/+source/edk2/2022.02-3ubuntu0.22.04.2
https://launchpad.net/ubuntu/+source/edk2/0~20191122.bd85bf54-2ubuntu3.5