USN-6638-1: EDK II vulnerabilities
15 February 2024
Several security issues were fixed in EDK II.
Releases: Ubuntu 23.10, Ubuntu 22.04, Ubuntu 20.04
Packages
- edk2 - UEFI firmware for virtual machines
Details
Marc Beatove discovered that buffer overflows exist in EDK2. An attacker on the
local network could potentially use this to impact availability or possibly
cause remote code execution. (CVE-2022-36763, CVE-2022-36764,
CVE-2022-36765)
It was discovered that buffer overflows exist in EDK2's Network Package.
An attacker on the local network could potentially use these to impact
availability or possibly cause remote code execution. (CVE-2023-45230,
CVE-2023-45234, CVE-2023-45235)
It was discovered that an out-of-bounds read exists in EDK2's Network
Package. An attacker on the local network could potentially use this to
impact confidentiality. (CVE-2023-45231)
It was discovered that infinite loops exist in EDK2's Network Package.
An attacker on the local network could potentially use these to impact
availability. (CVE-2023-45232, CVE-2023-45233)
Mate Kukri discovered that an insecure default that allows the UEFI Shell in
EDK2 was left enabled in Ubuntu's EDK2 builds. An attacker could use this to
bypass Secure Boot. (CVE-2023-48733)
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 23.10
- efi-shell-aa64 - 2023.05-2ubuntu0.1
- efi-shell-arm - 2023.05-2ubuntu0.1
- efi-shell-x64 - 2023.05-2ubuntu0.1
- ovmf - 2023.05-2ubuntu0.1
- qemu-efi-aarch64 - 2023.05-2ubuntu0.1
- qemu-efi-arm - 2023.05-2ubuntu0.1
Ubuntu 22.04
- ovmf - 2022.02-3ubuntu0.22.04.2
- qemu-efi - 2022.02-3ubuntu0.22.04.2
- qemu-efi-aarch64 - 2022.02-3ubuntu0.22.04.2
- qemu-efi-arm - 2022.02-3ubuntu0.22.04.2
Ubuntu 20.04
- ovmf - 0~20191122.bd85bf54-2ubuntu3.5
- qemu-efi - 0~20191122.bd85bf54-2ubuntu3.5
- qemu-efi-aarch64 - 0~20191122.bd85bf54-2ubuntu3.5
- qemu-efi-arm - 0~20191122.bd85bf54-2ubuntu3.5
In general, a standard system update will make all the necessary changes.
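The following is an added example, not part of this notice or of Canonical's tooling: it checks a host's installed EDK2 package versions against the fixed versions listed above. On a Debian-based host the authoritative comparison is `dpkg --compare-versions`; the script instead carries a Python port of dpkg's version ordering (epoch, upstream and revision parts; `~` sorts before everything, digit runs compare numerically) so it can also run on a workstation that has only collected `dpkg-query` output from a fleet. The `dpkg-query` output embedded in the script is constructed sample data, and the release key and helper function names are this example's own.

```python
r"""Check installed EDK2/OVMF packages against USN-6638-1 fixed versions.

Added example for this notice, not Canonical's tooling. SAMPLE_DPKG_QUERY
below is constructed data; on a real host replace it with the output of:
    dpkg-query -W -f='${Package} ${Version}\n' ovmf qemu-efi qemu-efi-aarch64 qemu-efi-arm
"""

# Fixed versions exactly as given in the notice, keyed by Ubuntu release.
FIXED_VERSIONS = {
    "23.10": dict.fromkeys(["efi-shell-aa64", "efi-shell-arm", "efi-shell-x64",
                            "ovmf", "qemu-efi-aarch64", "qemu-efi-arm"],
                           "2023.05-2ubuntu0.1"),
    "22.04": dict.fromkeys(["ovmf", "qemu-efi", "qemu-efi-aarch64", "qemu-efi-arm"],
                           "2022.02-3ubuntu0.22.04.2"),
    "20.04": dict.fromkeys(["ovmf", "qemu-efi", "qemu-efi-aarch64", "qemu-efi-arm"],
                           "0~20191122.bd85bf54-2ubuntu3.5"),
}


def _order(ch):
    """Character weight as in dpkg's verrevcmp(): '~' sorts before anything,
    even the end of the string; letters sort before other non-digits."""
    if ch == "" or ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)
    if ch == "~":
        return -1
    return ord(ch) + 256


def _verrevcmp(a, b):
    """Compare two version fragments (upstream or revision) the dpkg way:
    alternate non-digit runs (weighted lexical) and digit runs (numeric)."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character weights until a digit or end.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then the longer run wins, else the
        # first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as Debian version a is older than, equal to, or
    newer than b (the ordering `dpkg --compare-versions` uses)."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


def parse_dpkg_query(output):
    """Parse 'Package Version' lines as printed by dpkg-query -W -f."""
    installed = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 2:
            installed[parts[0]] = parts[1]
    return installed


def find_unpatched(release, installed):
    """Return [(package, installed_version, fixed_version)] for installed
    packages that are still older than the version fixed in this notice."""
    fixed = FIXED_VERSIONS[release]
    return [(pkg, ver, fixed[pkg]) for pkg, ver in sorted(installed.items())
            if pkg in fixed and compare_versions(ver, fixed[pkg]) < 0]


# Constructed sample for an Ubuntu 22.04 virtualization host: ovmf is still
# on the previous revision, qemu-efi-aarch64 already carries the fix.
SAMPLE_DPKG_QUERY = """\
ovmf 2022.02-3ubuntu0.22.04.1
qemu-efi-aarch64 2022.02-3ubuntu0.22.04.2
"""

if __name__ == "__main__":
    for pkg, have, want in find_unpatched("22.04", parse_dpkg_query(SAMPLE_DPKG_QUERY)):
        print(f"{pkg}: installed {have}, fixed in {want}")
```

A package reported by this check needs the update; a package that is absent from the output is simply not installed. Note that these packages ship firmware images that a guest loads when it starts, so after upgrading the host the fix reaches a virtual machine only once that machine is restarted.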