Bug 1218680 (CVE-2022-36765)

Summary: VUL-0: CVE-2022-36765: ovmf,EDK2 is susceptible to a vulnerability in the CreateHob() function, allowing a user to trigger an integer overflow to buffer overflow via a local network. Successful exploitation of this vulnerability may result in a compromise
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: Joey Lee <jlee>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: jlee, meissner, stoyan.manolov
Version: unspecified
Flags: stoyan.manolov: needinfo? (jlee)
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/390490/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-36765:7.0:(AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2024-01-10 05:27:26 UTC
EDK2 is susceptible to a vulnerability in the CreateHob() function, allowing a user to trigger an integer overflow to buffer overflow via a local network. Successful exploitation of this vulnerability may result in a compromise of confidentiality, integrity, and/or availability.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36765
https://www.cve.org/CVERecord?id=CVE-2022-36765
https://github.com/tianocore/edk2/security/advisories/GHSA-ch4w-v7m3-g8wx
Comment 2 Joey Lee 2024-01-12 04:51:06 UTC
(In reply to SMASH SMASH from comment #0)
> EDK2 is susceptible to a vulnerability in the CreateHob() function, allowing
> a user to trigger an integer overflow to buffer overflow via a local network.
> Successful exploitation of this vulnerability may result in a compromise of
> confidentiality, integrity, and/or availability.
> 
> References:
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36765
> https://www.cve.org/CVERecord?id=CVE-2022-36765
> https://github.com/tianocore/edk2/security/advisories/GHSA-ch4w-v7m3-g8wx

Upstream experts are still working on the patch in the above EDK2 bug. I will backport it when the patch is merged to edk2 mainline.
Comment 3 Joey Lee 2024-01-12 04:59:00 UTC
Actually, this CVE is NOT easy to use because it's in the PEI stage:

Integer Overflow in CreateHob() could lead to HOB OOB R/W
https://github.com/tianocore/edk2/security/advisories/GHSA-ch4w-v7m3-g8wx

Impact
Exploitability here seems tricky, as an attacker would need to trigger this vulnerability in the PEI phase.
On the other hand, the number of calls to this function is fairly high.
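To make the bug class named above concrete, here is an added C sketch that is not edk2's CreateHob() and not part of this bug report: a simplified HOB list allocator that rounds a 16-bit HOB length up to 8-byte alignment in 16-bit arithmetic, beside a version that rejects the wrap before touching the free-space check. The pool size, the names and the exact form of the check are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Simplified model of a PEI-phase HOB list allocator, written for this
 * illustration. It is NOT edk2's CreateHob(); the pool size, names and the
 * exact check are assumptions for this example. */
#define HOB_ALIGN      8u      /* HOBs are 8-byte aligned (assumed for this model) */
#define HOB_POOL_SIZE  4096u   /* constructed: bytes available for the HOB list */

static uint8_t hob_pool[HOB_POOL_SIZE];
static size_t  hob_free_offset;   /* bytes of the pool already handed out */

void   hob_reset(void) { hob_free_offset = 0; }
size_t hob_used(void)  { return hob_free_offset; }

/* Vulnerable pattern: the 16-bit length is rounded up to HOB_ALIGN inside a
 * 16-bit variable. For lengths near 65535 the rounded value wraps to 0, the
 * free-space check passes, and a caller that then fills hob_length bytes at
 * *out writes past the end of the HOB list (the OOB R/W the advisory names). */
bool create_hob_unchecked(uint16_t hob_length, void **out) {
    uint16_t rounded = (uint16_t)((hob_length + HOB_ALIGN - 1u) & ~(HOB_ALIGN - 1u));
    if (rounded > HOB_POOL_SIZE - hob_free_offset) {
        return false;
    }
    *out = &hob_pool[hob_free_offset];
    hob_free_offset += rounded;   /* advances by the wrapped value, not the real size */
    return true;
}

/* Hardened pattern: reject any length whose rounding cannot be represented in
 * 16 bits, then do the remaining arithmetic in size_t before comparing. */
bool create_hob_checked(uint16_t hob_length, void **out) {
    if (hob_length > UINT16_MAX - (HOB_ALIGN - 1u)) {
        return false;               /* rounding would overflow the 16-bit length */
    }
    size_t rounded = ((size_t)hob_length + HOB_ALIGN - 1u) & ~((size_t)HOB_ALIGN - 1u);
    if (rounded > HOB_POOL_SIZE - hob_free_offset) {
        return false;               /* not enough room left in the HOB list */
    }
    *out = &hob_pool[hob_free_offset];
    hob_free_offset += rounded;
    return true;
}
```

The unchecked variant accepts a 65535-byte request while recording zero bytes used, which is exactly the state in which a subsequent copy of the HOB payload overruns the list.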