Bugzilla – Bug 1163969
VUL-0: CVE-2019-14575: ovmf: DxeImageVerificationHandler() fails open in case of dbx signature check
Last modified: 2020-06-30 07:48:08 UTC
CVE-2019-14575: Function DxeImageVerificationHandler() does not properly check whether an unsigned EFI file should be allowed or not. If a .efi image is both in the whitelist and in the blacklist, it is not supposed to load, but if certain operations fail it will be loaded anyway, thus bypassing the verification. DxeImageVerificationHandler() has specific code to handle .efis that aren't signed but should be allowed to run. To do this, it hashes the .efi image, and then compares the image against a blacklist (dbx) and a whitelist (db). A situation could occur where a hash is both in the dbx and db list. This is supposed to fail, since it's in the dbx list. Because of the way a signature is looked up in dbx (using the IsSignatureFoundInDatabase() return value), any failure (e.g. allocation failure, looking up the variable failure, ...) will be seen as signature not found in database. This logic allows for bypassing the dbx lookup and loading of an unsigned .efi image that should not be loaded.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1736862
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14575
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14575.html
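The failure mode described in the report is a fail-open lookup: a single boolean answers "was the hash found in dbx?", so an error while fetching the variable is indistinguishable from "not found" and the image falls through to the db check. The following is an added illustration, not EDK2 or OVMF code: it models the dbx/db consultation with a minimal in-memory database, shows the fail-open shape beside a fail-closed one that reports lookup errors separately from the search result (the approach the upstream "Differentiate error/search result" and "tighten default result" commit titles describe), and simulates the variable read failing. All names (hash_db, verify_unsigned_image_fail_open, verify_unsigned_image_fail_closed, scenario) and the hash values are constructed for the example.

```c
/* Added illustration of CVE-2019-14575's fail-open pattern (not EDK2/OVMF code).
 * Databases, hash values and the simulated read failure are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HASH_LEN 32

/* A signature database (db or dbx) reduced to a flat list of SHA-256 hashes.
 * read_fails simulates GetVariable() or a buffer allocation failing while
 * the variable is being fetched. */
typedef struct {
    const uint8_t *entries;   /* count * HASH_LEN bytes */
    size_t count;
    bool read_fails;
} hash_db;

typedef enum { VERDICT_ALLOW = 0, VERDICT_DENY = 1 } verdict;
typedef enum { LOOKUP_FOUND, LOOKUP_NOT_FOUND, LOOKUP_ERROR } lookup_result;

static bool hash_present(const hash_db *db, const uint8_t *hash)
{
    for (size_t i = 0; i < db->count; i++)
        if (memcmp(db->entries + i * HASH_LEN, hash, HASH_LEN) == 0)
            return true;
    return false;
}

/* Vulnerable shape: one bool answers "found?", so a failure to read the
 * database collapses into "not found". */
static bool is_hash_in_db_boolean(const hash_db *db, const uint8_t *hash)
{
    if (db->read_fails)
        return false;                /* error silently reported as "absent" */
    return hash_present(db, hash);
}

/* Fail-open checker: an unreadable dbx never denies anything. */
verdict verify_unsigned_image_fail_open(const hash_db *dbx, const hash_db *db,
                                        const uint8_t *hash)
{
    if (is_hash_in_db_boolean(dbx, hash))   /* read error -> false -> skipped */
        return VERDICT_DENY;
    if (is_hash_in_db_boolean(db, hash))
        return VERDICT_ALLOW;
    return VERDICT_DENY;
}

/* Fixed shape: errors are a distinct outcome, and the caller treats
 * anything other than a definite "not in dbx" as a denial. */
static lookup_result lookup_hash(const hash_db *db, const uint8_t *hash)
{
    if (db->read_fails)
        return LOOKUP_ERROR;
    return hash_present(db, hash) ? LOOKUP_FOUND : LOOKUP_NOT_FOUND;
}

verdict verify_unsigned_image_fail_closed(const hash_db *dbx, const hash_db *db,
                                          const uint8_t *hash)
{
    if (lookup_hash(dbx, hash) != LOOKUP_NOT_FOUND)   /* found, or unknown */
        return VERDICT_DENY;
    if (lookup_hash(db, hash) == LOOKUP_FOUND)        /* only a positive hit allows */
        return VERDICT_ALLOW;
    return VERDICT_DENY;
}

/* Builds one constructed scenario: whether the image hash sits in db and/or
 * dbx, whether the dbx read fails, and which checker to run. */
verdict scenario(bool hash_in_db, bool hash_in_dbx, bool dbx_unreadable, bool fail_closed)
{
    static const uint8_t image_hash[HASH_LEN] = { 0x11, 0x22, 0x33 }; /* constructed */
    static const uint8_t unrelated[HASH_LEN]  = { 0xEE, 0xEE, 0xEE }; /* constructed */
    hash_db db  = { hash_in_db  ? image_hash : unrelated, 1, false };
    hash_db dbx = { hash_in_dbx ? image_hash : unrelated, 1, dbx_unreadable };
    return fail_closed ? verify_unsigned_image_fail_closed(&dbx, &db, image_hash)
                       : verify_unsigned_image_fail_open(&dbx, &db, image_hash);
}

static const char *name(verdict v) { return v == VERDICT_ALLOW ? "ALLOW" : "DENY"; }

int main(void)
{
    /* The reported case: hash in both db and dbx, dbx fetch fails. */
    printf("dbx unreadable, hash in db and dbx: fail-open=%s fail-closed=%s\n",
           name(scenario(true, true, true, false)), name(scenario(true, true, true, true)));
    printf("dbx readable,   hash in db and dbx: fail-open=%s fail-closed=%s\n",
           name(scenario(true, true, false, false)), name(scenario(true, true, false, true)));
    return 0;
}
```

The first printed line is the bypass: with dbx unreadable, the fail-open checker allows an image whose hash is blacklisted, while the fail-closed checker denies it. When dbx is readable both checkers agree, which is why the defect only surfaces under resource or variable-store failures.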
No fix is currently merged upstream. However, the v5 attachment in upstream bug [1] is proposed. Some additional references at [2].
[1] https://bugzilla.tianocore.org/show_bug.cgi?id=1608
[2] https://edk2.groups.io/g/devel/message/53866
The fixes are released.
fbb96072233b5eaecf4d229cbee47b13dcab39e1 SecurityPkg/DxeImageVerificationLib: Fix memory leaks (CVE-2019-14575)
c13742b180095e5181e41dffda954581ecbd9b9c SecurityPkg/DxeImageVerificationLib: reject CertStack.CertNumber==0 per DBX (CVE-2019-14575)
9e569700901857d0ba418ebdd30b8086b908688c SecurityPkg/DxeImageVerificationLib: fix wrong fetch dbx in IsAllowedByDb (CVE-2019-14575)
929d1a24d12822942fd4f9fa83582e27f92de243 SecurityPkg/DxeImageVerificationLib: avoid bypass in fetching dbx (CVE-2019-14575)
adc6898366298d1f64b91785e50095527f682758 SecurityPkg/DxeImageVerificationLib: refactor db/dbx fetching code (CVE-2019-14575)
a83dbf008cc73406cbdc0d5ac3164cc19fff6683 SecurityPkg/DxeImageVerificationLib: Differentiate error/search result (1) (CVE-2019-14575)
5cd8be6079ea7e5638903b2f3da0f4c10ec7f1da SecurityPkg/DxeImageVerificationLib: tighten default result (CVE-2019-14575)
cb30c8f25162e6d8142c6b098f14c1e4e7f125ce SecurityPkg/DxeImageVerificationLib: plug Data leak in IsForbiddenByDbx() (CVE-2019-14575)
b1c11470598416c89c67b75c991fd0773bcbab9d SecurityPkg/DxeImageVerificationLib: Differentiate error/search result (2) (CVE-2019-14575)
c230c002accc4281ccc57bba7153a9b2d9b9ccd3 SecurityPkg/DxeImageVerificationLib: change IsCertHashFoundInDatabase name (CVE-2019-14575)
The fix is submitted.
SUSE-SU-2020:0495-1: An update that solves four vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 1077330,1094291,1163927,1163959,1163969
CVE References: CVE-2018-0739,CVE-2019-14559,CVE-2019-14563,CVE-2019-14575
Sources used:
SUSE OpenStack Cloud 7 (src): ovmf-2015+git1462940744.321151f-19.10.3
SUSE Linux Enterprise Server for SAP 12-SP2 (src): ovmf-2015+git1462940744.321151f-19.10.3
SUSE Linux Enterprise Server 12-SP2-LTSS (src): ovmf-2015+git1462940744.321151f-19.10.3
SUSE Linux Enterprise Server 12-SP2-BCL (src): ovmf-2015+git1462940744.321151f-19.10.3
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2020:0568-1: An update that fixes four vulnerabilities is now available.
Category: security (moderate)
Bug References: 1153072,1163927,1163959,1163969
CVE References: CVE-2019-14553,CVE-2019-14559,CVE-2019-14563,CVE-2019-14575
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src): ovmf-2017+git1510945757.b2662641d5-5.29.3
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2020:0314-1: An update that fixes four vulnerabilities is now available.
Category: security (moderate)
Bug References: 1153072,1163927,1163959,1163969
CVE References: CVE-2019-14553,CVE-2019-14559,CVE-2019-14563,CVE-2019-14575
Sources used:
openSUSE Leap 15.1 (src): ovmf-2017+git1510945757.b2662641d5-lp151.11.3.1

SUSE-SU-2020:0699-1: An update that fixes four vulnerabilities is now available.
Category: security (low)
Bug References: 1153072,1163927,1163959,1163969
CVE References: CVE-2019-14553,CVE-2019-14559,CVE-2019-14563,CVE-2019-14575
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src): ovmf-2017+git1510945757.b2662641d5-3.23.1
SUSE Linux Enterprise Server 12-SP4 (src): ovmf-2017+git1510945757.b2662641d5-3.23.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Done