Bug 1174246 (CVE-2019-14560) - VUL-0: CVE-2019-14560: ovmf: improper check of GetEfiGlobalVariable2() return can potentially lead to secure boot bypass
Summary: VUL-0: CVE-2019-14560: ovmf: improper check of GetEfiGlobalVariable2() return...
Status: RESOLVED FIXED
Alias: CVE-2019-14560
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium    Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/263900/
Whiteboard: CVSSv3.1:SUSE:CVE-2019-14560:6.1:(AV:...
Reported: 2020-07-17 12:36 UTC by Alexandros Toptsoglou
Modified: 2024-06-07 07:41 UTC

Found By: Security Response Team
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Alexandros Toptsoglou 2020-07-17 12:36:53 UTC
CVE-2019-14560

A flaw was found in edk2. The return value of the function GetEfiGlobalVariable2() is not checked, possibly leading to a secure boot bypass if an attacker can cause the API to fail.

References:

https://bugzilla.tianocore.org/show_bug.cgi?id=2167
https://bugzilla.redhat.com/show_bug.cgi?id=1858038
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14560
https://access.redhat.com/security/cve/CVE-2019-14560
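To make the failure mode in the description concrete, here is an added illustration that is neither edk2 source nor part of this bug report: a mock GetEfiGlobalVariable2() that can be forced to fail, a caller that discards the status and reads a NULL result as "no SecureBoot variable, skip verification" (fail-open), and a caller that checks the status and denies the image on any error other than EFI_NOT_FOUND (fail-closed). The UEFI type stand-ins, the mock variable store, the policy functions and the rule that only EFI_NOT_FOUND means "variable absent" are all constructed assumptions for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Stand-ins for UEFI status codes, modelled on the edk2 encoding (constructed for this example). */
typedef uintptr_t EFI_STATUS;
#define MAX_BIT              ((EFI_STATUS)1 << (8 * sizeof (EFI_STATUS) - 1))
#define EFI_SUCCESS          ((EFI_STATUS)0)
#define EFI_OUT_OF_RESOURCES (MAX_BIT | (EFI_STATUS)9)
#define EFI_NOT_FOUND        (MAX_BIT | (EFI_STATUS)14)
#define EFI_ERROR(s)         (((s) & MAX_BIT) != 0)
#define SECURE_BOOT_MODE_DISABLE 0
typedef enum { VERIFY_SKIP, VERIFY_REQUIRED, VERIFY_DENY } policy_t;

/* Mock variable store: callers choose what the lookup returns and what "SecureBoot" holds. */
static EFI_STATUS mock_status = EFI_SUCCESS;
static uint8_t    mock_secure_boot = 1;
static void set_mock(EFI_STATUS status, uint8_t value) { mock_status = status; mock_secure_boot = value; }

/* Mock GetEfiGlobalVariable2(): on success *Value is a heap copy the caller frees;
 * on any failure *Value stays NULL, the ambiguity the CVE description hinges on. */
static EFI_STATUS GetEfiGlobalVariable2(const char *Name, void **Value, size_t *Size) {
  *Value = NULL;
  if (EFI_ERROR(mock_status)) return mock_status;
  if (strcmp(Name, "SecureBoot") != 0) return EFI_NOT_FOUND;
  uint8_t *copy = malloc(1);
  if (copy == NULL) return EFI_OUT_OF_RESOURCES;
  *copy = mock_secure_boot; *Value = copy;
  if (Size) *Size = 1;
  return EFI_SUCCESS;
}

/* Vulnerable: status discarded, NULL read as "variable absent", so a forced failure skips verification (fail-open). */
static policy_t image_policy_unchecked(void) {
  uint8_t *sb = NULL;
  GetEfiGlobalVariable2("SecureBoot", (void **)&sb, NULL);
  if (sb == NULL) return VERIFY_SKIP;
  policy_t p = (*sb == SECURE_BOOT_MODE_DISABLE) ? VERIFY_SKIP : VERIFY_REQUIRED;
  free(sb);
  return p;
}

/* Hardened: only EFI_NOT_FOUND means "no SecureBoot variable"; any other error denies the image (fail-closed). */
static policy_t image_policy_checked(void) {
  uint8_t *sb = NULL;
  EFI_STATUS st = GetEfiGlobalVariable2("SecureBoot", (void **)&sb, NULL);
  if (st == EFI_NOT_FOUND) return VERIFY_SKIP;
  if (EFI_ERROR(st) || sb == NULL) return VERIFY_DENY;
  policy_t p = (*sb == SECURE_BOOT_MODE_DISABLE) ? VERIFY_SKIP : VERIFY_REQUIRED;
  free(sb);
  return p;
}
```

Forcing the mock to return EFI_OUT_OF_RESOURCES shows the difference: the unchecked caller skips verification, the checked caller denies the image, while both behave identically when the variable is present or genuinely absent.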
Comment 1 Alexandros Toptsoglou 2020-07-17 12:39:10 UTC
Tracked as affected all codestreams, that is:

SLE12-SP2, SP3, SP4
SLE15 and SLE15-SP2
Comment 2 Gary Ching-Pang Lin 2020-08-05 06:35:57 UTC
Although a patch was proposed in the edk2 upstream bugzilla, the developer never sent the patch for review, so there is no fix merged into edk2 git now...
Comment 19 Joey Lee 2023-04-19 08:20:57 UTC
- SUSE:SLE-12-SP2:Update/ovmf  2015+git1462940744.321151f       [sent, IBS SR#295124]
- SUSE:SLE-12-SP3:Update/ovmf  2017+git1492060560.b6d11d7c46    [sent, IBS SR#295116]
- SUSE:SLE-12-SP4:Update/ovmf  2017+git1510945757.b2662641d5    [sent, IBS SR#295104]
- SUSE:SLE-15-SP2:Update/ovmf  201911           [accepted, IBS SR#294942]
- SUSE:SLE-15-SP3:Update/ovmf  202008           [accepted, IBS SR#294651]
- SUSE:SLE-15-SP4:Update/ovmf  202202
- SUSE:SLE-15-SP5:GA           202208           [sent, IBS SR#294652]
- SUSE:SLE-15:Update/ovmf      2017+git1510945757.b2662641d5    [accepted, IBS SR#295084]
- openSUSE:Factory/ovmf        202302
Comment 21 Maintenance Automation 2023-04-19 20:30:03 UTC
SUSE-SU-2023:1921-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1174246, 1196741
CVE References: CVE-2019-14560, CVE-2021-38578
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): ovmf-201911-150200.7.27.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): ovmf-201911-150200.7.27.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): ovmf-201911-150200.7.27.1
SUSE Enterprise Storage 7 (src): ovmf-201911-150200.7.27.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 22 Maintenance Automation 2023-04-21 12:30:08 UTC
SUSE-SU-2023:1941-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1174246, 1196741
CVE References: CVE-2019-14560, CVE-2021-38578
Sources used:
SUSE OpenStack Cloud 9 (src): ovmf-2017+git1510945757.b2662641d5-3.41.2
SUSE OpenStack Cloud Crowbar 9 (src): ovmf-2017+git1510945757.b2662641d5-3.41.2
SUSE Linux Enterprise Server for SAP Applications 12 SP4 (src): ovmf-2017+git1510945757.b2662641d5-3.41.2
SUSE Linux Enterprise Server 12 SP4 ESPOS 12-SP4 (src): ovmf-2017+git1510945757.b2662641d5-3.41.2
SUSE Linux Enterprise Server 12 SP4 LTSS 12-SP4 (src): ovmf-2017+git1510945757.b2662641d5-3.41.2
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): ovmf-2017+git1510945757.b2662641d5-3.41.2
SUSE Linux Enterprise Server 12 SP5 (src): ovmf-2017+git1510945757.b2662641d5-3.41.2
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): ovmf-2017+git1510945757.b2662641d5-3.41.2
Comment 23 Maintenance Automation 2023-04-21 12:30:09 UTC
SUSE-SU-2023:1940-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1174246, 1196741
CVE References: CVE-2019-14560, CVE-2021-38578
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): ovmf-2017+git1510945757.b2662641d5-150000.5.46.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): ovmf-2017+git1510945757.b2662641d5-150000.5.46.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): ovmf-2017+git1510945757.b2662641d5-150000.5.46.1
SUSE CaaS Platform 4.0 (src): ovmf-2017+git1510945757.b2662641d5-150000.5.46.1
Comment 24 Maintenance Automation 2023-04-24 12:30:04 UTC
SUSE-SU-2023:1958-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1174246, 1196741
CVE References: CVE-2019-14560, CVE-2021-38578
Sources used:
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): ovmf-202008-150300.10.20.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): ovmf-202008-150300.10.20.1
SUSE Linux Enterprise Real Time 15 SP3 (src): ovmf-202008-150300.10.20.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): ovmf-202008-150300.10.20.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): ovmf-202008-150300.10.20.1
SUSE Manager Proxy 4.2 (src): ovmf-202008-150300.10.20.1
SUSE Manager Retail Branch Server 4.2 (src): ovmf-202008-150300.10.20.1
SUSE Manager Server 4.2 (src): ovmf-202008-150300.10.20.1
SUSE Enterprise Storage 7.1 (src): ovmf-202008-150300.10.20.1
SUSE Linux Enterprise Micro 5.1 (src): ovmf-202008-150300.10.20.1
SUSE Linux Enterprise Micro 5.2 (src): ovmf-202008-150300.10.20.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): ovmf-202008-150300.10.20.1
Comment 25 Maintenance Automation 2023-04-24 16:30:05 UTC
SUSE-SU-2023:1968-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1174246, 1196741
CVE References: CVE-2019-14560, CVE-2021-38578
Sources used:
SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2 (src): ovmf-2015+git1462940744.321151f-19.26.1
Comment 27 Joey Lee 2023-05-13 04:04:54 UTC
- SUSE:SLE-12-SP2:Update/ovmf  2015+git1462940744.321151f       [accepted, IBS SR#295124]
- SUSE:SLE-12-SP3:Update/ovmf  2017+git1492060560.b6d11d7c46    [accepted, IBS SR#295116]
- SUSE:SLE-12-SP4:Update/ovmf  2017+git1510945757.b2662641d5    [accepted, IBS SR#295104]
- SUSE:SLE-15-SP2:Update/ovmf  201911           [accepted, IBS SR#294942]
- SUSE:SLE-15-SP3:Update/ovmf  202008           [accepted, IBS SR#294651]
- SUSE:SLE-15-SP4:Update/ovmf  202202           [sent, IBS SR#298093]
- SUSE:SLE-15-SP5:GA           202208           [accepted, IBS SR#294652]
- SUSE:SLE-15:Update/ovmf      2017+git1510945757.b2662641d5    [accepted, IBS SR#295084]
- openSUSE:Factory/ovmf        202302
Comment 29 Joey Lee 2023-05-13 07:23:01 UTC
(In reply to Joey Lee from comment #27)
[...snip]
> - SUSE:SLE-15-SP4:Update/ovmf  202202           [sent, IBS SR#298093]

Re-submit to 15-SP4 with bsc#1196741 fixing:

https://build.suse.de/request/show/298094
Comment 30 Maintenance Automation 2023-05-17 16:30:26 UTC
SUSE-SU-2023:2234-1: An update that solves two vulnerabilities and has one fix can now be installed.

Category: security (important)
Bug References: 1174246, 1196741, 1205613
CVE References: CVE-2019-14560, CVE-2021-38578
Sources used:
openSUSE Leap Micro 5.3 (src): ovmf-202202-150400.5.10.1
openSUSE Leap 15.4 (src): ovmf-202202-150400.5.10.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): ovmf-202202-150400.5.10.1
SUSE Linux Enterprise Micro 5.3 (src): ovmf-202202-150400.5.10.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): ovmf-202202-150400.5.10.1
SUSE Linux Enterprise Micro 5.4 (src): ovmf-202202-150400.5.10.1
Server Applications Module 15-SP4 (src): ovmf-202202-150400.5.10.1
Comment 31 Joey Lee 2023-06-13 09:42:36 UTC
(In reply to Joey Lee from comment #29)
> (In reply to Joey Lee from comment #27)
> [...snip]
> > - SUSE:SLE-15-SP4:Update/ovmf  202202           [sent, IBS SR#298093]
> 
> Re-submit to 15-SP4 with bsc#1196741 fixing:
> 
> https://build.suse.de/request/show/298094

The patch has been merged to SLE/ovmf. Reset assignee.