1218678 – (CVE-2022-36763) VUL-0: CVE-2022-36763: ovmf: EDK2 is susceptible to a vulnerability in the Tcg2MeasureGptTable() function, allowing a user to trigger a heap buffer overflow via a local network. Successful exploitation of this vulnerability may result in a compromise

Bug 1218678 (CVE-2022-36763) - VUL-0: CVE-2022-36763: ovmf: EDK2 is susceptible to a vulnerability in the Tcg2MeasureGptTable() function, allowing a user to trigger a heap buffer overflow via a local network. Successful exploitation of this vulnerability may result in a compromise

Summary: VUL-0: CVE-2022-36763: ovmf: EDK2 is susceptible to a vulnerability in the T...

Status:	IN_PROGRESS

Alias:	CVE-2022-36763

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Joey Lee
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/390488/
Whiteboard:	CVSSv3.1:SUSE:CVE-2022-36763:7.0:(AV:...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2024-01-10 05:26 UTC by SMASH SMASH
Modified:	2024-05-13 12:17 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description SMASH SMASH 2024-01-10 05:26:46 UTC

EDK2 is susceptible to a vulnerability in the Tcg2MeasureGptTable() function, allowing a user to trigger a heap buffer overflow via a local network. Successful exploitation of this vulnerability may result in a compromise of confidentiality, integrity, and/or availability.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36763
https://www.cve.org/CVERecord?id=CVE-2022-36763
https://github.com/tianocore/edk2/security/advisories/GHSA-xvv8-66cq-prwr

Comment 2 Joey Lee 2024-01-12 05:35:30 UTC

(In reply to SMASH SMASH from comment #0)
> EDK2 is susceptible to a vulnerability in the Tcg2MeasureGptTable()
> function, allowing a user to trigger a heap buffer overflow via a local
> network. Successful exploitation of this vulnerability may result in a
> compromise of confidentiality, integrity, and/or availability.
> 
> References:
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36763
> https://www.cve.org/CVERecord?id=CVE-2022-36763
> https://github.com/tianocore/edk2/security/advisories/GHSA-xvv8-66cq-prwr

I will backport patch in the above edk2 bug after it be merged to edk2 mainline.

Comment 3 Joey Lee 2024-02-06 06:52:47 UTC

(In reply to Joey Lee from comment #2)
> (In reply to SMASH SMASH from comment #0)
> > EDK2 is susceptible to a vulnerability in the Tcg2MeasureGptTable()
> > function, allowing a user to trigger a heap buffer overflow via a local
> > network. Successful exploitation of this vulnerability may result in a
> > compromise of confidentiality, integrity, and/or availability.
> > 
> > References:
> > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36763
> > https://www.cve.org/CVERecord?id=CVE-2022-36763
> > https://github.com/tianocore/edk2/security/advisories/GHSA-xvv8-66cq-prwr
> 
> I will backport patch in the above edk2 bug after it be merged to edk2
> mainline.

Those patches be merged to edk2 mainline. I will backport them.

Comment 5 Joey Lee 2024-05-08 09:20:38 UTC

commit 1ddcb9fc6b4164e882687b031e8beacfcf7df29e                         [edk2-stable202402]
Author: Douglas Flick [MSFT] <doug.edk2@gmail.com>
Date:   Fri Jan 12 02:16:03 2024 +0800

    SecurityPkg: : Adding CVE 2022-36763 to SecurityFixes.yaml

commit 4776a1b39ee08fc45c70c1eab5a0195f325000d3                 [edk2-stable202402]
Author: Douglas Flick [MSFT] <doug.edk2@gmail.com>
Date:   Fri Jan 12 02:16:02 2024 +0800

    SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4117 - CVE 2022-36763

commit 224446543206450ddb5830e6abd026d61d3c7f4b                 [edk2-stable202402]
Author: Douglas Flick [MSFT] <doug.edk2@gmail.com>
Date:   Fri Jan 12 02:16:01 2024 +0800

    SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4117 - CVE 2022-36763

Comment 6 Joey Lee 2024-05-08 15:40:31 UTC

commit 264636d8e6983e0f6dc6be2fca9d84ec81315954
Author: Doug Flick <dougflick@microsoft.com>
Date:   Wed Jan 17 14:47:22 2024 -0800

    SecurityPkg: : Updating SecurityFixes.yaml after symbol rename

commit 326db0c9072004dea89427ea3a44393a84966f2b
Author: Doug Flick <dougflick@microsoft.com>
Date:   Wed Jan 17 14:47:21 2024 -0800

    SecurityPkg: DxeTpmMeasureBootLib: SECURITY PATCH 4117/4118 symbol rename

commit 40adbb7f628dee79156c679fb0857968b61b7620
Author: Doug Flick <dougflick@microsoft.com>
Date:   Wed Jan 17 14:47:20 2024 -0800

    SecurityPkg: DxeTpm2MeasureBootLib: SECURITY PATCH 4117/4118 symbol rename

Comment 7 Joey Lee 2024-05-09 06:10:47 UTC

Backported patches be submitted to 15-SP6 and wait to be merged:

https://build.suse.de/request/show/329676

Comment 10 Joey Lee 2024-05-13 05:03:21 UTC

(In reply to Joey Lee from comment #7)
> Backported patches be submitted to 15-SP6 and wait to be merged:
> 
> https://build.suse.de/request/show/329676

Backported patch be merged to 15-SP6/ovmf

Comment 11 Marcus Meissner 2024-05-13 11:56:59 UTC

Does this affect older ovmf?