First Last Prev Next    This bug is not in your last search results.
Bug 1174246 - (CVE-2019-14560) VUL-0: CVE-2019-14560: ovmf: improper check of GetEfiGlobalVariable2() return can potentially lead to to secure boot bypass
(CVE-2019-14560)
VUL-0: CVE-2019-14560: ovmf: improper check of GetEfiGlobalVariable2() return...
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Joey Lee
Security Team bot
https://smash.suse.de/issue/263900/
CVSSv3.1:SUSE:CVE-2019-14560:6.1:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2020-07-17 12:36 UTC by Alexandros Toptsoglou
Modified: 2023-03-23 09:39 UTC (History)
6 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alexandros Toptsoglou 2020-07-17 12:36:53 UTC 
CVE-2019-14560

A flaw was found in edk2. Function GetEfiGlobalVariable2() return value is not checked possibly leading to secure boot bypass if an attacker
can cause the API to fail.

References:

https://bugzilla.tianocore.org/show_bug.cgi?id=2167

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1858038
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14560
https://access.redhat.com/security/cve/CVE-2019-14560
Comment 1 Alexandros Toptsoglou 2020-07-17 12:39:10 UTC 
Tracked as affected all codestreams that are: 

SLE12-SP2,SP3,SP4 
SLE15 and SLE15-SP2
Comment 2 Gary Ching-Pang Lin 2020-08-05 06:35:57 UTC 
Although a patch was proposed in edk2 upstream bugzilla, but the developer never sent the patch for review so there is no fix merged into edk2 git now...
First Last Prev Next    This bug is not in your last search results.