{"vuid":"VU#533140","idnumber":"533140","name":"Tianocore UEFI implementation reclaim function vulnerable to buffer overflow","keywords":["UEFI","buffer overflow","EDK","Tianocore"],"overview":"The reclaim function in the Tianocore open source implementation of UEFI contains a buffer overflow vulnerability.","clean_desc":"The open source Tianocore project provides a reference implementation of the Unified Extensible Firmware Interface (UEFI). Some commercial UEFI implementations incorporate portions of the Tianocore source code. According to Rafal Wojtczuk of Bromium and Corey Kallenberg of The MITRE Corporation, a buffer overflow vulnerability exists in the Reclaim function. Corey Kallenberg describes the vulnerability as follows: \"UEFI utilizes various non-volatile variables to communicate information back and forth between the operating system and the firmware; for instance, boot order, platform language, etc. These non-volatile variables are stored in a file-system like region on the SPI flash chip. This file-system supports many operations such as deleting existing variables, creating new variables, and defragmenting the variable region in order to reclaim unused space. This latter operation is important to ensure that large variables can be created in the event the variable region is resource constrained and fragmented with many unused \"free slots.\" We have discovered a buffer overflow associated with this 'reclaim' operation.\" Please note that this issue is unlikely to be directly exposed to an attacker. In order to exploit this issue, a separate vulnerability must allow prior modification of the SPI flash to enable the attacker to introduce valid variable headers after the end of the variable storage area.","impact":"The consequences and exploitability of this bug will vary based on the particular firmware implementation. A local attacker may be able to perform an arbitrary reflash of the platform firmware and escalate privileges or perform a denial of service attack by rendering the system inoperable.","resolution":"The vulnerable code is patched in EDK2 SVN revision 16280. This issue is still present in EDK1 which is no longer supported. Vendor-specific UEFI fimware derived from Tianocore may be affected. Please see the Vendor Information section below to determine if your system may be affected. We are continuing to communicate with vendors as they investigate these vulnerabilities.","workarounds":"","sysaffected":"","thanks":"Thanks to Rafal Wojtczuk of Bromium and Corey Kallenberg of The MITRE Corporation for reporting this vulnerability.","author":"","public":["https://github.com/tianocore/edk/blob/master/Sample/Universal/Variable/RuntimeDxe/FS/FSVariable.c#L348-L352","http://sourceforge.net/p/edk2/code/16280/","http://tianocore.sourceforge.net/wiki/Security","http://support.lenovo.com/us/en/product_security/uefi_variable_reclaim"],"cveids":["CVE-2014-8271"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2014-09-08T11:38:50Z","publicdate":"2014-12-28T00:00:00Z","datefirstpublished":"2015-01-05T14:22:39Z","dateupdated":"2015-02-03T15:12:08Z","revision":54,"vrda_d1_directreport":"1","vrda_d1_population":"3","vrda_d1_impact":"3","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"L","cvss_accesscomplexity":"H","cvss_authentication":null,"cvss_confidentialityimpact":"C","cvss_integrityimpact":"C","cvss_availabilityimpact":"C","cvss_exploitablity":null,"cvss_remediationlevel":"ND","cvss_reportconfidence":"ND","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"M","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"6","cvss_basevector":"AV:L/AC:H/Au:S/C:C/I:C/A:C","cvss_temporalscore":"5.1","cvss_environmentalscore":"3.837984192","cvss_environmentalvector":"CDP:ND/TD:M/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}