[0/3] Regarding efibootguard CVE-2023-39950

Message ID 20230816092424.203252-1-michael.adler@siemens.com

Message

Michael Adler Aug. 16, 2023, 9:24 a.m. UTC
Hi all,

A recent CVE [1] has been assigned to efibootguard. Given that SWUpdate
integrates with efibootguard, we investigated its exploitability within
SWUpdate. Our findings indicate that you remain safe as long as you refrain
from using user-defined efibootguard variables - which SWUpdate doesn't do by
default. However, it is possible to write custom Lua code that reads/writes
user-defined variables in which case you **might** be affected.

It's worth noting that while we didn't find a way to exploit the CVE in a
standard SWUpdate deployment, it's still recommended to update to efibootguard
version 0.15 or newer if you're using both SWUpdate and efibootguard.

During my analysis, I discovered some minor issues in SWUpdate's efibootguard
integration. These have been addressed in this patch series.

Kind regards,
  Michael

[1] https://www.cve.org/CVERecord?id=CVE-2023-39950

Michael Adler (3):
  ebg: ensure env_get returns valid strings
  ebg: detailed logging if malloc fails
  ebg: fix integer underflow

 bootloader/ebg.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

Comments

Michael Adler Sept. 19, 2023, 8:08 a.m. UTC | #1
Just a friendly ping so that we don't forget this (it's security-related).

Kind Regards,
  Michael

Stefano Babic Sept. 19, 2023, 9:33 a.m. UTC | #2
On 19.09.23 10:08, 'Michael Adler' via swupdate wrote:
> Just a friendly ping so that we don't forget this (it's security-related).
> 

Thanks for the reminder, I have applied your series to -master.

Best regards,
Stefano

> Kind Regards,
>    Michael
>