
TianoCore EDK II DxeCore Stack Overflow Vulnerability [CVE-2018-12183]

CVE Number – CVE-2018-12183

A vulnerability in the DxeCore component of TianoCore EDK II could allow an unauthenticated, local attacker to gain elevated privileges, access sensitive information, or cause a denial of service (DoS) condition on a targeted system.

The vulnerability is due to a stack overflow condition that exists in the DxeCore component. An attacker with physical access to the targeted system could exploit this vulnerability to gain elevated privileges, access sensitive information, or cause a DoS condition on the system. TianoCore has confirmed the vulnerability and released software updates.

Analysis

  • To exploit this vulnerability, an attacker must have physical access to the targeted system. This access requirement may reduce the likelihood of a successful exploit.

Vendor Announcements

Fixed Software

Duncan

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
