Integer overflow in edk2 - CVE-2014-4859

 


Published: January 31, 2020 / Updated: August 8, 2020


Vulnerability identifier: #VU34844
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2014-4859
CWE-ID: CWE-190
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: TianoCore
Affected software:
edk2

Detailed vulnerability description

The vulnerability allows a local non-authenticated attacker to execute arbitrary code.

Integer overflow in the Driver Execution Environment (DXE) phase in the Capsule Update feature in the UEFI implementation in EDK2 allows physically proximate attackers to bypass intended access restrictions via crafted data.


How to mitigate CVE-2014-4859

Install the update from the vendor's website.
