#VU70612 Input validation error in edk2 - CVE-2019-11098

Cybersecurity Help s.r.o.

Published: 2023-01-02

Vulnerability identifier: #VU70612

Vulnerability risk: Low

CVSSv4.0: 4 [CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-11098

CWE-ID: CWE-20

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
edk2
Hardware solutions / Firmware

Vendor: TianoCore

Description

The vulnerability allows an attacker to compromise the affected system.

The vulnerability exists due to insufficient validation of user-supplied input in MdeModulePkg. An attacker with physical access to the affected system can execute arbitrary code.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

edk2: All versions

External links
https://edk2-docs.gitbook.io/security-advisory/bootguard-toctou-vulnerability

Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

SUSE update for ovmf

openEuler 22.03 LTS update for edk2

openEuler 20.03 LTS SP3 update for edk2

openEuler 20.03 LTS SP1 update for edk2

Ubuntu update for edk2

Code execution in edk2