GTM-TJ8GRDF
Skip to main content
  1. Home >
  2. Products>
  3. UEFI EDK2 Capsule Update vulnerabilities

UEFI EDK2 Capsule Update vulnerabilities

SERVICE FACTS

Synopsis

The EDK2 UEFI reference implementation contains multiple vulnerabilities in the Capsule Update mechanism.

The open source EDK2 project provides a reference implementation of the Unified Extensible Firmware Interface (UEFI). Researchers at The MITRE Corporation have discovered multiple vulnerabilities in the EDK2 Capsule Update mechanism. UEFI implementations may incorporate portions of the EDK2 source code, including the vulnerable Capsule Update code.

The CVE numbers assigned to this issue are CVE-2014-4859 and CVE-2014-4860 (see Vulnerability Note VU#552286).

Source: CERT Knowledgebase

Threat

UEFI EDK2 Capsule Update vulnerabilities are being rated “6 out of 10” (Base). A local authenticated attacker may be able to execute arbitrary code with the privileges of system firmware, potentially allowing for persistent firmware level rootkits, bypassing of Secure Boot, or permanently DoS'ing the platform.

Source: CERT Knowledgebase

Affected Operating Systems / Products:

The vulnerability might affect MS WINDOWS 7 / 8.x, MS WINDOWS SERVER 2012 in combination with UEFI based systems and “UEFI Boot” settings.

Fujitsu is running a comprehensive audit of all relevant products and systems.

Please consult the most recent list of affected and unaffected products below:

Affected and unaffcted productsOpen a new window (394 KB)

or alternatively contact your service partner.