USN-4349-1: EDK II vulnerabilities
First published: Thu Apr 30 2020(Updated: )
A buffer overflow was discovered in the network stack. An unprivileged user could potentially enable escalation of privilege and/or denial of service. This issue was already fixed in a previous release for 18.04 LTS and 19.10. (CVE-2018-12178) A buffer overflow was discovered in BlockIo service. An unauthenticated user could potentially enable escalation of privilege, information disclosure and/or denial of service. This issue was already fixed in a previous release for 18.04 LTS and 19.10. (CVE-2018-12180) A stack overflow was discovered in bmp. An unprivileged user could potentially enable denial of service or elevation of privilege via local access. This issue was already fixed in a previous release for 18.04 LTS and 19.10. (CVE-2018-12181) It was discovered that memory was not cleared before free that could lead to potential password leak. (CVE-2019-14558) A memory leak was discovered in ArpOnFrameRcvdDpc. An attacker could possibly use this issue to cause a denial of service or other unspecified impact. (CVE-2019-14559) An integer overflow was discovered in MdeModulePkg/PiDxeS3BootScriptLib. An attacker could possibly use this issue to cause a denial of service or other unspecified impact. (CVE-2019-14563) It was discovered that the affected version doesn't properly check whether an unsigned EFI file should be allowed or not. An attacker could possibly load unsafe content by bypassing the verification. (CVE-2019-14575) It was discovered that original configuration runtime memory is freed, but it is still exposed to the OS runtime. (CVE-2019-14586) A double-unmap was discovered in TRB creation. An attacker could use it to cause a denial of service or other unspecified impact. (CVE-2019-14587)
| Affected Software | Affected Version | How to fix |
|---|---|---|
| All of | ||
| ubuntu/ovmf | <0~20190606.20d2e5a1-2ubuntu1.1 | 0~20190606.20d2e5a1-2ubuntu1.1 |
| =19.10 | ||
| All of | ||
| ubuntu/qemu-efi-aarch64 | <0~20190606.20d2e5a1-2ubuntu1.1 | 0~20190606.20d2e5a1-2ubuntu1.1 |
| =19.10 | ||
| All of | ||
| ubuntu/qemu-efi-arm | <0~20190606.20d2e5a1-2ubuntu1.1 | 0~20190606.20d2e5a1-2ubuntu1.1 |
| =19.10 | ||
| All of | ||
| ubuntu/ovmf | <0~20180205.c0d9813c-2ubuntu0.2 | 0~20180205.c0d9813c-2ubuntu0.2 |
| =18.04 | ||
| All of | ||
| ubuntu/qemu-efi-aarch64 | <0~20180205.c0d9813c-2ubuntu0.2 | 0~20180205.c0d9813c-2ubuntu0.2 |
| =18.04 | ||
| All of | ||
| ubuntu/qemu-efi-arm | <0~20180205.c0d9813c-2ubuntu0.2 | 0~20180205.c0d9813c-2ubuntu0.2 |
| =18.04 | ||
| All of | ||
| ubuntu/ovmf | <0~20160408.ffea0a2c-2ubuntu0.1 | 0~20160408.ffea0a2c-2ubuntu0.1 |
| =16.04 | ||
| All of | ||
| ubuntu/qemu-efi | <0~20160408.ffea0a2c-2ubuntu0.1 | 0~20160408.ffea0a2c-2ubuntu0.1 |
| =16.04 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://ubuntu.com/security/CVE-2018-12178
- https://ubuntu.com/security/CVE-2018-12180
- https://ubuntu.com/security/CVE-2018-12181
- https://ubuntu.com/security/CVE-2019-14558
- https://ubuntu.com/security/CVE-2019-14559
- https://ubuntu.com/security/CVE-2019-14563
- https://ubuntu.com/security/CVE-2019-14575
- https://ubuntu.com/security/CVE-2019-14586
- https://ubuntu.com/security/CVE-2019-14587
- https://launchpad.net/ubuntu/+source/edk2/0~20190606.20d2e5a1-2ubuntu1.1
- https://launchpad.net/ubuntu/+source/edk2/0~20180205.c0d9813c-2ubuntu0.2
- https://launchpad.net/ubuntu/+source/edk2/0~20160408.ffea0a2c-2ubuntu0.1
- https://ubuntu.com/security/notices/USN-4349-1 (Advisory)
Child vulnerabilities
(Contains the following vulnerabilities)
Frequently Asked Questions
What is the severity of USN-4349-1?
The severity of USN-4349-1 is moderate.
Which software packages are affected by USN-4349-1?
The affected software packages are ovmf, qemu-efi-aarch64, qemu-efi-arm.
How can an unprivileged user exploit the vulnerability in USN-4349-1?
An unprivileged user can exploit the vulnerability in USN-4349-1 by triggering a buffer overflow in the network stack or BlockIo service.
Are there any fixes available for USN-4349-1?
Yes, the vulnerability has been fixed in a previous release for Ubuntu 18.04 LTS and 19.10.
Where can I find more information about USN-4349-1?
You can find more information about USN-4349-1 on the Ubuntu security advisory page.
- agent/severity
- agent/weakness
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- agent/softwarecombine
- agent/event
- agent/description
- agent/title
- agent/tags
- agent/references
- collector/usn
- source/Ubuntu
- agent/software-canonical-lookup
- agent/trending
- package-manager/ubuntu
- vendor/ubuntu
- canonical/ubuntu ubuntu
- version/ubuntu ubuntu/19.10
- version/ubuntu ubuntu/18.04
- version/ubuntu ubuntu/16.04