[ltp] UEFI firmware updates for "BIOS Extreme Privilege Escalation"

Martin Schuster (IFKL IT OS DC CD) linux-thinkpad@linux-thinkpad.org
Thu, 23 Oct 2014 08:48:47 +0200


On 2014-10-22 21:41, Jochen Spieker wrote:
> [...]
> Not strictly Linux-related but I guess many of us need to patch their
> systems:
>
> http://support.lenovo.com/us/en/product_security/uefi_edk2
>
Thanks Jochen!

Does someone know if this is as bad as the description on
http://www.kb.cert.org/vuls/id/552286
makes it sound ("A local authenticated attacker may be able to execute
arbitrary code with the privileges of system firmware"), or does it
require actual root-access to exploit?

cheers,
-- 
Infineon Technologies IT-Services GmbH     Martin.Schuster1@infineon.com
Lakeside B05, 9020 Klagenfurt, Austria     Martin Schuster
          FB: LG Klagenfurt, FN 246787y     +43 5 1777 3517

