Sign-up

ID

VAR-201406-0481


CVE

CVE-2014-2961


TITLE

Unauthorized modification of UEFI variables in UEFI systems

Trust: 0.8

sources: CERT/CC: VU#758382

DESCRIPTION

Certain firmware implementations may not correctly protect and validate information contained in certain UEFI variables. Exploitation of such vulnerabilities could potentially lead to bypass of security features and/or denial of service for the platform. Multiple products UEFI There is a vulnerability in the firmware. Multiple products UEFI The firmware includes OS of API From UEFI Variables 'Setup' There is a vulnerability that can be tampered with. For more information INTEL-SA-00038 Please confirm. INTEL-SA-00038 https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00038&languageid=en-frOS By a user with administrator rights UEFI May be tampered with. as a result, Secure Boot Security functions such as (DoS) There is a possibility of being attacked. UEFI, the full name of \"Unified Extensible Firmware Interface\", is a standard that describes the type interface in detail. On some systems, the operating system API can be used to override this variable, allowing local attackers to exploit the vulnerability to modify UEFI variables. Attackers with physical access to the computer running the vulnerable firmware can exploit this issue to bypass certain security restrictions and trigger denial-of-service conditions. NOTE: Very limited information is currently available regarding this issue. We will update this BID as more information emerges

Trust: 2.25

sources: CERT/CC: VU#758382 // JVNDB: JVNDB-2014-002801 // CNVD: CNVD-2014-03763 // BID: 67947

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2014-03763

AFFECTED PRODUCTS

vendor:intelmodel:nuc with intel core i5 processorscope:eqversion:0

Trust: 0.9

vendor:american megatrends incorporated amimodel: - scope: - version: -

Trust: 0.8

vendor:dell computermodel: - scope: - version: -

Trust: 0.8

vendor:insydemodel: - scope: - version: -

Trust: 0.8

vendor:intelmodel: - scope: - version: -

Trust: 0.8

vendor:lenovomodel: - scope: - version: -

Trust: 0.8

vendor:multiple vendorsmodel: - scope: - version: -

Trust: 0.8

vendor:intelmodel:enhanced protection of uefi variablesscope: - version: -

Trust: 0.6

vendor:intelmodel:nuc with intel core i3 processorscope:eqversion:0

Trust: 0.6

vendor:intelmodel:server system r1000sp familyscope:eqversion:0

Trust: 0.3

vendor:intelmodel:server system r1000rp familyscope:eqversion:0

Trust: 0.3

vendor:intelmodel:server system r1000jp familyscope:eqversion:0

Trust: 0.3

vendor:intelmodel:server system r1000gz familyscope:eqversion:0

Trust: 0.3

vendor:intelmodel:server system r1000gl familyscope:eqversion:0

Trust: 0.3

vendor:intelmodel:server system r1000ep familyscope:eqversion:0

Trust: 0.3

vendor:intelmodel:server system r1000bb familyscope:eqversion:0

Trust: 0.3

vendor:intelmodel:server system p4304btscope:eqversion:0

Trust: 0.3

vendor:intelmodel:server system p4000sc familyscope:eqversion:0

Trust: 0.3

vendor:intelmodel:server system p4000rp familyscope:eqversion:0

Trust: 0.3

vendor:intelmodel:server system p4000ip familyscope:eqversion:0

Trust: 0.3

vendor:intelmodel:server system p4000cp familyscope:eqversion:0

Trust: 0.3

vendor:intelmodel:server system h2000wp familyscope:eqversion:0

Trust: 0.3

vendor:intelmodel:server system h2000lp familyscope:eqversion:0

Trust: 0.3

vendor:intelmodel:server system h2000jf familyscope:eqversion:0

Trust: 0.3

vendor:intelmodel:server board s5520urscope:eqversion:0

Trust: 0.3

vendor:intelmodel:server board s5520hctscope:eqversion:0

Trust: 0.3

vendor:intelmodel:server board s5520hcscope:eqversion:0

Trust: 0.3

vendor:intelmodel:server board s5500wbscope:eqversion:0

Trust: 0.3

vendor:intelmodel:server board s5500hcvscope:eqversion:0

Trust: 0.3

vendor:intelmodel:server board s5500bcscope:eqversion:0

Trust: 0.3

vendor:intelmodel:server board s4600lt familyscope:eqversion:0

Trust: 0.3

vendor:intelmodel:server board s4600lh familyscope:eqversion:0

Trust: 0.3

vendor:intelmodel:server board s3420gpscope:eqversion:0

Trust: 0.3

vendor:intelmodel:server board s2600wpscope:eqversion:0

Trust: 0.3

vendor:intelmodel:server board s2600jfscope:eqversion:0

Trust: 0.3

vendor:intelmodel:server board s2600ip familyscope:eqversion:0

Trust: 0.3

vendor:intelmodel:server board s2600gzscope:eqversion:0

Trust: 0.3

vendor:intelmodel:server board s2600glscope:eqversion:0

Trust: 0.3

vendor:intelmodel:server board s2600cp familyscope:eqversion:0

Trust: 0.3

vendor:intelmodel:server board s2600co familyscope:eqversion:0

Trust: 0.3

vendor:intelmodel:server board s2400sc familyscope:eqversion:0

Trust: 0.3

vendor:intelmodel:server board s2400lp familyscope:eqversion:0

Trust: 0.3

vendor:intelmodel:server board s2400gp familyscope:eqversion:0

Trust: 0.3

vendor:intelmodel:server board s2400ep familyscope:eqversion:0

Trust: 0.3

vendor:intelmodel:server board s2400bbscope:eqversion:0

Trust: 0.3

vendor:intelmodel:server board s1600jp familyscope:eqversion:0

Trust: 0.3

vendor:intelmodel:server board s1400sp familyscope:eqversion:0

Trust: 0.3

vendor:intelmodel:server board s1400fp familyscope:eqversion:0

Trust: 0.3

vendor:intelmodel:server board s1200rpscope:eqversion:0

Trust: 0.3

vendor:intelmodel:server board s1200kpscope:eqversion:0

Trust: 0.3

vendor:intelmodel:server board s1200btscope:eqversion:0

Trust: 0.3

vendor:intelmodel:quark soc transportation reference designscope:eqversion:x10001.0.1

Trust: 0.3

vendor:intelmodel:quark soc industrial/energy reference designscope:eqversion:x10001.0.1

Trust: 0.3

vendor:intelmodel:nuc with intel celeron processorscope:eqversion:0

Trust: 0.3

vendor:intelmodel:nuc with intel atom processorscope:eqversion:0

Trust: 0.3

vendor:intelmodel:galileo board generationscope:eqversion:21.0.1

Trust: 0.3

vendor:intelmodel:galileo boardscope:eqversion:1.0.1

Trust: 0.3

sources: CERT/CC: VU#758382 // CNVD: CNVD-2014-03763 // BID: 67947 // JVNDB: JVNDB-2014-002801

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2014-2961
value: MEDIUM

Trust: 0.8

IPA: JVNDB-2014-002801
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2014-03763
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201406-740
value: MEDIUM

Trust: 0.6

NVD: CVE-2014-2961
severity: MEDIUM
baseScore: 6.0
vectorString: NONE
accessVector: LOCAL
accessComplexity: HIGH
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 1.5
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

IPA: JVNDB-2014-002801
severity: MEDIUM
baseScore: 6.0
vectorString: AV:L/AC:H/AU:S/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: HIGH
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2014-03763
severity: MEDIUM
baseScore: 6.0
vectorString: AV:L/AC:H/AU:S/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: HIGH
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 1.5
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

sources: CERT/CC: VU#758382 // CNVD: CNVD-2014-03763 // JVNDB: JVNDB-2014-002801 // CNNVD: CNNVD-201406-740

THREAT TYPE

local

Trust: 0.9

sources: BID: 67947 // CNNVD: CNNVD-201406-740

TYPE

Design Error

Trust: 0.3

sources: BID: 67947

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2014-002801

EXPLOIT AVAILABILITY
sources:
            
            
            CERT/CC: VU#758382

PATCH
title:Enhanced Protection of UEFI Variablesurl:https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00038&languageid=en-fr
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2014-002801

EXTERNAL IDS
db:CERT/CCid:VU#758382
Trust: 2.8
db:NVDid:CVE-2014-2961
Trust: 2.3
db:JVNid:JVNVU94501306
Trust: 1.4
db:BIDid:67947
Trust: 0.9
db:JVNDBid:JVNDB-2014-002801
Trust: 0.8
db:CNVDid:CNVD-2014-03763
Trust: 0.6
db:CNNVDid:CNNVD-201406-740
Trust: 0.6
sources:
            
            
            CERT/CC: VU#758382 // 
            
            
            
            CNVD: CNVD-2014-03763 // 
            
            
            
            BID: 67947 // 
            
            
            
            JVNDB: JVNDB-2014-002801 // 
            
            
            
            CNNVD: CNNVD-201406-740

REFERENCES
url:http://haxpo.nl/hitb2014ams-kallenberg-cornwell-kovah-butterworth/
Trust: 3.1
url:http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicus-question-your-assumptions-about
Trust: 2.5
url:http://www.kb.cert.org/vuls/id/758382
Trust: 2.0
url:https://security-center.intel.com/advisory.aspx?intelid=intel-sa-00038&languageid=en-fr
Trust: 1.7
url:http://jvn.jp/vu/jvnvu94501306/index.html
Trust: 1.4
url:https://cansecwest.com/slides/2014/allyourboot_csw14-intel-final.pdf
Trust: 1.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-2961
Trust: 0.8
url:https://security-center.intel.com/advisory.aspx?intelid=intel-sa-00038
Trust: 0.6
sources:
            
            
            CERT/CC: VU#758382 // 
            
            
            
            CNVD: CNVD-2014-03763 // 
            
            
            
            BID: 67947 // 
            
            
            
            JVNDB: JVNDB-2014-002801 // 
            
            
            
            CNNVD: CNNVD-201406-740

CREDITS
Corey Kallenberg, Xeno Kovah, John Butterworth, and Sam Cornwell of MITRE Corporation
Trust: 0.3
sources:
            
            
            BID: 67947

SOURCES
db:CERT/CCid:VU#758382
db:CNVDid:CNVD-2014-03763
db:BIDid:67947
db:JVNDBid:JVNDB-2014-002801
db:CNNVDid:CNNVD-201406-740

LAST UPDATE DATE
2024-09-09T23:11:46.161000+00:00

SOURCES UPDATE DATE
db:CERT/CCid:VU#758382date:2015-02-03T00:00:00
db:CNVDid:CNVD-2014-03763date:2014-06-19T00:00:00
db:BIDid:67947date:2014-06-09T00:00:00
db:JVNDBid:JVNDB-2014-002801date:2014-06-11T00:00:00
db:CNNVDid:CNNVD-201406-740date:2015-09-17T00:00:00

SOURCES RELEASE DATE
db:CERT/CCid:VU#758382date:2014-06-09T00:00:00
db:CNVDid:CNVD-2014-03763date:2014-06-19T00:00:00
db:BIDid:67947date:2014-06-09T00:00:00
db:JVNDBid:JVNDB-2014-002801date:2014-06-11T00:00:00
db:CNNVDid:CNNVD-201406-740date:2014-06-11T00:00:00