EDK2 NetworkPkg IP stack implementation is vulnerable: a high-risk IT security vulnerability! Alert receives an update

by admin

As the BSI reports, an IT security alert regarding a known vulnerability in the EDK2 NetworkPkg IP stack implementation has received an update. Here at news.de you can read which systems and products are affected by the security holes.

On May 21, 2024, the Federal Office for Information Security (BSI) issued an update to a high-risk security vulnerability in the EDK2 NetworkPkg IP stack implementation that was first reported on January 16, 2024. The vulnerability affects the operating system BIOS/firmware and the products Debian Linux, Amazon Linux 2, Red Hat Enterprise Linux, Fedora Linux, Ubuntu Linux, Oracle Linux, Dell Computer, HPE Synergy, HPE ProLiant, Dell BIOS, Lenovo Computer, Insyde UEFI Firmware, RESF Rocky Linux and Dell PowerEdge.

The latest manufacturer recommendations on updates, workarounds and security patches for this vulnerability can be found here: Red Hat Security Advisory RHSA-2024:3017 (from May 22, 2024). Further useful resources are listed later in this article.

Multiple vulnerabilities in the EDK2 NetworkPkg IP stack implementation – Risk: high

Risk level: 4 (high)
CVSS Base Score: 8.3
CVSS Temporal Score: 7.2
Remote attack: Yes

The Common Vulnerability Scoring System (CVSS) is used to assess the severity of security vulnerabilities in computer systems. The CVSS standard makes it possible to compare potential or actual security risks on the basis of various criteria in order to create a priority list for countermeasures. The ratings "none", "low", "medium", "high" and "critical" are used to describe the severity levels of a vulnerability. The Base Score rates the prerequisites of an attack (including authentication, complexity, privileges and user interaction) and its consequences. Temporal scores additionally take into account changes in the risk situation over time. According to CVSS, the present vulnerability is rated "high" with a base score of 8.3.

EDK2 NetworkPkg IP stack implementation bug: vulnerability and CVE numbers

InsydeH2O UEFI BIOS is a proprietary, licensed UEFI BIOS firmware that supports Intel- and AMD-based computers.


An attacker on an adjacent network or a remote, anonymous attacker can exploit several vulnerabilities in the EDK2 NetworkPkg IP stack implementation to execute arbitrary code, disclose sensitive information and cause a denial of service.

Vulnerabilities are catalogued in the CVE (Common Vulnerabilities and Exposures) reference system using individual serial numbers: CVE-2023-45229, CVE-2023-45230, CVE-2023-45231, CVE-2023-45232, CVE-2023-45233, CVE-2023-45234, … and CVE-2023-45237.

Systems affected by the security hole at a glance

Platforms
BIOS/Firmware

Products
Debian Linux (cpe:/o:debian:debian_linux)
Amazon Linux 2 (cpe:/o:amazon:linux_2)
Red Hat Enterprise Linux (cpe:/o:redhat:enterprise_linux)
Fedora Linux (cpe:/o:fedoraproject:fedora)
Ubuntu Linux (cpe:/o:canonical:ubuntu_linux)
Oracle Linux (cpe:/o:oracle:linux)
Dell Computer (cpe:/o:dell:dell_computer)
HPE Synergy (cpe:/h:hpe:synergy)
HPE ProLiant (cpe:/h:hp:proliant)
Dell BIOS (cpe:/h:dell:bios)
Lenovo Computer (cpe:/h:lenovo:laptop)
Insyde UEFI Firmware Kernel
RESF Rocky Linux (cpe:/o:resf:rocky_linux)
Dell PowerEdge T30
Dell PowerEdge T40

General recommendations for dealing with IT security gaps

  1. Users of affected systems should keep them up to date. When security holes become known, manufacturers are obliged to fix them quickly by developing a patch or workaround. If security patches are available, install them immediately.
  2. For further information, see the sources listed in the next section. These usually contain additional details about the latest version of the software in question and the availability of security patches or workarounds.
  3. If you have further questions or uncertainties, please contact your responsible administrator. IT security officers should regularly check whether the manufacturers affected by an IT security alert have released a new security update.

Manufacturer information about updates, patches and workarounds

Below you will find links with information about bug reports, security fixes and workarounds.

Red Hat Security Advisory RHSA-2024:3017 from 2024-05-22 (21.05.2024)
Red Hat Security Advisory RHSA-2024:2264 from 2024-04-30 (29.04.2024)
Oracle Linux Security Advisory ELSA-2024-12343 from 2024-04-25 (24.04.2024)
Oracle Linux Security Advisory ELSA-2024-20865 from 2024-04-25 (24.04.2024)
Dell Security Advisory DSA-2023-344 from 2024-04-18 (17.04.2024)
Red Hat Security Advisory RHSA-2024:1722 from 2024-04-09 (09.04.2024)
HPE Security Bulletin HPESBHF04593 rev.1 from 2024-04-03 (03.04.2024)
Red Hat Security Advisory RHSA-2024:1415 from 2024-03-19 (19.03.2024)
Rocky Linux Security Advisory RLSA-2024:1063 from 2024-03-12 (12.03.2024)
Red Hat Security Advisory RHSA-2024:1305 from 2024-03-13 (12.03.2024)
Oracle Linux Security Advisory ELSA-2024-1075 from 2024-03-08 (10.03.2024)
Oracle Linux Security Advisory ELSA-2024-1063 from 2024-03-06 (06.03.2024)
Amazon Linux Security Advisory ALAS-2024-2483 from 2024-03-05 (04.03.2024)
Red Hat Security Advisory RHSA-2024:1076 from 2024-03-05 (04.03.2024)
Red Hat Security Advisory RHSA-2024:1075 from 2024-03-05 (04.03.2024)
Red Hat Security Advisory RHSA-2024:1077 from 2024-03-05 (04.03.2024)
Red Hat Security Advisory RHSA-2024:1063 from 2024-03-04 (03.03.2024)
Red Hat Security Advisory RHSA-2024:1013 from 2024-02-28 (27.02.2024)
Fedora Security Advisory FEDORA-2024-A9DEAD34C5 from 2024-02-26 (26.02.2024)
Red Hat Security Advisory RHSA-2024:1004 from 2024-02-27 (26.02.2024)
Dell Security Advisory DSA-2024-080 from 2024-02-21 (20.02.2024)
Ubuntu Security Notice USN-6638-1 from 2024-02-15 (14.02.2024)
Debian Security Advisory DSA-5624 from 2024-02-14 (14.02.2024)
Lenovo Security Advisory LEN-150692 from 2024-02-14 (14.02.2024)
Dell Security Advisory DSA-2023-384 from 2024-01-31 (30.01.2024)
Titancore GitHub from 2024-01-16 (16.01.2024)
Insyde Security Advisory 2023066 from 2024-01-16 (16.01.2024)
Quarkslab blog from 2024-01-16 (16.01.2024)

Version history of this security alert

This is version 18 of this IT security notice for the EDK2 NetworkPkg IP stack implementation. If further updates are announced, this document will be updated. The changes made can be seen in the version history below.

01/16/2024 – First version
01/30/2024 – New updates from Dell added
02/14/2024 – New updates from Lenovo, Debian and Ubuntu added
02/20/2024 – New updates from Dell added
02/26/2024 – New updates from Fedora added
02/27/2024 – New updates from Red Hat added
03/03/2024 – New updates from Red Hat added
03/04/2024 – New updates from Red Hat and Amazon added
03/06/2024 – New updates from Oracle Linux added
03/10/2024 – New updates from Oracle Linux added
03/12/2024 – New updates from the Rocky Enterprise Software Foundation added
03/19/2024 – New updates from Red Hat added
04/03/2024 – New updates from HP added
04/09/2024 – New updates from Red Hat added
04/17/2024 – New updates from Dell added
04/24/2024 – New updates from Oracle Linux added
04/29/2024 – New updates from Red Hat added
05/21/2024 – New updates from Red Hat added

+++ Editorial note: This document is based on current BSI data and will be updated as the status of the alert changes. We welcome suggestions and comments at [email protected]. +++

kns/roj/news.de
