Vulnerabilities > CVE-2018-12180 - Out-of-bounds Write vulnerability in multiple products

CVSS 8.8 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

tianocore

opensuse

CWE-787

nessus

NVD

Published: 2019-03-27

Updated: 2023-11-07

Summary

Buffer overflow in BlockIo service for EDK II may allow an unauthenticated user to potentially enable escalation of privilege, information disclosure and/or denial of service via network access.

Vulnerable Configurations

Part	Description	Count
Application	Tianocore Tianocore EDK II -	1
OS	Opensuse Opensuse Leap 15.0	1

Common Weakness Enumeration (CWE)

CWE-787 - Out-of-bounds Write

Nessus

NASL family	Oracle Linux Local Security Checks
NASL id	ORACLELINUX_ELSA-2019-0809.NASL
description	From Red Hat Security Advisory 2019:0809 : An update for ovmf is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. OVMF (Open Virtual Machine Firmware) is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM. Security Fix(es) : * edk2: Buffer Overflow in BlockIo service for RAM disk (CVE-2018-12180) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
last seen	2020-06-01
modified	2020-06-02
plugin id	124253
published	2019-04-24
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/124253
title	Oracle Linux 7 : ovmf (ELSA-2019-0809)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2019-0581-1.NASL
description	This update for ovmf fixes the following issues : Security issues fixed : CVE-2018-12180: Fixed a buffer overflow in BlockIo service, which could lead to memory read/write overrun (bsc#1127820). CVE-2018-12178: Fixed an improper DNS check upon receiving a new DNS packet (bsc#1127821). CVE-2018-3630: Fixed a logic error in FV parsing which could allow a local attacker to bypass the chain of trust checks (bsc#1127822). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	122775
published	2019-03-12
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/122775
title	SUSE SLES12 Security Update : ovmf (SUSE-SU-2019:0581-1)

NASL family	CentOS Local Security Checks
NASL id	CENTOS_RHSA-2019-0809.NASL
description	An update for ovmf is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. OVMF (Open Virtual Machine Firmware) is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM. Security Fix(es) : * edk2: Buffer Overflow in BlockIo service for RAM disk (CVE-2018-12180) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
last seen	2020-06-01
modified	2020-06-02
plugin id	124415
published	2019-05-01
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/124415
title	CentOS 7 : ovmf (CESA-2019:0809)

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2019-1116.NASL
description	An update for redhat-virtualization-host is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. OVMF (Open Virtual Machine Firmware) is an EDK II (edk2) based project to enable UEFI support for Virtual Machines. The ovmf package contains a sample 64-bit UEFI firmware for QEMU and KVM, including the edk2 package. The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host
last seen	2020-06-01
modified	2020-06-02
plugin id	124842
published	2019-05-13
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/124842
title	RHEL 7 : Virtualization Manager (RHSA-2019:1116)

NASL family	NewStart CGSL Local Security Checks
NASL id	NEWSTART_CGSL_NS-SA-2019-0076_OVMF.NASL
description	The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has ovmf packages installed that are affected by a vulnerability: - Buffer overflow in BlockIo service for EDK II may allow an unauthenticated user to potentially enable escalation of privilege, information disclosure and/or denial of service via network access. (CVE-2018-12180) Note that Nessus has not tested for this issue but has instead relied only on the application
last seen	2020-06-01
modified	2020-06-02
plugin id	127284
published	2019-08-12
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/127284
title	NewStart CGSL CORE 5.04 / MAIN 5.04 : ovmf Vulnerability (NS-SA-2019-0076)

NASL family	Ubuntu Local Security Checks
NASL id	UBUNTU_USN-4349-1.NASL
description	A buffer overflow was discovered in the network stack. An unprivileged user could potentially enable escalation of privilege and/or denial of service. This issue was already fixed in a previous release for 18.04 LTS and 19.10. (CVE-2018-12178) A buffer overflow was discovered in BlockIo service. An unauthenticated user could potentially enable escalation of privilege, information disclosure and/or denial of service. This issue was already fixed in a previous release for 18.04 LTS and 19.10. (CVE-2018-12180) A stack overflow was discovered in bmp. An unprivileged user could potentially enable denial of service or elevation of privilege via local access. This issue was already fixed in a previous release for 18.04 LTS and 19.10. (CVE-2018-12181) It was discovered that memory was not cleared before free that could lead to potential password leak. (CVE-2019-14558) A memory leak was discovered in ArpOnFrameRcvdDpc. An attacker could possibly use this issue to cause a denial of service or other unspecified impact. (CVE-2019-14559) An integer overflow was discovered in MdeModulePkg/PiDxeS3BootScriptLib. An attacker could possibly use this issue to cause a denial of service or other unspecified impact. (CVE-2019-14563) It was discovered that the affected version doesn
last seen	2020-05-08
modified	2020-05-01
plugin id	136282
published	2020-05-01
reporter	Ubuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/136282
title	Ubuntu 16.04 LTS / 18.04 LTS / 19.10 : edk2 vulnerabilities (USN-4349-1)

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2019-0809.NASL
description	An update for ovmf is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. OVMF (Open Virtual Machine Firmware) is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM. Security Fix(es) : * edk2: Buffer Overflow in BlockIo service for RAM disk (CVE-2018-12180) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
last seen	2020-06-01
modified	2020-06-02
plugin id	124255
published	2019-04-24
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/124255
title	RHEL 7 : ovmf (RHSA-2019:0809)

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2019-0968.NASL
description	An update for edk2 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. EDK (Embedded Development Kit) is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM. Security Fix(es) : * edk2: Buffer Overflow in BlockIo service for RAM disk (CVE-2018-12180) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
last seen	2020-06-01
modified	2020-06-02
plugin id	124663
published	2019-05-07
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/124663
title	RHEL 8 : edk2 (RHSA-2019:0968)

NASL family	NewStart CGSL Local Security Checks
NASL id	NEWSTART_CGSL_NS-SA-2019-0083_OVMF.NASL
description	The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has ovmf packages installed that are affected by a vulnerability: - Buffer overflow in BlockIo service for EDK II may allow an unauthenticated user to potentially enable escalation of privilege, information disclosure and/or denial of service via network access. (CVE-2018-12180) Note that Nessus has not tested for this issue but has instead relied only on the application
last seen	2020-06-01
modified	2020-06-02
plugin id	127297
published	2019-08-12
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/127297
title	NewStart CGSL CORE 5.05 / MAIN 5.05 : ovmf Vulnerability (NS-SA-2019-0083)

NASL family	Amazon Linux Local Security Checks
NASL id	AL2_ALAS-2019-1273.NASL
description	Logic error in FV parsing in MdeModulePkg\Core\Pei\FwVol\FwVol.c (CVE-2018-3630) Logic issue in variable service module for EDK II/UDK2018/UDK2017/UDK2015 may allow an authenticated user to potentially enable escalation of privilege, information disclosure and/or denial of service via local access. (CVE-2017-5734) A missing check leads to an out-of-bounds read and write flaw in NetworkPkg/DnsDxe as shipped in edk2, when it parses DNS responses. A remote attacker who controls the DNS server used by the vulnerable firmware may use this flaw to make the system crash. (CVE-2018-3613) improper DNS packet size check (CVE-2018-12178) Privilege escalation via heap-based buffer overflow in Decode() function (CVE-2017-5735) Privilege escalation via heap-based buffer overflow in MakeTable() function (CVE-2017-5733) Privilege escalation via processing of malformed files in TianoCompress.c (CVE-2017-5731) Privilege escalation via processing of malformed files in BaseUefiDecompressLib.c (CVE-2017-5732) A stack-based buffer overflow was discovered in edk2 when the HII database contains a Bitmap that claims to be 4-bit or 8-bit per pixel, but the palette contains more than 16(2^4) or 256(2^8) colors. (CVE-2018-12181) Buffer overflow in BlockIo service for EDK II may allow an unauthenticated user to potentially enable escalation of privilege, information disclosure and/or denial of service via network access. (CVE-2018-12180)
last seen	2020-06-01
modified	2020-06-02
plugin id	128287
published	2019-08-28
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/128287
title	Amazon Linux 2 : edk2 (ALAS-2019-1273)

NASL family	SuSE Local Security Checks
NASL id	OPENSUSE-2019-348.NASL
description	This update for ovmf fixes the following issues : Security issues fixed : - CVE-2018-12180: Fixed a buffer overflow in BlockIo service, which could lead to memory read/write overrun (bsc#1127820). - CVE-2018-12178: Fixed an improper DNS check upon receiving a new DNS packet (bsc#1127821). - CVE-2018-3630: Fixed a logic error in FV parsing which could allow a local attacker to bypass the chain of trust checks (bsc#1127822). This update was imported from the SUSE:SLE-12-SP3:Update update project.
last seen	2020-06-01
modified	2020-06-02
plugin id	122963
published	2019-03-20
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/122963
title	openSUSE Security Update : ovmf (openSUSE-2019-348)

NASL family	SuSE Local Security Checks
NASL id	OPENSUSE-2019-1083.NASL
description	This update for ovmf fixes the following issues : Security issues fixed : - CVE-2018-12180: Fixed a buffer overflow in BlockIo service, which could lead to memory read/write overrun (bsc#1127820). - CVE-2018-12178: Fixed an improper DNS check upon receiving a new DNS packet (bsc#1127821). - CVE-2018-3630: Fixed a logic error in FV parsing which could allow a local attacker to bypass the chain of trust checks (bsc#1127822). This update was imported from the SUSE:SLE-15:Update update project.
last seen	2020-06-01
modified	2020-06-02
plugin id	123543
published	2019-04-01
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/123543
title	openSUSE Security Update : ovmf (openSUSE-2019-1083)

NASL family	Scientific Linux Local Security Checks
NASL id	SL_20190423_OVMF_ON.NASL
description	Security Fix(es) : - edk2: Buffer Overflow in BlockIo service for RAM disk (CVE-2018-12180)
last seen	2020-03-18
modified	2019-04-24
plugin id	124262
published	2019-04-24
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/124262
title	Scientific Linux Security Update : ovmf on (20190423)

NASL family	Oracle Linux Local Security Checks
NASL id	ORACLELINUX_ELSA-2019-0968.NASL
description	From Red Hat Security Advisory 2019:0968 : An update for edk2 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. EDK (Embedded Development Kit) is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM. Security Fix(es) : * edk2: Buffer Overflow in BlockIo service for RAM disk (CVE-2018-12180) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
last seen	2020-06-01
modified	2020-06-02
plugin id	127567
published	2019-08-12
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/127567
title	Oracle Linux 8 : edk2 (ELSA-2019-0968)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2019-0580-1.NASL
description	This update for ovmf fixes the following issues : Security issues fixed : CVE-2018-12180: Fixed a buffer overflow in BlockIo service, which could lead to memory read/write overrun (bsc#1127820). CVE-2018-12178: Fixed an improper DNS check upon receiving a new DNS packet (bsc#1127821). CVE-2018-3630: Fixed a logic error in FV parsing which could allow a local attacker to bypass the chain of trust checks (bsc#1127822). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	122774
published	2019-03-12
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/122774
title	SUSE SLES15 Security Update : ovmf (SUSE-SU-2019:0580-1)

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2019-3B96BB5186.NASL
description	Use YYYYMMDD versioning to fix upgrade path ---- - Update to stable-201903 - Update to openssl-1.1.0j - Move to python3 deps Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	124486
published	2019-05-02
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/124486
title	Fedora 30 : edk2 (2019-3b96bb5186)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2019-0579-1.NASL
description	This update for ovmf fixes the following issues : Security issues fixed : CVE-2018-12180: Fixed a buffer overflow in BlockIo service, which could lead to memory read/write overrun (bsc#1127820). CVE-2018-12178: Fixed an improper DNS check upon receiving a new DNS packet (bsc#1127821). CVE-2018-3630: Fixed a logic error in FV parsing which could allow a local attacker to bypass the chain of trust checks (bsc#1127822). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	122773
published	2019-03-12
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/122773
title	SUSE SLES12 Security Update : ovmf (SUSE-SU-2019:0579-1)

Redhat

advisories

bugzilla

id	1683372
title	CVE-2018-12180 edk2: Buffer Overflow in BlockIo service for RAM disk

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 7 is installed
oval oval:com.redhat.rhba:tst:20150364027

AND
comment OVMF is earlier than 0:20180508-3.gitee3198e672e2.el7_6.1
oval oval:com.redhat.rhsa:tst:20190809001
comment OVMF is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20183090002

AND

comment AAVMF is earlier than 0:20180508-3.gitee3198e672e2.el7_6.1
oval oval:com.redhat.rhsa:tst:20190809003
comment AAVMF is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20183090004

rhsa

id	RHSA-2019:0809
released	2019-04-23
severity	Important
title	RHSA-2019:0809: ovmf security update (Important)

bugzilla

id	1683372
title	CVE-2018-12180 edk2: Buffer Overflow in BlockIo service for RAM disk

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 8 is installed
oval oval:com.redhat.rhba:tst:20193384074

AND

comment edk2-ovmf is earlier than 0:20180508gitee3198e672e2-9.el8_0.1
oval oval:com.redhat.rhsa:tst:20190968001
comment edk2-ovmf is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20190968002

AND

comment edk2-aarch64 is earlier than 0:20180508gitee3198e672e2-9.el8_0.1
oval oval:com.redhat.rhsa:tst:20190968003
comment edk2-aarch64 is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20190968004

rhsa

id	RHSA-2019:0968
released	2019-05-07
severity	Important
title	RHSA-2019:0968: edk2 security update (Important)

rhsa
id RHSA-2019:1116

rpms

AAVMF-0:20180508-3.gitee3198e672e2.el7_6.1
OVMF-0:20180508-3.gitee3198e672e2.el7_6.1
edk2-aarch64-0:20180508gitee3198e672e2-9.el8_0.1
edk2-ovmf-0:20180508gitee3198e672e2-9.el8_0.1
redhat-release-virtualization-host-0:4.3-0.6.el7
redhat-virtualization-host-image-update-0:4.3-20190418.0.el7_6
redhat-virtualization-host-image-update-placeholder-0:4.3-0.6.el7

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Nessus

Redhat

References