all InfoSec news logo
all InfoSec news - Your InfoSec news aggregator
Log in Sign up
all InfoSec news

VU#811862: Image files in UEFI can be abused to modify boot behavior

Add to bookmarks
Dec. 6, 2023, 6:59 p.m. |

CERT Recently Published Vulnerability Notes kb.cert.org

Overview


Implementation of Unified Extensible Firmware Interface (UEFI) by Vendors provide a way to customize logo image displayed during the early boot phase. Binarly has uncovered vulnerabilities in the image parsing libraries that provide this capability. An attacker with local privileged access can exploit these vulnerability to modify UEFI settings.


Description


UEFI firmware provides an extensible interface between an operating system and hardware platform. UEFI software stores a number of settings and files in a customized Extensible Firmware Interface (EFI) …

access attacker binarly boot exploit files firmware image implementation interface libraries local logo parsing privileged privileged access uefi uncovered vendors vulnerabilities vulnerability

Visit resource

More from kb.cert.org / CERT Recently Published Vulnerability Notes

VU#163057: BMC software fails to validate IPMI session. 1 day, 11 hours ago | kb.cert.org
abuse access attacker baseboard management controller +17
VU#238194: R Programming Language implementations are vulnerable to arbitrary code execution during deserialization of .rds … 2 days, 10 hours ago | kb.cert.org
arbitrary code arbitrary code execution attacker can +15
VU#253266: Keras 2 Lambda Layers Allow Arbitrary Code Injection in TensorFlow Models 2 weeks, 1 day ago | kb.cert.org
application arbitrary code attacker attackers +14
VU#123335: Multiple Programming Languages Fail to Escape Arguments Properly in Microsoft Windows 3 weeks ago | kb.cert.org
arbitrary code attackers cases code +15
VU#155143: Linux kernel on Intel systems is susceptible to Spectre v2 attacks 3 weeks, 1 day ago | kb.cert.org
architectures attacker attacks bhi +20
VU#421644: HTTP/2 CONTINUATION frames can be utilized for DoS attacks 4 weeks ago | kb.cert.org
attacks can dos fragments +6
VU#417980: UDP-based, application-layer protocol implementations are vulnerable to network loops 1 month, 1 week ago | kb.cert.org
abuse application applications attacker +18
VU#488902: CPU hardware utilizing speculative execution may be vulnerable to speculative race conditions 1 month, 2 weeks ago | kb.cert.org
architectures attacker can conditions +13
VU#949046: Sceiner firmware locks and associated devices are vulnerable to encryption downgrade and arbitrary file … 1 month, 3 weeks ago | kb.cert.org
app attacks bluetooth called +11

Jobs in InfoSec / Cybersecurity

Post a job on infosec-jobs.com Find talent on infosec-jobs.com

Social Engineer For Reverse Engineering Exploit Study

@ Independent study | Remote
View on infosec-jobs.com

Senior Software Engineer, Security

@ Niantic | Zürich, Switzerland
View on infosec-jobs.com

Consultant expert en sécurité des systèmes industriels (H/F)

@ Devoteam | Levallois-Perret, France
View on infosec-jobs.com

Cybersecurity Analyst

@ Bally's | Providence, Rhode Island, United States
View on infosec-jobs.com

Digital Trust Cyber Defense Executive

@ KPMG India | Gurgaon, Haryana, India
View on infosec-jobs.com

Program Manager - Cybersecurity Assessment Services

@ TestPros | Remote (and DMV), DC
View on infosec-jobs.com
View more jobs