CVE-2023-39950
CVSS 3.1 Score 5.2 of 10 (medium)
Details
Summary
CVE-2023-39950 is a vulnerability affecting the efibootguard UEFI boot loader. The issue arises from insufficient validation and sanitization of input from untrustworthy bootloader environment files, potentially leading to crashes and code injections. Specifically, manipulated environment variables in `bg_setenv` or programs using `libebgenv` can cause these issues. The `bg_printenv` component may also experience crashes or report invalid results due to invalid read accesses. EFI Boot Guard's bootloader EFI binary remains unaffected. Release v0.15 includes necessary patches to sanitize and validate the bootloader environment. Users must update the library, tools, and statically-linked programs. No update of the bootloader EFI executable is required. The only preventive measure for unpatched EFI Boot Guard versions is to avoid modifying user variables.
Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.
Affected Vendors
- Siemens AG