30. EDK II Authenticated Variable Bypass

Description:

A logic error in MdeModulePkg in EDK II firmware may allow an authenticated user to potentially bypass configuration access controls and escalate privileges via local access.

Impact:

Elevation of Privilege

Severity:

Medium 6.7 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Recommendation:

This addresses the following issue in the TianoCore Bugzilla:
https://bugzilla.tianocore.org/show_bug.cgi?id=415

The patch to update the firmware is:
https://bugzilla.tianocore.org/attachment.cgi?id=44

Acknowledgments:

This issue was discovered by Intel.

References:

CVE-2018-3613