CVE-2022-36764: 
NixOS vulnerability analysis and mitigation

EDK2 contains a vulnerability in the Tcg2MeasurePeImage() function that allows a user to trigger a heap buffer overflow via a local network. The vulnerability was assigned CVE-2022-36764 and was publicly disclosed on January 9, 2024. The vulnerability affects EDK2 versions up to and including 202311. This vulnerability has been rated as High severity with a CVSS v3.1 base score of 7.8 (NVD).

The vulnerability stems from an integer overflow that can occur when calculating the EventSize variable at line 420 in SecurityPkg/Library/DxeTpm2MeasureBootLib/DxeTpm2MeasureBootLib.c. The function Tcg2MeasurePeImage() receives untrusted input and calls GetDevicePathSize() to get the size of the FilePath. The issue arises because no checks are performed on EventSize between the GetDevicePathSize() call and the allocation, allowing for a potential overflow. This can result in AllocateZeroPool() returning a very small allocation for a very large FilePathSize (GitHub Advisory).

The successful exploitation of this vulnerability could lead to a compromise of confidentiality, integrity, and availability. An attacker could achieve arbitrary code execution in the DXE phase through various methods: corrupting PREV-NEXT pointers of heap objects for unlink() attacks, overwriting UEFI application code (as all memory is RWX by default), or manipulating pointers from the BootServices table (GitHub Advisory).

Patch files were made available through the TianoCore bugzilla (Bug ID 4118) and were integrated into the February 2024 EDK2 release. Various distributions have released security updates to address this vulnerability, including Fedora and Ubuntu. Ubuntu has fixed this in versions 2023.05-2ubuntu0.1 for 23.10 (mantic), 2022.02-3ubuntu0.22.04.2 for 22.04 LTS (jammy), and 0~20191122.bd85bf54-2ubuntu3.5 for 20.04 LTS (focal) (Ubuntu Security).