CVE-2023-49721 — Incorrect Default Permissions in Edk2
Severity
6.7 MEDIUM (NVD)
EPSS
0.0%
top 96.38%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Feb 14
Latest update: Feb 15
Description
An insecure default to allow UEFI Shell in EDK2 was left enabled in LXD. This allows an OS-resident attacker to bypass Secure Boot.
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 0.8 | Impact: 5.9
Affected Packages: 3 packages
Vulnerability Details (2)
Vendor Advisories (1)
Debian
CVE-2023-49721: incus - An insecure default to allow UEFI Shell in EDK2 was left enabled in LXD. This al... (2023)