An update for edk2 is now available for openEuler-20.03-LTS-SP4 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-1193 Final 1.0 1.0 2025-02-28 Initial 2025-02-28 2025-02-28 openEuler SA Tool V1.0 2025-02-28 edk2 security update An update for edk2 is now available for openEuler-20.03-LTS-SP4 EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and PI specifications. Security Fix(es): Issue summary: A timing side-channel which could potentially allow recovering the private key exists in the ECDSA signature computation. Impact summary: A timing side-channel in ECDSA signature computations could allow recovering the private key by an attacker. However, measuring the timing would require either local access to the signing application or a very fast network connection with low latency. There is a timing signal of around 300 nanoseconds when the top word of the inverted ECDSA nonce value is zero. This can happen with significant probability only for some of the supported elliptic curves. In particular the NIST P-521 curve is affected. To be able to measure this leak, the attacker process must either be located in the same physical computer or must have a very fast network connection with low latency. For that reason the severity of this vulnerability is Low.(CVE-2024-13176) Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause memory to be accessed that was previously freed in some situations Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code. However, only applications that directly call the SSL_free_buffers function are affected by this issue. Applications that do not call this function are not vulnerable. Our investigations indicate that this function is rarely used by applications. The SSL_free_buffers function is used to free the internal OpenSSL buffer used when processing an incoming record from the network. The call is only expected to succeed if the buffer is not currently in use. However, two scenarios have been identified where the buffer is freed even when still in use. The first scenario occurs where a record header has been received from the network and processed by OpenSSL, but the full record body has not yet arrived. In this case calling SSL_free_buffers will succeed even though a record has only been partially processed and the buffer is still in use. The second scenario occurs where a full record containing application data has been received and processed by OpenSSL but the application has only read part of this data. Again a call to SSL_free_buffers will succeed even though the buffer is still in use. While these scenarios could occur accidentally during normal operation a malicious attacker could attempt to engineer a stituation where this occurs. We are not aware of this issue being actively exploited. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.(CVE-2024-4741) An update for edk2 is now available for openEuler-20.03-LTS-SP4. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High edk2 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1193 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-13176 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-4741 https://nvd.nist.gov/vuln/detail/CVE-2024-13176 https://nvd.nist.gov/vuln/detail/CVE-2024-4741 openEuler-20.03-LTS-SP4 edk2-202002-27.oe2003sp4.src.rpm edk2-aarch64-202002-27.oe2003sp4.noarch.rpm edk2-help-202002-27.oe2003sp4.noarch.rpm edk2-ovmf-202002-27.oe2003sp4.noarch.rpm python3-edk2-devel-202002-27.oe2003sp4.noarch.rpm edk2-debuginfo-202002-27.oe2003sp4.aarch64.rpm edk2-debugsource-202002-27.oe2003sp4.aarch64.rpm edk2-devel-202002-27.oe2003sp4.aarch64.rpm edk2-debuginfo-202002-27.oe2003sp4.x86_64.rpm edk2-debugsource-202002-27.oe2003sp4.x86_64.rpm edk2-devel-202002-27.oe2003sp4.x86_64.rpm Issue summary: A timing side-channel which could potentially allow recovering the private key exists in the ECDSA signature computation. Impact summary: A timing side-channel in ECDSA signature computations could allow recovering the private key by an attacker. However, measuring the timing would require either local access to the signing application or a very fast network connection with low latency. There is a timing signal of around 300 nanoseconds when the top word of the inverted ECDSA nonce value is zero. This can happen with significant probability only for some of the supported elliptic curves. In particular the NIST P-521 curve is affected. To be able to measure this leak, the attacker process must either be located in the same physical computer or must have a very fast network connection with low latency. For that reason the severity of this vulnerability is Low. 2025-02-28 CVE-2024-13176 openEuler-20.03-LTS-SP4 Medium 4.1 AV:P/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L edk2 security update 2025-02-28 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1193 Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause memory to be accessed that was previously freed in some situations Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code. However, only applications that directly call the SSL_free_buffers function are affected by this issue. Applications that do not call this function are not vulnerable. Our investigations indicate that this function is rarely used by applications. The SSL_free_buffers function is used to free the internal OpenSSL buffer used when processing an incoming record from the network. The call is only expected to succeed if the buffer is not currently in use. However, two scenarios have been identified where the buffer is freed even when still in use. The first scenario occurs where a record header has been received from the network and processed by OpenSSL, but the full record body has not yet arrived. In this case calling SSL_free_buffers will succeed even though a record has only been partially processed and the buffer is still in use. The second scenario occurs where a full record containing application data has been received and processed by OpenSSL but the application has only read part of this data. Again a call to SSL_free_buffers will succeed even though the buffer is still in use. While these scenarios could occur accidentally during normal operation a malicious attacker could attempt to engineer a stituation where this occurs. We are not aware of this issue being actively exploited. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. 2025-02-28 CVE-2024-4741 openEuler-20.03-LTS-SP4 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H edk2 security update 2025-02-28 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1193