Vulnerability Description
An insecure default that includes the UEFI Shell in the EDK2 (OVMF) firmware build was left enabled in Ubuntu's EDK2 packages, and therefore in the firmware LXD ships for its virtual machines. Because the Shell is part of the firmware image itself, it loads without the signature checks that Secure Boot applies to OS boot loaders, so an OS-resident attacker (one who already has administrative control of the running system) can boot into the Shell and bypass Secure Boot.
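The practical question for anyone running OVMF-based VMs is whether the firmware image they deploy still carries the Shell. The scanner below is an added example written for this advisory; it is not code from the Ubuntu, Debian, LXD or TianoCore projects. It assumes two things that should be verified against your own EDK2 tree: that the Shell is built from ShellPkg/Application/Shell/Shell.inf, whose FILE_GUID is 7C04A583-9E3E-4f1c-AD65-E05268D0B4D1 and which heads the Shell's FFS file inside the DXE firmware volume, and that OVMF wraps that volume in an LZMA guided section tagged with gLzmaCustomDecompressGuid (EE4E5898-3914-4259-9D6E-DC7BD79403CF). The second point is the caveat a raw `grep` misses: the DXE volume is compressed, so the Shell's GUID is only visible after decompressing the section. The `make_synthetic_image` helper builds a constructed stand-in so the script runs offline; it is not a real OVMF image.

```python
"""Scan an EDK2/OVMF firmware image (.fd) for an embedded UEFI Shell.

Added example for this advisory, not project code.  Assumptions (verify
against your EDK2 tree): the Shell's FILE_GUID is
7C04A583-9E3E-4f1c-AD65-E05268D0B4D1, and OVMF compresses its DXE volume in
an LZMA guided section (EE4E5898-3914-4259-9D6E-DC7BD79403CF).
"""
import lzma
import sys
import uuid

SHELL_FILE_GUIDS = {
    # name -> FILE_GUID of the Shell application (assumed, see docstring)
    "ShellPkg Shell.inf": uuid.UUID("7C04A583-9E3E-4f1c-AD65-E05268D0B4D1"),
}
LZMA_SECTION_GUID = uuid.UUID("EE4E5898-3914-4259-9D6E-DC7BD79403CF")


def _lzma_sections(image):
    """Yield (section_offset, decompressed_bytes) for each LZMA guided section.

    EFI_GUID_DEFINED_SECTION layout: 4-byte common header (3-byte size,
    1-byte type 0x02), 16-byte SectionDefinitionGuid, UINT16 DataOffset,
    UINT16 Attributes.  The compressed payload starts at section + DataOffset.
    """
    needle = LZMA_SECTION_GUID.bytes_le
    pos = image.find(needle)
    while pos != -1:
        section = pos - 4
        if section >= 0 and pos + 18 <= len(image):
            data_offset = int.from_bytes(image[pos + 16:pos + 18], "little")
            try:
                # One decompressor call: the stream stops at its own end
                # marker/size and whatever follows in the .fd is ignored.
                dec = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE)
                data = dec.decompress(image[section + data_offset:])
            except lzma.LZMAError:
                data = None  # false GUID hit or corrupt section; keep going
            if data:
                yield section, data
        pos = image.find(needle, pos + 1)


def find_shell(image, where="raw", depth=0):
    """Return [(location, offset, name)] for every Shell FILE_GUID match.

    Searches the raw bytes, then recurses into decompressed LZMA sections
    (OVMF nests one level; depth caps pathological inputs).
    """
    hits = []
    for name, guid in SHELL_FILE_GUIDS.items():
        needle = guid.bytes_le
        off = image.find(needle)
        while off != -1:
            hits.append((where, off, name))
            off = image.find(needle, off + 1)
    if depth < 2:
        for sec_off, inner in _lzma_sections(image):
            hits.extend(find_shell(inner, f"{where}/lzma@0x{sec_off:x}", depth + 1))
    return hits


def make_synthetic_image():
    """Constructed test input, not a real OVMF image: padding, one LZMA guided
    section whose payload carries the Shell FILE_GUID at offset 64, padding.
    Real images wrap this in full firmware-volume and FFS structures."""
    shell = SHELL_FILE_GUIDS["ShellPkg Shell.inf"].bytes_le
    payload = b"\x00" * 64 + shell + b"\x00" * 64
    stream = lzma.compress(payload, format=lzma.FORMAT_ALONE)
    section = (b"\x00\x00\x00\x02"              # size (unused here), type GUID_DEFINED
               + LZMA_SECTION_GUID.bytes_le
               + (0x18).to_bytes(2, "little")   # DataOffset: payload follows the header
               + b"\x00\x00"                    # Attributes
               + stream)
    return b"\xff" * 128 + section + b"\xff" * 128


def main(argv):
    if len(argv) > 1:
        with open(argv[1], "rb") as f:
            image = f.read()
    else:
        image = make_synthetic_image()
    hits = find_shell(image)
    for where, off, name in hits:
        print(f"UEFI Shell FILE_GUID ({name}) found at {where}+0x{off:x}")
    if not hits:
        print("no UEFI Shell FILE_GUID found")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 scan_shell.py /path/to/OVMF_CODE.fd` against the image your hypervisor actually loads (for Ubuntu's ovmf package that is a file under /usr/share/OVMF/, and LXD bundles its own copy); a non-zero exit means a Shell FILE_GUID was found. A bare GUID match is a strong indicator, not proof, so confirm with a firmware-volume parser such as UEFITool before acting on it. Upstream OvmfPkg exposes a BUILD_SHELL define that drops the Shell from the build when set to FALSE; the page does not state which build change Ubuntu and LXD made, so check the linked bug reports for the exact fix.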
CVSS Score
6.7 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Canonical | Lxd | 5.0 |
| Tianocore | Edk2 | <= 2023.11-8 |
| Debian | Debian Linux | 10.0 |
Related Weaknesses (CWE)
References
- https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/2040137 (Issue Tracking)
- https://bugs.launchpad.net/ubuntu/+source/lxd/+bug/2040139 (Issue Tracking)
- https://lists.debian.org/debian-lts-announce/2024/06/msg00028.html (Mailing List)
- https://nvd.nist.gov/vuln/detail/CVE-2023-48733 (Third Party Advisory)
- https://www.openwall.com/lists/oss-security/2024/02/14/4 (Mailing List)
FAQ
What is CVE-2023-48733?
CVE-2023-48733 is a vulnerability with a CVSS score of 6.7 (MEDIUM). An insecure default to allow UEFI Shell in EDK2 was left enabled in Ubuntu's EDK2. This allows an OS-resident attacker to bypass Secure Boot.
How severe is CVE-2023-48733?
CVE-2023-48733 has been rated MEDIUM with a CVSS base score of 6.7/10. A score in this range is typical of a local attack that already requires high privileges but yields full compromise of the boot chain; the full CVSS vector is not reproduced on this page, see the NVD entry in the references for the metric breakdown.
Is there a patch for CVE-2023-48733?
Yes. See the references above: the Ubuntu edk2 and LXD bug reports track the package updates, and the Debian LTS announcement covers Debian. Affected products include: Canonical LXD, TianoCore EDK2 (as packaged by Ubuntu), Debian Linux.