Vulnerability Description
An insecure default to allow UEFI Shell in EDK2 was left enabled in LXD. This allows an OS-resident attacker to bypass Secure Boot.
CVSS Score
6.7
MEDIUM
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Canonical | Lxd | >= 5.0.0, < 5.21.0 |
| Tianocore | Edk2 | <= 2023.11-8 |
Related Weaknesses (CWE)
References
- https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/2040137 (Issue Tracking)
- https://bugs.launchpad.net/ubuntu/+source/lxd/+bug/2040139 (Issue Tracking)
- https://nvd.nist.gov/vuln/detail/CVE-2023-48733 (Third Party Advisory)
- https://www.openwall.com/lists/oss-security/2024/02/14/4 (Mailing List)
FAQ
What is CVE-2023-49721?
CVE-2023-49721 is a vulnerability with a CVSS score of 6.7 (MEDIUM). An insecure default to allow UEFI Shell in EDK2 was left enabled in LXD. This allows an OS-resident attacker to bypass Secure Boot.
How severe is CVE-2023-49721?
CVE-2023-49721 has been rated MEDIUM with a CVSS base score of 6.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-49721?
Check the references section above for vendor advisories and patch information. Affected products include: Canonical Lxd, Tianocore Edk2.