CVE-2018-12180 : Buffer overflow in BlockIo service for EDK II may allow an unauthenticated user

Buffer overflow in BlockIo service for EDK II may allow an unauthenticated user to potentially enable escalation of privilege, information disclosure and/or denial of service via network access.

Published 2019-03-27 20:29:03

Updated 2019-10-03 00:03:26

Source Intel Corporation

View at NVD, CVE.org

Vulnerability category: OverflowMemory CorruptionDenial of serviceInformation leak

Products affected by CVE-2018-12180

Opensuse » Leap » Version: 15.0
cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
Matching versions
Tianocore » Edk Ii » Version: N/A
cpe:2.3:a:tianocore:edk_ii:-:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2018-12180

EPSS FAQ

1.22%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 77 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2018-12180

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:P	8.6	6.4	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
8.8	HIGH	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2018-12180

CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2018-12180

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ABTDKZK2G5XP6JCO3HXMPOA2NRTIYDZ/

[SECURITY] Fedora 29 Update: edk2-20190308stable-1.fc29 - package-announce - Fedora Mailing-Lists

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:1116

RHSA-2019:1116 - Security Advisory - Red Hat Customer Portal
https://access.redhat.com/errata/RHSA-2019:0968

RHSA-2019:0968 - Security Advisory - Red Hat Customer Portal
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03912en_us

HPESBHF03912 rev.2 - Certain HPE Servers with a UEFI-based BIOS, Multiple Local Vulnerabilities

CVEs referencing this url
https://edk2-docs.gitbooks.io/security-advisory/content/buffer-overflow-in-blockio-service-for-ram-disk.html

36. Buffer Overflow in BlockIo service for RAM disk · Security Advisory
Patch;Vendor Advisory
https://usn.ubuntu.com/4349-1/

USN-4349-1: EDK II vulnerabilities | Ubuntu security notices | Ubuntu

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00046.html

[security-announce] openSUSE-SU-2019:1083-1: important: Security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:0809

RHSA-2019:0809 - Security Advisory - Red Hat Customer Portal

Jump to

Vulnerability Details : CVE-2018-12180

Products affected by CVE-2018-12180

Exploit prediction scoring system (EPSS) score for CVE-2018-12180

CVSS scores for CVE-2018-12180

CWE ids for CVE-2018-12180

References for CVE-2018-12180