CVE-2023-49721

Name: CVE-2023-49721
Description: An insecure default to allow UEFI Shell in EDK2 was left enabled in LXD. This allows an OS-resident attacker to bypass Secure Boot.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release       Version                          Status
incus (PTS)      sid, trixie   6.0.0-1                          fixed
lxd (PTS)        bookworm      5.0.2-5                          fixed
lxd (PTS)        sid, trixie   5.0.2+git20231211.1364ae4-4      fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version    Urgency   Origin   Debian Bugs
incus     source   (unstable)   (not affected)
lxd       source   (unstable)   (not affected)

Notes

- lxd <not-affected> (Debian uses OVMF as packaged/fixed in the EDK2 package)
- incus <not-affected> (Debian uses OVMF as packaged/fixed in the EDK2 package)
https://www.openwall.com/lists/oss-security/2024/02/14/4
https://bugs.launchpad.net/ubuntu/+source/lxd/+bug/2040139
