CVE-2023-49721

NameCVE-2023-49721
DescriptionAn insecure default to allow UEFI Shell in EDK2 was left enabled in LXD. This allows an OS-resident attacker to bypass Secure Boot.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
incus (PTS)trixie0.6-1fixed
sid6.0.0-1fixed
lxd (PTS)bookworm5.0.2-5fixed
trixie5.0.2+git20231211.1364ae4-3fixed
sid5.0.2+git20231211.1364ae4-4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
incussource(unstable)(not affected)
lxdsource(unstable)(not affected)

Notes

- lxd <not-affected> (Debian uses OVMF as packaged/fixed in the EDK2 package)
- incus <not-affected> (Debian uses OVMF as packaged/fixed in the EDK2 package)
https://www.openwall.com/lists/oss-security/2024/02/14/4
https://bugs.launchpad.net/ubuntu/+source/lxd/+bug/2040139

Search for package or bug name: Reporting problems