[Bug 2101797] Re: built-in shell still present in AAVMF secboot image
Launchpad Bug Tracker
2101797 at bugs.launchpad.net
Thu May 29 17:42:35 UTC 2025
This bug was fixed in the package edk2 - 2024.05-2ubuntu0.3
---------------
edk2 (2024.05-2ubuntu0.3) oracular-security; urgency=medium
* Disable the built-in Shell when SecureBoot is enabled (LP: #2101797)
* d/tests/shell.py: Align aarch64 snakeoil tests w/ x64.
* SECURITY UPDATE: UEFI Shell accessible in AAVMF with Secure Boot enabled
- CVE-2025-2486
-- Mate Kukri <mate.kukri at canonical.com> Wed, 07 May 2025 15:51:19 +0100
** Changed in: edk2 (Ubuntu Oracular)
Status: New => Fix Released
** Changed in: edk2 (Ubuntu Noble)
Status: New => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to edk2 in Ubuntu.
https://bugs.launchpad.net/bugs/2101797
Title:
built-in shell still present in AAVMF secboot image
Status in edk2 package in Ubuntu:
Fix Released
Status in edk2 source package in Noble:
Fix Released
Status in edk2 source package in Oracular:
Fix Released
Bug description:
[ Impact ]
* As a response to CVE-2023-48733 / LP: #2040137, we removed the UEFI
Shell from Secure Boot OVMF images.
* Unfortunately the AAVMF build code does not respect the flag that was used to
do this, and hence AAVMF remains vulnerable to Shell based Secure Boot
bypasses.
* This issue is now known as CVE-2025-2486.
* In response to CVE-2023-48733, a different patch was backported to
Jammy and Focal, that merely disables the Shell, but does not remove
it, which did apply to AAVMF as well, hence only Noble, Oracular, and
Plucky are vulnerable.
* Plucky is getting changed to fully remove the Shell from Secure
Boot AAVMF images.
* For Noble and Oracular the Jammy patch that disables the Shell will
be forward ported.
[ Test Plan ]
* Verify that AAVMF on Noble and Oracular no longer allows launching
the Shell with Secure Boot enabled.
[ Where problems could occur ]
* If someone is using the UEFI Shell with Secure Boot enabled in
AAVMF on Noble and Oracular, their usecase will break, but
unfortunately breaking such usecases is required to mitigate
CVE-2025-2486.
Preserving the original bug report below:
===============================================================================
I discovered that our qemu-efi-aarch64 package (src:edk2) is still susceptible to CVE-2023-48733. That was bug 2040137. noble and oracular are vulnerable; jammy is not vulnerable, due to a different mitigation method. For jammy, we left the shell in the images, but we added code to refuse to start it if Secure Boot was enforcing. That code works for both X86 and AAVMF.
The mitigation for noble was to build the secboot images without a
built-in UEFI shell by setting the build flag -DBUILD_SHELL=FALSE.
While this worked for X86 (ovmf), it turns out that the AAVMF (arm64)
image build did not respect that flag. Upstream recently began
respecting this flag for AAVMF builds as a side-effect of this change:
https://github.com/tianocore/edk2/commit/cb672a8eb10ff48b385b53c5fd13e7f175efa94d
The first upstream release containing that is edk2-stable-202502,
which is now in plucky-proposed.
This came to my attention while packaging this new upstream release.
One of the dep-8 tests started to fail - and upon investigation, I
realized it *should* have been failing the entire time.
The runes for this are public, but the security impact is not
explicitly mentioned. I uploaded the new upstream to Debian last
weekend, and I fixed the test case with a vague changelog entry:
https://salsa.debian.org/qemu-team/edk2/-/commit/93a2f10eb39a94dc744da0968ac6552e41265383
A user has since reported an issue about the Shell going away:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1099424
One reading that with the right context might deduce that a previous release may suffer from this vulnerability.
I think the easiest thing to do would be to forward port the jammy
mitigation. We may want to guard it to not apply to X86,
because users may have decided to enable SecureBoot on ovmf with a
non-secboot image. I have updated dep-8 tests in my local tree that we
could add as well that explicitly test that the shell is not available
in secboot images.
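As an added example (not code from the bug report or from the edk2 package), the following Python scanner checks whether the UEFI Shell's FFS file is still present in an EDK2 flash image such as AAVMF's secboot build. It decompresses every LZMA GUIDed section (the DXE firmware volume in ArmVirtQemu images is LZMA-compressed, so a raw byte search alone gives a false "absent") and looks for the Shell's FILE_GUID. It assumes the standard ShellPkg FILE_GUID and EDK2's LZMA custom-decompress GUID, and it only verifies the removal-style mitigation (-DBUILD_SHELL=FALSE); the Jammy-style runtime disable leaves the file in the image, so that fix still needs a boot-time test like d/tests/shell.py.

```python
"""Check an EDK2 flash image for the built-in UEFI Shell, decompressing LZMA sections."""
import lzma
import sys
import uuid

# FILE_GUID of ShellPkg/Application/Shell/Shell.inf, in on-disk (mixed-endian) EFI_GUID form
UEFI_SHELL_FILE_GUID = uuid.UUID("7C04A583-9E3E-4F1C-AD65-E05268D0B4D1").bytes_le
# SectionDefinitionGuid used by EDK2 for LZMA-compressed GUIDed sections
LZMA_SECTION_GUID = uuid.UUID("EE4E5898-3914-4259-9D6E-DC7BD79403CF").bytes_le
EFI_SECTION_GUID_DEFINED = 0x02
GUIDED_HDR_LEN = 24  # Size[3] + Type[1] + Guid[16] + DataOffset[2] + Attributes[2]


def lzma_sections(image: bytes):
    """Yield the decompressed payload of each LZMA GUIDed section found in the image."""
    pos = image.find(LZMA_SECTION_GUID)
    while pos != -1:
        start = pos - 4  # the GUID sits right after Size[3] and Type[1]
        if start >= 0 and image[start + 3] == EFI_SECTION_GUID_DEFINED:
            size = int.from_bytes(image[start:start + 3], "little")
            data_off = int.from_bytes(image[start + 20:start + 22], "little")
            blob = image[start + data_off:start + size]
            # LzmaCompress emits the legacy .lzma ("alone") header; the slice is exact,
            # so the decompressor is not fed trailing flash padding.
            dec = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE)
            try:
                yield dec.decompress(blob)
            except lzma.LZMAError:
                pass  # spurious GUID match or truncated stream: skip it
        pos = image.find(LZMA_SECTION_GUID, pos + 1)


def shell_present(image: bytes) -> bool:
    """True if the Shell FFS GUID appears in the raw image or in any decompressed volume."""
    if UEFI_SHELL_FILE_GUID in image:
        return True
    return any(UEFI_SHELL_FILE_GUID in fv for fv in lzma_sections(image))


def build_lzma_section(payload: bytes) -> bytes:
    """Constructed sample for testing: wrap payload in an LZMA GUIDed section with flash padding."""
    comp = lzma.compress(payload, format=lzma.FORMAT_ALONE)
    size = GUIDED_HDR_LEN + len(comp)
    header = (size.to_bytes(3, "little") + bytes([EFI_SECTION_GUID_DEFINED]) + LZMA_SECTION_GUID
              + GUIDED_HDR_LEN.to_bytes(2, "little") + (1).to_bytes(2, "little"))
    return b"\xff" * 16 + header + comp + b"\xff" * 16


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        print("UEFI Shell present" if shell_present(f.read()) else "UEFI Shell absent")
```

Run it as `python3 scan_shell.py /usr/share/AAVMF/AAVMF_CODE.secboot.fd` (assumed path) on the image under test; a result of "present" on an image that is supposed to have been built with -DBUILD_SHELL=FALSE is exactly the condition this bug describes.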