SecurityWeek

Critical U-Boot Vulnerability Allows Rooting of Embedded Systems

A critical vulnerability in the U-Boot boot loader could be exploited to write arbitrary data, which can allow an attacker to root Linux-based embedded systems, according to NCC Group.

An open-source boot loader, U-Boot is used in various types of embedded systems, including ChromeOS and Android. It supports multiple architectures, including 68k, ARM, x86, MIPS, Nios, PPC, and more.

NCC Group explains that the IP defragmentation algorithm implemented in U-Boot is plagued by two vulnerabilities that can be exploited from the local network by crafting malformed packets.

Tracked as CVE-2022-30790 (CVSS score of 9.6), the first of the vulnerabilities exposes the defragmentation algorithm to a hole descriptor overwrite attack, NCC’s researchers say.

Because of this security bug, the hole metadata and a fragment can be forged to point to the same location, so the metadata is overwritten with fragment data.

An attacker can trigger an arbitrary write by sending a second fragment, “whose offset and length only need to fit within the hole pointed to by the previously controlled metadata.”

“This bug is only exploitable from the local network as it requires crafting a malformed packet which would most likely be dropped during routing. However, this can be effectively leveraged to root Linux-based embedded devices locally,” NCC Group says.

Tracked as CVE-2022-30552 (CVSS score of 7.1), the second vulnerability is described as a buffer overflow that could lead to a denial of service (DoS).

The issue can be exploited by crafting a malformed packet whose total length field is lower than the minimum accepted total length, which results in the called function attempting to copy more data than the buffer can hold.
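The length-underflow condition described above, shown as an added illustration that is not U-Boot's code or its fix: a copy length derived from a header-supplied total length wraps when that total is smaller than the header, and the hardened variant rejects it before any copy happens. The constants IP_HDR_MIN and REASM_BUF, the function names and the sample header values are assumptions constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IP_HDR_MIN 20u     /* IPv4 header length without options (assumed) */
#define REASM_BUF  65535u  /* reassembly buffer size (assumed for this example) */

/* How a careless reassembler derives the copy length: both values come from
 * the packet, and nothing stops total_len from being smaller than hdr_len.
 * The subtraction then wraps to a huge size_t, which is the "copy larger
 * than the buffer" condition described for CVE-2022-30552. */
size_t unchecked_payload_len(uint16_t total_len, size_t hdr_len)
{
    return (size_t)total_len - hdr_len;
}

/* Hardened version: returns -1 when the header-supplied total length is below
 * the minimum header size, below the actual header length, or would yield a
 * payload larger than the reassembly buffer; otherwise the payload length. */
long checked_payload_len(uint16_t total_len, size_t hdr_len)
{
    if (hdr_len < IP_HDR_MIN || total_len < IP_HDR_MIN || total_len < hdr_len)
        return -1;
    size_t payload = (size_t)total_len - hdr_len;
    if (payload > REASM_BUF)
        return -1;
    return (long)payload;
}

/* Bounds check a fragment must pass before its bytes land in the buffer:
 * [offset, offset + len) has to lie entirely inside REASM_BUF. Written so
 * that offset + len cannot itself overflow. */
bool fragment_in_bounds(size_t offset, size_t len)
{
    return len <= REASM_BUF && offset <= REASM_BUF - len;
}

int main(void)
{
    /* Constructed malformed header: total length 16 with a 20-byte header. */
    printf("unchecked copy length: %zu bytes\n", unchecked_payload_len(16, 20));
    printf("checked copy length:   %ld\n", checked_payload_len(16, 20));
    printf("fragment at 65000+1480 in bounds: %s\n",
           fragment_in_bounds(65000, 1480) ? "yes" : "no");
    return 0;
}
```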

NCC Group informed the U-Boot maintainers of the vulnerabilities on May 18. Fixes are in the works, but details on the bugs were published ahead of patch availability, given that U-Boot’s vulnerability disclosure process is handled publicly, via their mailing list.

“Update to the latest master branch version once the fix has been committed,” NCC Group notes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
