Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Endpoint Security

Critical U-Boot Vulnerability Allows Rooting of Embedded Systems

A critical vulnerability in the U-Boot boot loader could be exploited to write arbitrary data, which can allow an attacker to root Linux-based embedded systems, according to NCC Group.

A critical vulnerability in the U-Boot boot loader could be exploited to write arbitrary data, which can allow an attacker to root Linux-based embedded systems, according to NCC Group.

An open-source boot loader, U-Boot is used in various types of embedded systems, including ChromeOS and Android. It supports multiple architectures, including 68k, ARM, x86, MIPS, Nios, PPC, and more.

NCC Group explains that the IP defragmentation algorithm implemented in U-Boot is plagued by two vulnerabilities that can be exploited from the local network by crafting malformed packets.

Tracked as CVE-2022-30790 (CVSS score of 9.6), the first of the vulnerabilities exposes the defragmentation algorithm to a hole descriptor overwrite attack, NCC’s researchers say.

Because of this security bug, the metadata and fragment can be forged to point to the same location, which leads to the metadata being overwritten with fragmented data.

An attacker can trigger an arbitrary write by sending a second fragment, “whose offset and length only need to fit within the hole pointed to by the previously controlled metadata.”

“This bug is only exploitable from the local network as it requires crafting a malformed packet which would most likely be dropped during routing. However, this can be effectively leveraged to root Linux-based embedded devices locally,” NCC Group says.

Tracked as CVE-2022-30552 (CVSS score of 7.1), the second vulnerability is described as a buffer overflow that could lead to a denial of service (DoS).

The issue can be exploited by crafting a malformed packet that has a specific value lower than the minimum accepted total length, which would result in the called function attempting to make a copy of a greater size than the buffer can withhold.

NCC Group informed the U-Boot maintainers of the vulnerabilities on May 18. Fixes are in the works, but details on the bugs were published ahead of patch availability, given that U-Boot’s vulnerability disclosure process is handled publicly, via their mailing list.

“Update to the latest master branch version once the fix has been committed,” NCC Group notes.

Related: Intel Patches High-Severity Vulnerabilities in BIOS, Boot Guard

Related: Firmware Flaws Allow Disabling Secure Boot on Lenovo Laptops

Related: Researchers Devise New Type of Bluetooth LE Relay Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.