A critical vulnerability in the U-Boot boot loader could be exploited to write arbitrary data, which can allow an attacker to root Linux-based embedded systems, according to NCC Group.
An open-source boot loader, U-Boot is used in various types of embedded systems, including ChromeOS and Android. It supports multiple architectures, including 68k, ARM, x86, MIPS, Nios, PPC, and more.
NCC Group explains that the IP defragmentation algorithm implemented in U-Boot is plagued by two vulnerabilities that can be exploited from the local network by crafting malformed packets.
Tracked as CVE-2022-30790 (CVSS score of 9.6), the first of the vulnerabilities exposes the defragmentation algorithm to a hole descriptor overwrite attack, NCC’s researchers say.
Because of this security bug, the metadata and fragment can be forged to point to the same location, which leads to the metadata being overwritten with fragmented data.
An attacker can trigger an arbitrary write by sending a second fragment, “whose offset and length only need to fit within the hole pointed to by the previously controlled metadata.”
“This bug is only exploitable from the local network as it requires crafting a malformed packet which would most likely be dropped during routing. However, this can be effectively leveraged to root Linux-based embedded devices locally,” NCC Group says.
Tracked as CVE-2022-30552 (CVSS score of 7.1), the second vulnerability is described as a buffer overflow that could lead to a denial of service (DoS).
The issue can be exploited by crafting a malformed packet that has a specific value lower than the minimum accepted total length, which would result in the called function attempting to make a copy of a greater size than the buffer can withhold.
NCC Group informed the U-Boot maintainers of the vulnerabilities on May 18. Fixes are in the works, but details on the bugs were published ahead of patch availability, given that U-Boot’s vulnerability disclosure process is handled publicly, via their mailing list.
“Update to the latest master branch version once the fix has been committed,” NCC Group notes.
Related: Intel Patches High-Severity Vulnerabilities in BIOS, Boot Guard
Related: Firmware Flaws Allow Disabling Secure Boot on Lenovo Laptops
Related: Researchers Devise New Type of Bluetooth LE Relay Attacks
More from Ionut Arghire
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Atlassian Warns of Critical Jira Service Management Vulnerability
- Exploitation of Oracle E-Business Suite Vulnerability Starts After PoC Publication
- Google Shells Out $600,000 for OSS-Fuzz Project Integrations
- F5 BIG-IP Vulnerability Can Lead to DoS, Code Execution
- Flaw in Cisco Industrial Appliances Allows Malicious Code to Persist Across Reboots
- HeadCrab Botnet Ensnares 1,200 Redis Servers for Cryptomining
- Malicious NPM, PyPI Packages Stealing User Information
Latest News
- Fraudulent “CryptoRom” Apps Slip Through Apple and Google App Store Review Process
- US Downs Chinese Balloon Off Carolina Coast
- Microsoft: Iran Unit Behind Charlie Hebdo Hack-and-Leak Op
- Feds Say Cyberattack Caused Suicide Helpline’s Outage
- Big China Spy Balloon Moving East Over US, Pentagon Says
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Cyber Insights 2023: Venture Capital
- Atlassian Warns of Critical Jira Service Management Vulnerability
