A critical vulnerability in the U-Boot boot loader could be exploited to write arbitrary data, which can allow an attacker to root Linux-based embedded systems, according to NCC Group.
An open-source boot loader, U-Boot is used in various types of embedded systems, including ChromeOS and Android. It supports multiple architectures, including 68k, ARM, x86, MIPS, Nios, PPC, and more.
NCC Group explains that the IP defragmentation algorithm implemented in U-Boot is plagued by two vulnerabilities that can be exploited from the local network by crafting malformed packets.
Tracked as CVE-2022-30790 (CVSS score of 9.6), the first of the vulnerabilities exposes the defragmentation algorithm to a hole descriptor overwrite attack, NCC’s researchers say.
Because of this security bug, the metadata and fragment can be forged to point to the same location, which leads to the metadata being overwritten with fragmented data.
An attacker can trigger an arbitrary write by sending a second fragment, “whose offset and length only need to fit within the hole pointed to by the previously controlled metadata.”
“This bug is only exploitable from the local network as it requires crafting a malformed packet which would most likely be dropped during routing. However, this can be effectively leveraged to root Linux-based embedded devices locally,” NCC Group says.
Tracked as CVE-2022-30552 (CVSS score of 7.1), the second vulnerability is described as a buffer overflow that could lead to a denial of service (DoS).
The issue can be exploited by crafting a malformed packet that has a specific value lower than the minimum accepted total length, which would result in the called function attempting to make a copy of a greater size than the buffer can withhold.
NCC Group informed the U-Boot maintainers of the vulnerabilities on May 18. Fixes are in the works, but details on the bugs were published ahead of patch availability, given that U-Boot’s vulnerability disclosure process is handled publicly, via their mailing list.
“Update to the latest master branch version once the fix has been committed,” NCC Group notes.
Related: Intel Patches High-Severity Vulnerabilities in BIOS, Boot Guard
Related: Firmware Flaws Allow Disabling Secure Boot on Lenovo Laptops
Related: Researchers Devise New Type of Bluetooth LE Relay Attacks