The code analysis platform provider Semmle has publicly disclosed 13 vulnerabilities in the open-source universal boot loader Das U-Boot.

Courtesy J.B. Spector/Museum
of Science and Industry, Chicago

The issues, which can lead to remote code execution, are exploitable when U-Boot is configured to use networking and NFS, said Semmle CSO Fermín Serna, who discovered the fault. He noted U-Boot can be found in this state during development or under diskless configurations, but far less infrequently in “final consumer devices using U-Boot.”

Semmle made the disclosure at the request of U-Boot maintainer Tom Rini and also issued a temporary, but not fully tested, patch.

The vulnerabilities in question are covered under: CVE-2019-14192, CVE-2019-14193, CVE-2019-14194, CVE-2019-14195, CVE-2019-14196, CVE-2019-14197, CVE-2019-14198, CVE-2019-14199, CVE-2019-14200, CVE-2019-14201, CVE-2019-14202, CVE-2019-14203 and CVE-2019-14204.

“Through these vulnerabilities, an attacker in the same network (or controlling a malicious NFS server) could execute code on the U-Boot powered device. Due to the nature of this vulnerability, exploitation does not seem extremely complicated, although it could be made more challenging by using stack cookies, ASLR, or other memory protection runtime and compile time mitigations,” Serna said.

The issue was discovered on May 15, 2019. Semmle contacted U-Boot maintainers on May 23 after the investigation concluded and received a confirmation from Rini the following day. Public disclosure took place on July 22.