Network Security

13 vulnerabilities disclosed in U-Boot loader

The code analysis platform provider Semmle has publicly disclosed 13 vulnerabilities in the open-source universal boot loader Das U-Boot.

Courtesy J.B. Spector/Museum of Science and Industry, Chicago
Courtesy J.B. Spector/Museum
of Science and Industry, Chicago

The issues, which can lead to remote code execution, are exploitable when U-Boot is configured to use networking and NFS, said Semmle CSO Fermín Serna, who discovered the fault. He noted U-Boot can be found in this state during development or under diskless configurations, but far less infrequently in "final consumer devices using U-Boot."

Semmle made the disclosure at the request of U-Boot maintainer Tom Rini and also issued a temporary, but not fully tested, patch.

The vulnerabilities in question are covered under: CVE-2019-14192, CVE-2019-14193, CVE-2019-14194, CVE-2019-14195, CVE-2019-14196, CVE-2019-14197, CVE-2019-14198, CVE-2019-14199, CVE-2019-14200, CVE-2019-14201, CVE-2019-14202, CVE-2019-14203 and CVE-2019-14204.

“Through these vulnerabilities, an attacker in the same network (or controlling a malicious NFS server) could execute code on the U-Boot powered device. Due to the nature of this vulnerability, exploitation does not seem extremely complicated, although it could be made more challenging by using stack cookies, ASLR, or other memory protection runtime and compile time mitigations,” Serna said.

The issue was discovered on May 15, 2019. Semmle contacted U-Boot maintainers on May 23 after the investigation concluded and received a confirmation from Rini the following day. Public disclosure took place on July 22.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.