The code
analysis platform provider Semmle has publicly disclosed 13 vulnerabilities in
the open-source universal boot loader Das U-Boot.
of Science and Industry, Chicago
The issues, which can lead to remote code execution, are exploitable when U-Boot is configured to use networking and NFS, said Semmle CSO Fermín Serna, who discovered the fault. He noted U-Boot can be found in this state during development or under diskless configurations, but far less infrequently in “final consumer devices using U-Boot.”
Semmle made
the disclosure at the request of U-Boot maintainer Tom Rini and also issued a
temporary, but not fully tested, patch.
The vulnerabilities
in question are covered under: CVE-2019-14192, CVE-2019-14193, CVE-2019-14194,
CVE-2019-14195, CVE-2019-14196, CVE-2019-14197, CVE-2019-14198, CVE-2019-14199,
CVE-2019-14200, CVE-2019-14201, CVE-2019-14202, CVE-2019-14203 and
CVE-2019-14204.
“Through
these vulnerabilities, an attacker in the same network (or controlling a malicious
NFS server) could execute code on the U-Boot powered device. Due to the nature
of this vulnerability, exploitation does not seem extremely complicated,
although it could be made more challenging by using stack cookies, ASLR, or
other memory protection runtime and compile time mitigations,” Serna said.
The issue was discovered on May 15, 2019. Semmle contacted U-Boot maintainers on May 23 after the investigation concluded and received a confirmation from Rini the following day. Public disclosure took place on July 22.
Gloss