"Critical U-Boot Vulnerability Allows Rooting of Embedded Systems"

Security researchers at NCC Group have discovered a critical vulnerability in the U-Boot boot loader. An open-source boot loader, U-Boot is used in various types of embedded systems, including ChromeOS and Android. It supports multiple architectures, including 68k, ARM, x86, MIPS, Nios, PPC, and more. The researchers stated that the IP defragmentation algorithm implemented in U-Boot is affected by two vulnerabilities that can be exploited from the local network by crafting malformed packets.

The first vulnerability, CVE-2022-30790 (CVSS score of 9.6), exposes the defragmentation algorithm to a hole descriptor overwrite attack, NCC's researchers say. Because of this security bug, the metadata and the fragment can be forged to point to the same location, which leads to the metadata being overwritten with fragment data. An adversary can then trigger an arbitrary write by sending a second fragment, "whose offset and length only need to fit within the hole pointed to by the previously controlled metadata." The researchers noted that this bug is only exploitable from the local network, as it requires crafting a malformed packet which would most likely be dropped during routing. However, the researchers say it can be effectively leveraged to root Linux-based embedded devices locally.

The second vulnerability, CVE-2022-30552 (CVSS score of 7.1), is a buffer overflow that could lead to a denial of service (DoS). It can be exploited by crafting a malformed packet whose total length is lower than the minimum accepted value, which results in the called function attempting to copy more data than the destination buffer can hold.

The researchers informed the U-Boot maintainers of the vulnerabilities on May 18, and fixes are in the works.
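The two bugs described above come down to two defensive properties of a fragment reassembler: the hole list (the metadata) must not share memory with the buffer that receives fragment data, and a fragment's length must be derived only after checking that the claimed IP total length is at least as large as the header. The following is an added example written for this page, not U-Boot's code, of a simplified RFC 815-style reassembler that keeps its hole list in a separate array and rejects fragments whose lengths would underflow or overrun the buffer. The buffer size, hole-list capacity and function names are assumptions chosen for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define IP_HDR_MIN      20u     /* minimum IPv4 header length in bytes */
#define REASM_BUF_SIZE  4096u   /* assumed reassembly buffer size for this example */
#define MAX_HOLES       32u     /* assumed capacity of the hole list */

/* Inclusive range of payload bytes not yet received. */
struct hole { uint32_t first, last; };

struct reasm {
    uint8_t     buf[REASM_BUF_SIZE];  /* payload bytes only; never holds metadata */
    struct hole holes[MAX_HOLES];     /* hole list lives here, outside buf */
    size_t      nholes;
    uint32_t    end;                  /* payload length once the last fragment is seen, else 0 */
};

void reasm_init(struct reasm *r)
{
    memset(r, 0, sizeof *r);
    r->holes[0].first = 0;            /* initially the whole buffer is one hole */
    r->holes[0].last  = REASM_BUF_SIZE - 1;
    r->nholes = 1;
}

static void hole_delete(struct reasm *r, size_t i)
{
    memmove(&r->holes[i], &r->holes[i + 1],
            (r->nholes - i - 1) * sizeof r->holes[0]);
    r->nholes--;
}

static void hole_insert(struct reasm *r, uint32_t first, uint32_t last)
{
    r->holes[r->nholes].first = first;
    r->holes[r->nholes].last  = last;
    r->nholes++;
}

/* Accept one fragment. ip_total_len and ihl_bytes come from the IP header,
 * frag_off is the payload offset in bytes, more_frags is the MF flag, and
 * data points at the fragment payload. Returns 1 if stored, 0 if rejected. */
int reasm_add(struct reasm *r, const uint8_t *data, uint16_t ip_total_len,
              uint8_t ihl_bytes, uint32_t frag_off, int more_frags)
{
    /* Length sanity: the header must fit inside the claimed total length,
     * otherwise total - header underflows into a huge payload length. */
    if (ihl_bytes < IP_HDR_MIN || ip_total_len < ihl_bytes)
        return 0;
    uint32_t len = ip_total_len - ihl_bytes;
    if (len == 0)
        return 0;
    uint32_t first = frag_off;
    uint32_t last  = frag_off + len - 1;

    /* Bounds: the fragment must lie entirely inside the reassembly buffer
     * and, once the datagram end is known, inside the datagram. */
    if (first >= REASM_BUF_SIZE || last >= REASM_BUF_SIZE)
        return 0;
    if (r->end && last >= r->end)
        return 0;
    /* A contiguous fragment replaces the holes it overlaps with at most two
     * leftover pieces, so the list grows by at most one entry. */
    if (r->nholes + 1 > MAX_HOLES)
        return 0;

    /* Hole-list update done entirely in the metadata array, never in buf. */
    for (size_t i = 0; i < r->nholes; ) {
        struct hole h = r->holes[i];
        if (first > h.last || last < h.first) { i++; continue; }
        hole_delete(r, i);
        if (first > h.first) hole_insert(r, h.first, first - 1);
        if (last < h.last)   hole_insert(r, last + 1, h.last);
        i = 0;  /* indices shifted; rescan from the start */
    }

    memcpy(r->buf + first, data, len);   /* copy only the validated length */

    if (!more_frags) {
        r->end = last + 1;
        /* Trim or drop holes that extend past the end of the datagram. */
        for (size_t i = 0; i < r->nholes; ) {
            if (r->holes[i].first >= r->end) { hole_delete(r, i); continue; }
            if (r->holes[i].last >= r->end) r->holes[i].last = r->end - 1;
            i++;
        }
    }
    return 1;
}

/* 1 when the last fragment has been seen and no holes remain. */
int reasm_complete(const struct reasm *r)
{
    return r->end != 0 && r->nholes == 0;
}
```

Because the hole descriptors live in `holes[]` rather than inside `buf`, a fragment can never overwrite the bookkeeping that decides where later fragments are written, and because `len` is computed only after the `ip_total_len < ihl_bytes` check, the `memcpy` size can never exceed what the bounds check admitted.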


SecurityWeek reports: "Critical U-Boot Vulnerability Allows Rooting of Embedded Systems"
