Researchers have disclosed two new critical vulnerabilities in U-Boot, the most popular bootloader for embedded devices. The security holes could allow an attacker to take complete control of a vulnerable system.
U-Boot is used on millions of devices, including routers, modems, IoT gadgets, and video game consoles. The bootloader is responsible for initializing the hardware and starting the operating system.
What is U-boot Bootloader?
U-boot Bootloader is a well-known boot loader in Linux-based embedded systems, released as a GNU GPL version2 license. This open-source boot loader supports various microprocessors such as ARM, ARV32, MIPS, x86, MicroBlaze, PPC, Nios, etc. This bootloader supports different booting techniques that rescue a system in a fallback situation.
Discovering Vulnerabilities in U-boot Bootloader
Security researchers of the NCC group discovered two unpatched security vulnerabilities with critical severity levels. They uncovered the problem within the IP defragmentation algorithm running in the U-Boot Bootloader (U-boot/net/net.c lines 915 and 1011). IP fragmentation is a process of the internet protocol (IP) that separates data packets into small pieces or fragments. These vulnerabilities are associated with two technical advisories associated with two CVEs, as reported by the NCC cybersecurity research group.
"Hole Descriptor Overwrite in U-Boot IP Packet Defragmentation Leads to Arbitrary Out of Bounds Write Primitive (CVE-2022-30790) with CVSS rating: 9.6.
Massive buffer overflow leads to DoS in U-Boot IP Packet Defragmentation Code (CVE-2022-30552) with CVSS rating: 7.1.
Arbitrary out of bounds Write and Buffer overflow for Denial of Service (DoS) are two well-known vulnerabilities that can cause severe damage to a system leveraging U-boot Bootloader. Modern systems such as e-book reading giant Amazon Kindle, Kobo eReader, and devices such as ChromeOS use this bootloader in their embedded system. Security researchers should also consider that the two disclosed vulnerabilities get exploited only from a local network.
May 18, 2022: NCC security group send the first email to U-boot maintainers, announcing the identification of two vulnerabilities.
May 18, 2022: NCC security group posts a complete write-up of the two exposures, explaining the attack and threats on their public mailing list.
May 25, 2022: The maintainers implement a fix on the two findings.
May 26, 2022: U-Boot maintainers propose a patch to fix the two CVEs (CVE-2022-30790 and CVE-2022-30552) through the mailing list.
May 31, 2022: U-boot maintainers and NCC Group jointly agree to publish the advisories before patch deployment.
What damage can attackers cause by exploiting these vulnerabilities?
With the help of this vulnerability, attackers can root any vulnerable device or embedded system or craft a mal-formatted data packet from the local network. Attackers can also launch a DoS attack through that crafted mal-formatted data packet. The U-boot maintainers and community members will hopefully address these vulnerabilities in their upcoming patches.
There are some preventative measures that users can take to mitigate U-boot vulnerabilities:
Enterprises should identify the devices and embedded systems using U-boot Bootloader. Once identified, they should report it to the U-boot management team and the organization's patch management support team
U-boot Bootloader support community should patch these two vulnerabilities immediately
Since the code of U-boot Bootloader is open-source, developers can write a separate module that will ignore the out-of-bound write privilege
Consider penetration testing to ensure all vulnerabilities are identified
U-boot Bootloader is a critical piece of software for many devices and embedded systems. The recent disclosure of two unpatched vulnerabilities highlights the importance of keeping this software up to date. Enterprises should take preventative measures to mitigate these vulnerabilities, such as identifying devices and embedded systems using U-boot Bootloader, patching immediately, and writing separate code to ignore out-of-bound write privilege. Penetration testing can also ensure that all vulnerabilities are identified.