Multiple vulnerabilities have been found in
Das U-Boot, a universal bootloader commonly used in embedded devices like Amazon Kindles, ARM Chromebooks and networking hardware. The bugs could allow attackers to gain full control of an impacted device’s CPU and modify anything they choose.
Researchers at ForAllSecure found the flaws in U-Boot’s file system drivers. They include a recursive stack overflow in the DOS partition parser, a pair of buffer-overflows in ext4 and a double-free memory corruption flaw in ext4. They open the door to denial-of-service attacks, device takeover and code-execution.
There are both local and remote paths to exploitation for these flaws. If a vulnerable device is configured to boot from external media, such as an SD card or USB drive, attackers with physical access could subvert the normal boot process of the device and control the loading of the operating system, giving them substantial control over the device.
If the device is configured to network boot, remote attackers could use an initial method to compromise the corporate or Wi-Fi network that a target device is attached to (including social-engineering malware onto a victim’s endpoint or exploiting known vulnerabilities), and from there attacking the U-Boot device from that local network location.
“The most obvious route for exploitation requires physical access, and could either cause denial of service (possible device bricking) or could subvert the boot process for a device or possibly bypass trusted boot,” Maxwell Koo, ForAllSecure analysis engineer, told Threatpost in an interview. “If device is configured to allow pxe boot and is configured with CONFIG_CMD_FS_GENERIC, there is a possible network avenue of exploitation via CVE-2019-13104 through -13106, with the same impact.” He added, “I’d say it would take moderate-to-high expertise to develop an initial exploit for a given device.”
![[correlate]](/data/avatars/s/79/79653.jpg?1556985072){kind=avatar}
