NCC Group experts have found two critical vulnerabilities in the U-Boot bootloader, which is used in embedded Linux-based systems, including ChromeOS and Android, as well as in e-readers such as the Amazon Kindle and Kobo eReader. U-Boot supports a range of architectures, including 68k, ARM, x86, MIPS, Nios, PPC, and more.
The researchers write that problems were found in the IP defragmentation algorithm implemented in U-Boot. Bugs can be used to implement out-of-bounds recording, as well as to provoke a denial of service (DoS).
The first vulnerability, CVE-2022-30790 (9.6 on the CVSS scale), is associated with overwriting the hole descriptor during IP defragmentation, which leads to the fact that metadata and fragments can be changed in such a way as to point to the same place. Because of this, it becomes possible to overwrite metadata with fragmented data, and an attacker has the opportunity to write out-of-bounds.
“This bug can only be exploited on a local network, as it requires the creation of a malicious packet that will most likely be dropped during routing. However, the problem can be effectively used for local rooting of Linux-based embedded devices,” writes the NCC Group.
The second vulnerability, CVE-2022-30552 (CVSS score of 7.1), is a buffer overflow and leads to a denial of service.
The bugs are expected to be fixed by the U-boot developers in an upcoming patch, but so far there are no fixes, but it is emphasized that both vulnerabilities can only be exploited locally.
