Bootloader U-Boot: Vulnerabilities allow bypassing the chain of trust
The Universal Boot Loader U-Boot is affected by vulnerabilities that allow attackers to inject arbitrary code.
IT security researchers have discovered several security vulnerabilities in the Universal Boot Loader U-Boot. They allow attackers to circumvent the chain of trust and to inject and execute arbitrary code. Updated software that patches the vulnerabilities is available. U-Boot is used in particular in Linux-based embedded systems, such as Android devices, but also in e-book readers.
The discoverers list the vulnerabilities in an email to the oss-security mailing list. A total of six security vulnerabilities were found. They allow attackers who can modify ext4 or SquashFS file system structures to trigger several memory-safety problems. “On systems that rely on a verified boot process, these vulnerabilities allow attackers to bypass the chain of trust and execute their code,” explain the discoverers. One of the vulnerabilities (CVE-2024-57258) can also be triggered through subsystems other than ext4 or SquashFS.
U-Boot: Update plugs security holes
The security vulnerabilities affect U-Boot up to and including version 2024.10. U-Boot 2025.01-rc1, which fixes these vulnerabilities, is already available as a newer version.
The updated sources can be found in the U-Boot project repository. Projects that build on the U-Boot bootloader should soon ship updated bootloaders, and those affected should install them as soon as possible.
The vulnerabilities are as follows:
- Heap corruption in U-Boot's SquashFS directory listing function (CVE-2024-57259), CVSS 7.1, risk “high”
- Multiple integer overflows in U-Boot's memory allocator (CVE-2024-57258), CVSS 7.1, risk “high”
- Integer overflow in U-Boot's ext4 symlink resolution function (CVE-2024-57256), CVSS 7.1, risk “high”
- Integer overflow in U-Boot's SquashFS symlink resolution function (CVE-2024-57255), CVSS 7.1, risk “high”
- Integer overflow in U-Boot's SquashFS symlink size calculation function (CVE-2024-57254), CVSS 7.1, risk “high”
- Stack overflow in U-Boot's SquashFS symlink resolution function (CVE-2024-57257), CVSS 2.0, risk “low”
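Several entries above are integer overflows in length arithmetic performed on metadata that the author of a filesystem image controls. The C below is an added illustration of that bug class, not U-Boot's code and not the exact flaw behind any listed CVE: a constructed SquashFS-style symlink inode (the real on-disk format does store the symlink size as a 32-bit field) whose length is used with a wrapping "+1", beside a checked version that rejects sizes that would wrap or that exceed the bytes actually present in the image. The struct and function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed SquashFS-style symlink inode; symlink_size is a 32-bit field
 * read straight from the image, so whoever can edit the image controls it. */
struct symlink_inode {
    uint32_t symlink_size;   /* length of the target path, from the image */
    const uint8_t *target;   /* target bytes that follow the inode header */
};

/* Weak pattern: "+1 for the NUL" in 32-bit arithmetic; 0xFFFFFFFF wraps to 0. */
uint32_t alloc_size_unchecked(uint32_t symlink_size)
{
    return symlink_size + 1;
}

/* Hardened pattern: refuse a size whose +1 would wrap, and a size larger than
 * the bytes actually present in the image. Returns 0 on rejection. */
size_t alloc_size_checked(uint32_t symlink_size, size_t bytes_available)
{
    if (symlink_size == UINT32_MAX || (size_t)symlink_size > bytes_available)
        return 0;
    return (size_t)symlink_size + 1;
}

/* Copy the target into a fresh NUL-terminated string; NULL when the metadata
 * is rejected or malloc fails. The caller frees the result. */
char *read_symlink_target(const struct symlink_inode *ino, size_t bytes_available)
{
    size_t n = alloc_size_checked(ino->symlink_size, bytes_available);
    char *buf = n ? malloc(n) : NULL;
    if (!buf)
        return NULL;
    memcpy(buf, ino->target, ino->symlink_size);
    buf[ino->symlink_size] = '\0';
    return buf;
}

/* Constructed sample: returns 1 when the honest inode resolves and the hostile one is rejected. */
int demo(void)
{
    static const uint8_t target[] = "boot/zImage";      /* 11 bytes + NUL */
    struct symlink_inode good = { 11, target }, bad = { UINT32_MAX, target };
    char *s = read_symlink_target(&good, sizeof target);
    int ok = s != NULL && strcmp(s, "boot/zImage") == 0
             && read_symlink_target(&bad, sizeof target) == NULL;
    free(s);
    return ok;
}
```

The unchecked variant returns 0 for a size of 0xFFFFFFFF, which is exactly the kind of undersized allocation that turns a later copy into heap corruption; the checked variant never reaches the allocation for such input.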
Vulnerabilities in U-Boot were last reported around mid-2022. These were even classified as a critical risk and allowed malicious actors to inject malicious code.
(dmk)