Cybersecurity researchers have disclosed two unpatched security vulnerabilities in the open-source U-Boot boot loader.
The issues, which were uncovered by NCC Group in the IP defragmentation algorithm implemented in U-Boot, could be abused to achieve arbitrary out-of-bounds write and denial-of-service (DoS).
U-Boot is a boot loader used in Linux-based embedded systems such as ChromeOS as well as ebook readers such as Amazon Kindle and Kobo eReader.
The issues are summarized below –
- CVE-2022-30790 (CVSS score: 9.6) – Hole Descriptor overwrite in U-Boot IP packet defragmentation leads to an arbitrary out-of-bounds write primitive.
- CVE-2022-30552 (CVSS score: 7.1) – Large buffer overflow leads to DoS in U-Boot IP packet defragmentation code.
It's worth noting that both flaws are exploitable only from the local network. But doing so can enable an attacker to root the devices and lead to a DoS by crafting a malformed packet.
The shortcomings are expected to be addressed by U-Boot maintainers in an upcoming patch, following which users are recommended to update to the latest version.