Cybersecurity researchers have disclosed two unpatched safety vulnerabilities within the open-source U-Boot boot loader.
The problems, which have been uncovered within the IP defragmentation algorithm applied in U-Boot by NCC Group, could possibly be abused to attain arbitrary out-of-bounds write and denial-of-service (DoS).
U-Boot is a boot loader utilized in Linux-based embedded programs equivalent to ChromeOS in addition to e book readers equivalent to Amazon Kindle and Kobo eReader.
The problems are summarized under –
- CVE-2022-30790 (CVSS rating: 9.6) – Gap Descriptor overwrite in U-Boot IP packet defragmentation results in an arbitrary out-of-bounds write primitive.
- CVE-2022-30552 (CVSS rating: 7.1) – Giant buffer overflow results in DoS in U-Boot IP packet defragmentation code
It is value noting that each the issues are exploitable solely from the native community. However doing so can allow an attacker to root the units and result in a DoS by crafting a malformed packet.
The shortcomings are anticipated to be addressed by U-boot maintainers in an upcoming patch, following which customers are beneficial to replace to the newest model.
