Allele Security Alert
ASA-2018-00021
Identifier(s)
ASA-2018-00021, CVE-2018-18440
Title
Insufficient boundary checks in filesystem image load
Vendor(s)
DENX
Product(s)
U-Boot
Affected version(s)
All released U-Boot versions
Fixed version(s)
Unknown
Proof of concept
Unknown
Description
The U-Boot bootloader supports kernel loading from a variety of filesystem formats, through the `load` command or its filesystem-specific equivalents (e.g. `ext2load`, `ext4load`, `fatload`, etc.).
These commands do not protect system memory from being overwritten when the loaded file is long enough that, written starting from the passed `addr` argument, it extends past the boundaries of the relocated U-Boot memory region.
Therefore an excessively large boot image, saved on the filesystem, can be crafted to overwrite all U-Boot static and runtime memory segments and, in general, all device-addressable memory starting from the `addr` load address argument.
The memory overwrite can directly lead to arbitrary code execution, fully controlled by the contents of the loaded image.
When verified boot is implemented, the issue allows its intended validation to be bypassed, as the memory overwrite happens before any validation can take place.
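The boundary check that the description above says is missing, shown in a small self-contained C model added here as an illustration (this is not U-Boot's source: the simulated memory map, the `ram` buffer, the reserved region standing in for the relocated bootloader, and all function names are constructed for the example). The checked loader rejects the whole load, before any byte is written, when the destination range would run past RAM, wrap the address space, or overlap the reserved region; the unchecked variant models the overwrite the advisory describes so the two can be compared on the same oversized image.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed memory map (not U-Boot's real layout): "RAM" is a 4 KiB buffer
 * at simulated address 0x1000; its top 1 KiB stands in for the relocated
 * bootloader image and runtime data that a load must never touch. */
#define RAM_BASE      0x1000u
#define RAM_SIZE      0x1000u
#define RAM_END       (RAM_BASE + RAM_SIZE)      /* exclusive */
#define RESERVED_BASE (RAM_END - 0x400u)
#define RESERVED_END  RAM_END                    /* exclusive */

static uint8_t ram[RAM_SIZE];
static const char canary[] = "BOOTLOADER-CODE"; /* marks the reserved region */
static uint8_t big_image[RAM_SIZE];              /* constructed oversized "boot image" */

typedef enum {
    LOAD_OK = 0,
    LOAD_ERR_OUT_OF_RAM,  /* destination outside RAM, or length runs off the end / wraps */
    LOAD_ERR_OVERLAP      /* destination overlaps the reserved bootloader region */
} load_status;

/* Reset simulated RAM and place the canary in the reserved region. */
void reset_ram(void)
{
    memset(ram, 0, sizeof ram);
    memcpy(ram + (RESERVED_BASE - RAM_BASE), canary, sizeof canary);
}

/* 1 if the bootloader canary is intact, 0 if a load overwrote it. */
int canary_intact(void)
{
    return memcmp(ram + (RESERVED_BASE - RAM_BASE), canary, sizeof canary) == 0;
}

/* Byte at a simulated address, or -1 if the address is not in RAM. */
int ram_byte(uint32_t addr)
{
    if (addr < RAM_BASE || addr >= RAM_END) return -1;
    return ram[addr - RAM_BASE];
}

/* The range check every file load should pass before writing anything:
 * [addr, addr+len) must lie inside RAM and must not intersect the reserved
 * region. The subtraction form decides "fits" without ever computing an
 * addr+len that could wrap around. */
load_status check_load_range(uint32_t addr, uint32_t len)
{
    if (addr < RAM_BASE || addr >= RAM_END)
        return LOAD_ERR_OUT_OF_RAM;
    if (len > RAM_END - addr)            /* would run past RAM (covers wraparound) */
        return LOAD_ERR_OUT_OF_RAM;
    uint32_t end = addr + len;           /* exclusive; cannot overflow after the check */
    if (addr < RESERVED_END && end > RESERVED_BASE)
        return LOAD_ERR_OVERLAP;
    return LOAD_OK;
}

/* Unchecked load, modelling the behaviour the advisory describes: the file is
 * copied upwards from addr for its full length, limited only by the end of
 * addressable memory. Returns the number of bytes written. */
size_t unchecked_load(uint32_t addr, const uint8_t *file, size_t len)
{
    if (addr < RAM_BASE || addr >= RAM_END) return 0;
    size_t off = addr - RAM_BASE;
    size_t n = len < RAM_SIZE - off ? len : RAM_SIZE - off;
    memcpy(ram + off, file, n);
    return n;
}

/* Checked load: refuses the whole load rather than truncating it, so an
 * oversized image never reaches memory at all. */
load_status checked_load(uint32_t addr, const uint8_t *file, size_t len, size_t *written)
{
    *written = 0;
    if (len > (size_t)UINT32_MAX) return LOAD_ERR_OUT_OF_RAM;
    load_status st = check_load_range(addr, (uint32_t)len);
    if (st != LOAD_OK) return st;
    memcpy(ram + (addr - RAM_BASE), file, len);
    *written = len;
    return LOAD_OK;
}

/* Drive the unchecked loader with an image as large as all of RAM;
 * returns the canary state afterwards (0 = bootloader region clobbered). */
int oversized_unchecked_clobbers(void)
{
    memset(big_image, 0x41, sizeof big_image);
    reset_ram();
    unchecked_load(RAM_BASE, big_image, sizeof big_image);
    return canary_intact();
}

/* Same image through the checked loader; returns its status and the bytes written. */
load_status oversized_checked(size_t *written)
{
    memset(big_image, 0x41, sizeof big_image);
    reset_ram();
    return checked_load(RAM_BASE, big_image, sizeof big_image, written);
}

int main(void)
{
    size_t n;
    printf("unchecked load: canary intact = %d\n", oversized_unchecked_clobbers());
    load_status st = oversized_checked(&n);
    printf("checked load: status = %d, written = %zu, canary intact = %d\n",
           st, n, canary_intact());
    return 0;
}
```

The check is applied to the destination range as a whole, so a file that fits in RAM but would only partially overlap the reserved region is still rejected, and a length that would wrap the 32-bit address space is caught by the subtraction comparison rather than by an overflowing addition.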
Reference(s)
Security advisory: U-Boot verified boot bypass
https://github.com/inversepath/usbarmory/blob/master/software/secure_boot/Security_Advisory-Ref_IPVR2018-0001.txt
CVE-2018-18439, CVE-2018-18440 – U-Boot verified boot bypass vulnerabilities
https://seclists.org/oss-sec/2018/q4/125
CVE-2018-18440
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18440
CVE-2018-18440
https://nvd.nist.gov/vuln/detail/CVE-2018-18440
If there is any error in this alert, or you would like a comprehensive analysis, let us know.
Last modified: February 1, 2019