ASA-2018-00022 – U-Boot: Insufficient boundary checks in network image boot


Allele Security Alert

ASA-2018-00022

Identifier(s)

ASA-2018-00022, CVE-2018-18439

Title

Insufficient boundary checks in network image boot

Vendor(s)

DENX

Product(s)

U-Boot

Affected version(s)

All released U-Boot versions

Fixed version(s)

Unknown

Proof of concept

Unknown

Description

The U-Boot bootloader supports kernel loading from a variety of network sources, such as TFTP via the `tftpboot` command.

This command does not protect system memory from being overwritten when loading files whose length exceeds the boundaries of the relocated U-Boot memory region, which is filled with the loaded file starting from the address held in the passed `loadAddr` variable.

Therefore an excessively large boot image, served over TFTP, can be crafted to overwrite all U-Boot static and runtime memory segments and, in general, all device-addressable memory starting from the `loadAddr` load address argument.

The memory overwrite can directly lead to arbitrary code execution, fully controlled by the contents of the loaded image.

When verified boot is implemented, the issue allows its intended validation to be bypassed, as the memory overwrite happens before any validation can take place.

The issue can be exploited by several means:

– An excessively large crafted boot image file is parsed by the `tftp_handler` function which lacks any size checks, allowing the memory overwrite.

– A malicious server can manipulate TFTP packet sequence numbers to store downloaded file chunks at arbitrary memory locations, given that the sequence number is directly used by the `tftp_handler` function to calculate the destination address for downloaded file chunks.

Additionally, the `store_block` function, used to store downloaded file chunks in memory, triggers an unchecked integer underflow when invoked by `tftp_handler` with a `tftp_cur_block` value of 0.

This potentially allows memory located before `loadAddr` to be overwritten when a packet with a null (zero) block number is sent after at least one valid packet.
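The two defects described above (no size check on the destination region, and a block number of zero underflowing the destination offset) are both closed by the same kind of bound check. The following is an added illustration written for this alert, not U-Boot source: `load_region`, `store_block_checked` and `try_store` are constructed names, and the 4 KiB region is a constructed stand-in for the memory at `loadAddr`.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added illustration, not U-Boot source: a TFTP block-store routine that
 * bounds every write to the load region rather than trusting the block
 * number and payload length received from the server. All names here
 * (load_region, store_block_checked, try_store) are constructed. */
#define TFTP_BLOCK_SIZE 512u

enum store_result { STORE_OK = 0, STORE_BAD_BLOCK = -1, STORE_OUT_OF_BOUNDS = -2 };

/* Stand-in for the memory region starting at loadAddr. */
struct load_region {
    uint8_t *base;
    size_t   size;   /* bytes available from base */
};

/* Store one received data block. `block` is the cumulative 1-based block
 * count (the 16-bit wire field is tracked across rollover by the caller).
 * Block 0 is never a data block, so rejecting it removes the underflow
 * that an unchecked (block - 1) would otherwise produce. */
enum store_result store_block_checked(struct load_region *r, uint32_t block,
                                      const uint8_t *data, size_t len)
{
    if (block == 0 || len > TFTP_BLOCK_SIZE)
        return STORE_BAD_BLOCK;

    /* 64-bit offset so a huge block number cannot wrap around. */
    uint64_t offset = (uint64_t)(block - 1) * TFTP_BLOCK_SIZE;
    if (offset > r->size || len > r->size - offset)
        return STORE_OUT_OF_BOUNDS;

    memcpy(r->base + offset, data, len);
    return STORE_OK;
}

/* Constructed scenario: a 4 KiB load region (room for exactly 8 full
 * blocks) is fed `len` filler bytes claimed to be block `block`. */
enum store_result try_store(uint32_t block, size_t len)
{
    static uint8_t region_mem[4096];
    struct load_region r = { region_mem, sizeof region_mem };
    static uint8_t payload[TFTP_BLOCK_SIZE + 1];
    memset(payload, 0xAB, sizeof payload);
    if (len > sizeof payload)
        len = sizeof payload;
    return store_block_checked(&r, block, payload, len);
}
```

Blocks 1 to 8 land inside the region; block 9, block 0, an oversized payload, and a block number large enough to wrap a 32-bit offset are all refused before any byte is written.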

Reference(s)

Security advisory: U-Boot verified boot bypass
https://github.com/inversepath/usbarmory/blob/master/software/secure_boot/Security_Advisory-Ref_IPVR2018-0001.txt

CVE-2018-18439, CVE-2018-18440 – U-Boot verified boot bypass vulnerabilities
https://seclists.org/oss-sec/2018/q4/125

CVE-2018-18439
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18439

CVE-2018-18439
https://nvd.nist.gov/vuln/detail/CVE-2018-18439

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: February 1, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.