Allele Security Alert
ASA-2019-00484
Identifier(s)
ASA-2019-00484, CVE-2019-14197
Title
Read out-of-bound data at nfs_read_reply()
Vendor(s)
DENX Software Engineering
Product(s)
Das U-Boot
Affected version(s)
Unknown
Fixed version(s)
Unknown
Proof of concept
Unknown
Description
The function nfs_read_reply() can read data beyond the bounds of its source buffer.
Technical details
The function nfs_read_reply() does not check that the source buffer contains enough data before copying from it, leading to a potential out-of-bounds read access violation.
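    static int nfs_read_reply(uchar *pkt, unsigned len)
    {
        struct rpc_t rpc_pkt;
        [...]
        /* Copies a fixed sizeof(rpc_pkt.u.reply) bytes from pkt;
         * len is not compared against that size first. */
        memcpy(&rpc_pkt.u.data[0], pkt, sizeof(rpc_pkt.u.reply));
        [...]
    }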
An attacker could supply an undersized NFS packet to the socket in reply to a read request, so that the fixed-size copy reads past the end of the received data.
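The missing length check described above, shown next to a checked variant. This is an added example, not U-Boot's code or its actual patch; struct rpc_reply_demo, DEMO_ERR_SHORT_PACKET and both function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for the reply part of U-Boot's struct rpc_t.
 * The field layout here is an assumption made for this example. */
struct rpc_reply_demo {
    uint32_t id, type, rstatus, verifier, v2, astatus;
    uint32_t data[8];
};

#define DEMO_ERR_SHORT_PACKET (-1) /* hypothetical error code */

/* Pattern from the advisory: the copy size is fixed and len is ignored,
 * so a packet shorter than the struct makes memcpy read past pkt. */
int read_reply_unchecked(const unsigned char *pkt, unsigned len,
                         struct rpc_reply_demo *out)
{
    (void)len;
    memcpy(out, pkt, sizeof(*out));
    return 0;
}

/* Hardened form: refuse any packet that cannot fill the fixed-size copy. */
int read_reply_checked(const unsigned char *pkt, unsigned len,
                       struct rpc_reply_demo *out)
{
    if (len < sizeof(*out))
        return DEMO_ERR_SHORT_PACKET;
    memcpy(out, pkt, sizeof(*out));
    return 0;
}

int main(void)
{
    unsigned char full[sizeof(struct rpc_reply_demo)] = {0}; /* constructed input */
    unsigned char tiny[8] = {0};                             /* constructed short packet */
    struct rpc_reply_demo out;

    printf("full packet:  %d\n", read_reply_checked(full, sizeof(full), &out));
    printf("short packet: %d\n", read_reply_checked(tiny, sizeof(tiny), &out));
    return 0;
}
```

The unchecked function is only safe to call with a buffer at least sizeof(struct rpc_reply_demo) bytes long, which is exactly the guarantee a network-supplied packet does not give.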
Credits
Fermín Serna, Pavel Avgustinov and Kevin Backhouse
Reference(s)
U-Boot RCE Vulnerabilities Affecting IoT Devices
https://blog.semmle.com/uboot-remote-code-execution-vulnerability/
U-Boot NFS RCE Vulnerabilities (CVE-2019-14192)
https://blog.semmle.com/uboot-rce-nfs-vulnerability/
[U-Boot] Remote code execution vulnerabilities in U-Boot’s NFS and other IP parsing code
https://lists.denx.de/pipermail/u-boot/2019-July/378001.html
CVE-2019-14197
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14197
CVE-2019-14197
https://nvd.nist.gov/vuln/detail/CVE-2019-14197
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: August 10, 2019