Allele Security Alert
ASA-2019-00486
Identifier(s)
ASA-2019-00486, CVE-2019-14199
Title
Unbounded memcpy when parsing a UDP packet due to integer underflow
Vendor(s)
DENX Software Engineering
Product(s)
Das U-Boot
Affected version(s)
Unknown
Fixed version(s)
Unknown
Proof of concept
Unknown
Description
An integer underflow in net_process_received_packet(), in the length passed to the *udp_packet_handler() call, leads to an unbounded memcpy when parsing a UDP packet.
Technical details
The function net_process_received_packet() is subject to an integer underflow because it uses ip->udp_len without validation. Later, this field is used in a memcpy() in nc_input_packet() and in any UDP packet handlers that are set via net_set_udp_handler() (DNS, DHCP, …).
    #if defined(CONFIG_NETCONSOLE) && !defined(CONFIG_SPL_BUILD)
            nc_input_packet((uchar *)ip + IP_UDP_HDR_SIZE,
                            src_ip,
                            ntohs(ip->udp_dst),
                            ntohs(ip->udp_src),
                            ntohs(ip->udp_len) - UDP_HDR_SIZE); /* <-- integer underflow */
    #endif
            /*
             * IP header OK. Pass the packet to the current handler.
             */
            (*udp_packet_handler)((uchar *)ip + IP_UDP_HDR_SIZE,
                                  ntohs(ip->udp_dst),
                                  src_ip,
                                  ntohs(ip->udp_src),
                                  ntohs(ip->udp_len) - UDP_HDR_SIZE); // <- integer underflow
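The following C sketch is an added example, not code from U-Boot or from this alert: it reproduces the length arithmetic from the excerpt above and contrasts it with a validated variant that rejects an inconsistent udp_len. The function names, the udp_avail parameter and the sample values are assumptions made for illustration, and the check shown is not the upstream fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define UDP_HDR_SIZE 8 /* UDP header size in bytes (RFC 768) */

/* Arithmetic from the excerpt: udp_len (host order) is promoted to int,
 * reduced by the header size, then converted to an unsigned length. */
static unsigned int payload_len_unchecked(uint16_t udp_len)
{
    return (unsigned int)(udp_len - UDP_HDR_SIZE);
}

/* Hypothetical validated variant (not the upstream fix).
 * udp_avail: bytes actually received, counted from the UDP header.
 * Returns 0 and stores the payload length, or -1 to drop the packet. */
static int payload_len_checked(uint16_t udp_len, size_t udp_avail,
                               unsigned int *out)
{
    if (udp_len < UDP_HDR_SIZE)      /* subtraction would go negative */
        return -1;
    if ((size_t)udp_len > udp_avail) /* field claims more than arrived */
        return -1;
    *out = (unsigned int)(udp_len - UDP_HDR_SIZE);
    return 0;
}

int main(void)
{
    /* Constructed sample values: udp_len field, bytes received. */
    static const struct { uint16_t udp_len; size_t avail; } cases[] = {
        { 0, 8 }, { 7, 64 }, { 8, 8 }, { 40, 40 }, { 1400, 40 },
    };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        unsigned int len = 0;
        int rc = payload_len_checked(cases[i].udp_len, cases[i].avail, &len);

        printf("udp_len=%4u avail=%2zu unchecked=%10u checked=",
               (unsigned int)cases[i].udp_len, cases[i].avail,
               payload_len_unchecked(cases[i].udp_len));
        if (rc == 0)
            printf("%u\n", len);
        else
            printf("drop\n");
    }
    return 0;
}
```

Any udp_len below 8 wraps to a value near the top of the unsigned range in the unchecked path, which is the length a handler would then hand to memcpy().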
Credits
Fermín Serna, Pavel Avgustinov and Kevin Backhouse
Reference(s)
U-Boot RCE Vulnerabilities Affecting IoT Devices
https://blog.semmle.com/uboot-remote-code-execution-vulnerability/
U-Boot NFS RCE Vulnerabilities (CVE-2019-14192)
https://blog.semmle.com/uboot-rce-nfs-vulnerability/
[U-Boot] Remote code execution vulnerabilities in U-Boot’s NFS and other IP parsing code
https://lists.denx.de/pipermail/u-boot/2019-July/378001.html
CVE-2019-14199
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14199
CVE-2019-14199
https://nvd.nist.gov/vuln/detail/CVE-2019-14199
Last modified: August 11, 2019