Security News > 2022 > June > Unpatched Critical Flaws Disclosed in U-Boot Bootloader for Embedded Devices
Cybersecurity researchers have disclosed two unpatched security vulnerabilities in the open-source U-Boot boot loader.
The issues, which were uncovered in the IP defragmentation algorithm implemented in U-Boot by NCC Group, could be abused to achieve arbitrary out-of-bounds write and denial-of-service.
U-Boot is a boot loader used in Linux-based embedded systems such as ChromeOS as well as ebook readers such as Amazon Kindle and Kobo eReader.
CVE-2022-30790 - Hole Descriptor overwrite in U-Boot IP packet defragmentation leads to an arbitrary out-of-bounds write primitive.
CVE-2022-30552 - Large buffer overflow leads to DoS in U-Boot IP packet defragmentation code.
The shortcomings are expected to be addressed by U-boot maintainers in an upcoming patch, following which users are recommended to update to the latest version.
News URL
https://thehackernews.com/2022/06/unpatched-critical-flaws-disclosed-in-u.html
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-06-08 | CVE-2022-30790 | Out-of-bounds Write vulnerability in Denx U-Boot 2022.01 Das U-Boot 2022.01 has a Buffer Overflow, a different issue than CVE-2022-30552. | 7.2 |
2022-06-08 | CVE-2022-30552 | Classic Buffer Overflow vulnerability in Denx U-Boot 2022.01 Das U-Boot 2022.01 has a Buffer Overflow. | 2.1 |