Security News > 2022 > June > Unpatched Critical Flaws Disclosed in U-Boot Bootloader for Embedded Devices

Unpatched Critical Flaws Disclosed in U-Boot Bootloader for Embedded Devices
2022-06-06 07:04

Cybersecurity researchers have disclosed two unpatched security vulnerabilities in the open-source U-Boot boot loader.

The issues, which were uncovered in the IP defragmentation algorithm implemented in U-Boot by NCC Group, could be abused to achieve arbitrary out-of-bounds write and denial-of-service.

U-Boot is a boot loader used in Linux-based embedded systems such as ChromeOS as well as ebook readers such as Amazon Kindle and Kobo eReader.

CVE-2022-30790 - Hole Descriptor overwrite in U-Boot IP packet defragmentation leads to an arbitrary out-of-bounds write primitive.

CVE-2022-30552 - Large buffer overflow leads to DoS in U-Boot IP packet defragmentation code.

The shortcomings are expected to be addressed by U-boot maintainers in an upcoming patch, following which users are recommended to update to the latest version.


News URL

https://thehackernews.com/2022/06/unpatched-critical-flaws-disclosed-in-u.html

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2022-06-08 CVE-2022-30790 Out-of-bounds Write vulnerability in Denx U-Boot 2022.01
Das U-Boot 2022.01 has a Buffer Overflow, a different issue than CVE-2022-30552.
local
low complexity
denx CWE-787
7.2
7.2
2022-06-08 CVE-2022-30552 Classic Buffer Overflow vulnerability in Denx U-Boot 2022.01
Das U-Boot 2022.01 has a Buffer Overflow.
local
low complexity
denx CWE-120
2.1
2.1