Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2018-1000205 |
CWE-ID | CWE-20 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software Subscribe |
U-Boot Client/Desktop applications / Other client software |
Vendor | DENX |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
EUVDB-ID: #VU37003
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-1000205
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to manipulate data.
U-Boot contains a CWE-20: Improper Input Validation vulnerability in Verified boot signature validation that can result in Bypass verified boot. This attack appear to be exploitable via Specially crafted FIT image and special device memory functionality.
MitigationInstall update from vendor's website.
Vulnerable software versionsU-Boot: All versions
External linkshttp://lists.denx.de/pipermail/u-boot/2018-June/330454.html
http://lists.denx.de/pipermail/u-boot/2018-June/330898.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.