SB2023120629 - Multiple vulnerabilities in Buildroot

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2023120629

SB2023120629 - Multiple vulnerabilities in Buildroot

Published: December 6, 2023

Security Bulletin ID SB2023120629
CSH Severity
High
Patch available
YES
Number of vulnerabilities 6
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 6 vulnerabilities.


1) Download of code without integrity check (CVE-ID: CVE-2023-45842)

The vulnerability allows a remote attacker to compromise the affected system

The vulnerability exists due to software does not perform software integrity check when downloading updates within the package hash checking functionality in the mxsldr function. A remote attacker with ability to perform man-in-the-middle (MitM) attack can supply a malicious software image and gain full control over the affected system after a successful software update.


2) Download of code without integrity check (CVE-ID: CVE-2023-45839)

The vulnerability allows a remote attacker to compromise the affected system

The vulnerability exists due to software does not perform software integrity check when downloading updates within the package hash checking functionality in the aufs-util function. A remote attacker with ability to perform man-in-the-middle (MitM) attack can supply a malicious software image and gain full control over the affected system after a successful software update.


3) Download of code without integrity check (CVE-ID: CVE-2023-45838)

The vulnerability allows a remote attacker to compromise the affected system

The vulnerability exists due to software does not perform software integrity check when downloading updates within the package hash checking functionality in the aufs function. A remote attacker with ability to perform man-in-the-middle (MitM) attack can supply a malicious software image and gain full control over the affected system after a successful software update.


4) Download of code without integrity check (CVE-ID: CVE-2023-45840)

The vulnerability allows a remote attacker to compromise the affected system

The vulnerability exists due to software does not perform software integrity check when downloading updates within the package hash checking functionality in the riscv64-elf-toolchain function. A remote attacker with ability to perform man-in-the-middle (MitM) attack can supply a malicious software image and gain full control over the affected system after a successful software update.


5) Download of code without integrity check (CVE-ID: CVE-2023-45841)

The vulnerability allows a remote attacker to compromise the affected system

The vulnerability exists due to software does not perform software integrity check when downloading updates within the package hash checking functionality in the versal-firmware function. A remote attacker with ability to perform man-in-the-middle (MitM) attack can supply a malicious software image and gain full control over the affected system after a successful software update.


6) Download of code without integrity check (CVE-ID: CVE-2023-43608)

The vulnerability allows a remote attacker to compromise the affected system

The vulnerability exists due to software does not perform software integrity check when downloading updates within the BR_NO_CHECK_HASH_FOR functionality. A remote attacker with ability to perform man-in-the-middle (MitM) attack can supply a malicious software image and execute arbitrary commands on the system.


Remediation

Install update from vendor's website.

References