Input validation error in Universal Boot Loader (U-Boot) - CVE-2018-1000205

 


Published: June 26, 2018 / Updated: August 8, 2020


Vulnerability identifier: #VU37003
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2018-1000205
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: DENX
Affected software: Universal Boot Loader (U-Boot)

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

U-Boot contains a CWE-20 (Improper Input Validation) vulnerability in verified boot signature validation that can result in a bypass of verified boot. This attack appears to be exploitable via a specially crafted FIT image and special device memory functionality.


How to mitigate CVE-2018-1000205

Install update from vendor's website.
