CVE-2020-10648 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	Medium
Remote	No
Type	Insufficient validation
Description	An insufficient validation issue has been found in U-Boot versions 2018.03 and 2020.0. Versions prior to 2018.03 may be affected as well. An attacker having a properly signed FIT image is able to craft arbitrary FIT images that would pass signature validation, resulting in booting and execution of untrusted code. The exploitation relies on the fact that the crafted configuration will be chosen to be booted. This may occur, for example, when the attacker is able to modify the default property of the configurations node and the setup does not explicitly choose to boot a specific configuration.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-1117	uboot-tools	2020.01-1	2020.04-1	Medium	Fixed

References
https://www.openwall.com/lists/oss-security/2020/03/18/5 https://labs.f-secure.com/advisories/das-u-boot-verified-boot-bypass/ https://lists.denx.de/pipermail/u-boot/2020-March/403409.html