CVE-2020-10648

Severity: Medium
Remote: No
Type: Insufficient validation

Description
An insufficient validation issue has been found in U-Boot versions 2018.03 and 2020.0. Versions prior to 2018.03 may be affected as well. An attacker who possesses a properly signed FIT image can craft arbitrary FIT images that pass signature validation, resulting in the booting and execution of untrusted code. Exploitation relies on the crafted configuration being the one chosen to boot. This may occur, for example, when the attacker is able to modify the default property of the configurations node and the setup does not explicitly choose to boot a specific configuration.
Group     Package      Affected   Fixed      Severity  Status  Ticket
AVG-1117  uboot-tools  2020.01-1  2020.04-1  Medium    Fixed
References
https://www.openwall.com/lists/oss-security/2020/03/18/5
https://labs.f-secure.com/advisories/das-u-boot-verified-boot-bypass/
https://lists.denx.de/pipermail/u-boot/2020-March/403409.html