CVE-2020-10648 - log

CVE-2020-10648 edited at 19 Mar 2020 09:22:14
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Local
Type
- Unknown
+ Insufficient validation
Description
+ An insufficient validation issue has been found in U-Boot versions 2018.03 and 2020.0. Versions prior to 2018.03 may be affected as well. An attacker having a properly signed FIT image is able to craft arbitrary FIT images that would pass signature validation, resulting in booting and execution of untrusted code. The exploitation relies on the fact that the crafted configuration will be chosen to be booted. This may occur, for example, when the attacker is able to modify the default property of the configurations node and the setup does not explicitly choose to boot a specific configuration.
References
+ https://www.openwall.com/lists/oss-security/2020/03/18/5
+ https://labs.f-secure.com/advisories/das-u-boot-verified-boot-bypass/
+ https://lists.denx.de/pipermail/u-boot/2020-March/403409.html
Notes
CVE-2020-10648 created at 19 Mar 2020 09:19:44