Vulnerability Management

Six U-Boot vulnerabilities could allow stealthy firmware attacks

Cybersecurity Alert Critical System Vulnerability Detected

Six vulnerabilities have been discovered in the widely used U-Boot bootloader that could allow attackers to execute malicious code during device boot, potentially enabling stealthy firmware attacks that compromise security protections and install persistent malware, according to a recent report by Bleeping Computer.

The vulnerabilities, found in U-Boot's FIT signature verification code, range from denial of service to arbitrary code execution. Two flaws could allow attackers to execute malicious code before the operating system loads, enabling them to disable security features or install persistent malware. The remaining four can be exploited to crash vulnerable devices. These flaws potentially affect over 50 stable releases of the U-Boot project and numerous downstream vendor forks. Exploitation does not always require physical access; attackers with compromised management interfaces could upload malicious firmware.

Binarly has reported the vulnerabilities and submitted patches, which have been accepted into U-Boot's upstream codebase. However, vendors must incorporate these fixes into their firmware updates, meaning older or unsupported devices may never be patched.

Source: Bleeping Computer

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds