Das U-Boot through 2020.01 allows attackers to bypass verified boot restrictions and subsequently boot arbitrary images by providing a crafted FIT image to a system configured to boot the default configuration.

Das U-Boot through 2020.01 allows attackers to bypass verified boot restrictions and subsequently boot arbitrary images by providing a crafted FIT image to a system configured to boot the default configuration.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Das U-Boot through 2020.01 allows attackers to bypass verified boot restrictions and subsequently boot     arbitrary images by providing a crafted FIT image to a system configured to boot the default     configuration. (CVE-2020-10648)

Note that Nessus relies on the presence of the package as reported by the vendor.

This update for u-boot fixes the following issues :

Fix network boot on Raspberry Pi 3 B+ (bsc#1098649)

Fix GOP pixel format (bsc#1098447)

Fix SD writes on Raspberry Pi

Enable a few more armv7 boards to boot with EFI

Fix potentially miscompiled runtime service calls

Fix CVE-2019-14192 (bsc#1143777), CVE-2019-14193 (bsc#1143817), CVE-2019-14199 (bsc#1143824), CVE-2019-14197 (bsc#1143821), CVE-2019-14200 (bsc#1143825), CVE-2019-14201 (bsc#1143827), CVE-2019-14202 (bsc#1143828), CVE-2019-14203 (bsc#1143830), CVE-2019-14204 (bsc#1143831), CVE-2019-14194 (bsc#1143818), CVE-2019-14198 (bsc#1143823), CVE-2019-14195 (bsc#1143819), CVE-2019-14196 (bsc#1143820), CVE-2019-13103 (bsc#1143463), CVE-2020-8432 (bsc#1162198), CVE-2019-11059 (bsc#1134853), CVE-2019-11690 (bsc#1134157) and CVE-2020-10648 (bsc#1167209)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for u-boot fixes the following issues :

CVE-2019-14192 (bsc#1143777), CVE-2019-14193 (bsc#1143817), CVE-2019-14199 (bsc#1143824), CVE-2019-14197 (bsc#1143821), CVE-2019-14200 (bsc#1143825), CVE-2019-14201 (bsc#1143827), CVE-2019-14202 (bsc#1143828), CVE-2019-14203 (bsc#1143830), CVE-2019-14204 (bsc#1143831), CVE-2019-14194 (bsc#1143818), CVE-2019-14198 (bsc#1143823), CVE-2019-14195 (bsc#1143819), CVE-2019-14196 (bsc#1143820), CVE-2019-13103 (bsc#1143463), CVE-2020-8432 (bsc#1162198), CVE-2019-11059 (bsc#1134853), CVE-2019-11690 (bsc#1134157) and CVE-2020-10648 (bsc#1167209)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for u-boot fixes the following issues :

CVE-2020-8432: Fixed a double free in the cmd/gpt.c do_rename_gpt_parts() function, which allowed an attacker to execute arbitrary code (bsc#1162198)

CVE-2020-10648: Fixed improper signature verification during verified boot (bsc#1167209).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for u-boot fixes the following issues :

CVE-2019-14192 (bsc#1143777), CVE-2019-14193 (bsc#1143817), CVE-2019-14199 (bsc#1143824), CVE-2019-14197 (bsc#1143821), CVE-2019-14200 (bsc#1143825), CVE-2019-14201 (bsc#1143827), CVE-2019-14202 (bsc#1143828), CVE-2019-14203 (bsc#1143830), CVE-2019-14204 (bsc#1143831), CVE-2019-14194 (bsc#1143818), CVE-2019-14198 (bsc#1143823), CVE-2019-14195 (bsc#1143819), CVE-2019-14196 (bsc#1143820), CVE-2019-13103 (bsc#1143463), CVE-2020-8432 (bsc#1162198), CVE-2019-11059 (bsc#1134853), CVE-2019-11690 (bsc#1134157) and CVE-2020-10648 (bsc#1167209)

This update was imported from the SUSE:SLE-15-SP1:Update update project.

This update for u-boot fixes the following issues :

  - CVE-2020-8432: Fixed a double free in the cmd/gpt.c     do_rename_gpt_parts() function, which allowed an     attacker to execute arbitrary code (bsc#1162198) 

  - CVE-2020-10648: Fixed improper signature verification     during verified boot (bsc#1167209).

This update was imported from the SUSE:SLE-15-SP2:Update update project.

ID	Name	Product	Family	Severity
505466	Siemens RuggedCom Rox Improper Input Validation (CVE-2020-10648)	Tenable OT Security	Tenable.ot	high
258226	Linux Distros Unpatched Vulnerability : CVE-2020-10648	Nessus	Misc.	high
143885	SUSE SLES15 Security Update : u-boot (SUSE-SU-2020:3283-1)	Nessus	SuSE Local Security Checks	critical
143727	SUSE SLED15 / SLES15 Security Update : u-boot (SUSE-SU-2020:3282-1)	Nessus	SuSE Local Security Checks	critical
143689	SUSE SLED15 / SLES15 Security Update : u-boot (SUSE-SU-2020:3161-1)	Nessus	SuSE Local Security Checks	critical
142922	openSUSE Security Update : u-boot (openSUSE-2020-1930)	Nessus	SuSE Local Security Checks	critical
142615	openSUSE Security Update : u-boot (openSUSE-2020-1869)	Nessus	SuSE Local Security Checks	critical

Detections

Analytics

CVE-2020-10648

high

Tenable Plugins

high

high

critical

critical

critical

critical

critical