Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS : U-Boot vulnerabilities (USN-5764-1)

critical Nessus Plugin ID 168465

Synopsis

The remote Ubuntu host is missing one or more security updates.

Description

The remote Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS / 22.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5764-1 advisory.

- There exists an unchecked length field in UBoot. The U-Boot DFU implementation does not bound the length field in USB DFU download setup packets, and it does not verify that the transfer direction corresponds to the specified command. Consequently, if a physical attacker crafts a USB DFU download setup packet with a `wLength` greater than 4096 bytes, they can write beyond the heap-allocated request buffer.
(CVE-2022-2347)

- Das U-Boot 2022.01 has a Buffer Overflow. (CVE-2022-30552)

- nfs_lookup_reply in net/nfs.c in Das U-Boot through 2022.04 (and through 2022.07-rc2) has an unbounded memcpy with a failed length check, leading to a buffer overflow. NOTE: this issue exists because of an incorrect fix for CVE-2019-14196. (CVE-2022-30767)

- Das U-Boot 2022.01 has a Buffer Overflow, a different issue than CVE-2022-30552. (CVE-2022-30790)

- Das U-Boot from v2020.10 to v2022.07-rc3 was discovered to contain an out-of-bounds write via the function sqfs_readdir(). (CVE-2022-33103)

- squashfs filesystem implementation of U-Boot versions from v2020.10-rc2 to v2022.07-rc5 contains a heap- based buffer overflow vulnerability due to a defect in the metadata reading process. Loading a specially crafted squashfs image may lead to a denial-of-service (DoS) condition or arbitrary code execution.
(CVE-2022-33967)

- In Das U-Boot through 2022.07-rc5, an integer signedness error and resultant stack-based buffer overflow in the i2c md command enables the corruption of the return address pointer of the do_i2c_md function.
(CVE-2022-34835)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://ubuntu.com/security/notices/USN-5764-1

Plugin Details

Severity: Critical

ID: 168465

File Name: ubuntu_USN-5764-1.nasl

Version: 1.5

Type: local

Agent: unix

Published: 12/7/2022

Updated: 10/16/2023

Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.3

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2022-34835

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:canonical:ubuntu_linux:22.04:-:lts, p-cpe:/a:canonical:ubuntu_linux:u-boot-tegra, p-cpe:/a:canonical:ubuntu_linux:u-boot-exynos, p-cpe:/a:canonical:ubuntu_linux:u-boot-mvebu, p-cpe:/a:canonical:ubuntu_linux:u-boot, p-cpe:/a:canonical:ubuntu_linux:u-boot-qemu, p-cpe:/a:canonical:ubuntu_linux:u-boot-qcom, p-cpe:/a:canonical:ubuntu_linux:u-boot-rpi, p-cpe:/a:canonical:ubuntu_linux:u-boot-sunxi, p-cpe:/a:canonical:ubuntu_linux:u-boot-microchip, p-cpe:/a:canonical:ubuntu_linux:u-boot-rockchip, cpe:/o:canonical:ubuntu_linux:18.04:-:lts, p-cpe:/a:canonical:ubuntu_linux:u-boot-sifive, p-cpe:/a:canonical:ubuntu_linux:u-boot-tools, p-cpe:/a:canonical:ubuntu_linux:u-boot-imx, cpe:/o:canonical:ubuntu_linux:20.04:-:lts, p-cpe:/a:canonical:ubuntu_linux:u-boot-amlogic

Required KB Items: Host/cpu, Host/Ubuntu, Host/Ubuntu/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/6/2022

Vulnerability Publication Date: 5/16/2022

Reference Information

CVE: CVE-2022-2347, CVE-2022-30552, CVE-2022-30767, CVE-2022-30790, CVE-2022-33103, CVE-2022-33967, CVE-2022-34835

USN: 5764-1