There is an unchecked length field in U-Boot. The U-Boot DFU implementation does not bound the length field in USB DFU download setup packets, and it does not verify that the transfer direction corresponds to the specified command. Consequently, if a physical attacker crafts a USB DFU download setup packet with a `wLength` greater than 4096 bytes, they can write beyond the heap-allocated request buffer.
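The two missing checks named in the description, written as a setup-packet validator. This is an added example, not U-Boot's code or its actual fix: the function, type and constant names are hypothetical, the 4096-byte buffer size is taken from the description, and the request codes are those of the USB DFU 1.1 specification.

```c
#include <stdint.h>
#include <stdio.h>

/* Constants from the USB 2.0 and USB DFU 1.1 specifications. */
#define USB_DIR_IN      0x80u   /* bmRequestType bit 7: device-to-host */
#define DFU_DNLOAD      1u
#define DFU_UPLOAD      2u
#define DFU_GETSTATUS   3u
#define DFU_GETSTATE    5u

/* Request buffer size implied by the description (assumed constant name). */
#define REQ_BUF_SIZE    4096u

/* Setup packet fields, already decoded from little-endian wire order. */
struct setup_pkt {
    uint8_t  bmRequestType;
    uint8_t  bRequest;
    uint16_t wValue, wIndex, wLength;
};

enum verdict { SETUP_OK = 0, SETUP_BAD_DIR = -1, SETUP_TOO_LONG = -2 };

/* Hypothetical validator: reject before any data stage touches the buffer. */
enum verdict dfu_check_setup(const struct setup_pkt *s)
{
    int dir_in = (s->bmRequestType & USB_DIR_IN) != 0;
    int wants_in = s->bRequest == DFU_UPLOAD || s->bRequest == DFU_GETSTATUS ||
                   s->bRequest == DFU_GETSTATE;

    /* Direction must correspond to the command: DNLOAD is OUT, UPLOAD is IN. */
    if (dir_in != wants_in)
        return SETUP_BAD_DIR;
    /* wLength is host-controlled; bound it by the buffer it will fill. */
    if (s->wLength > REQ_BUF_SIZE)
        return SETUP_TOO_LONG;
    return SETUP_OK;
}

int main(void)
{
    /* Constructed sample packets, not captured traffic. */
    struct setup_pkt ok   = { 0x21, DFU_DNLOAD, 0, 0, 4096 };
    struct setup_pkt big  = { 0x21, DFU_DNLOAD, 0, 0, 4097 };
    struct setup_pkt flip = { 0xA1, DFU_DNLOAD, 0, 0, 64 };
    printf("%d %d %d\n", dfu_check_setup(&ok), dfu_check_setup(&big),
           dfu_check_setup(&flip));
    return 0;
}
```
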
CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
| Metric | Value |
|---|---|
| Attack Vector | PHYSICAL |
| Attack Complexity | HIGH |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | CHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |
| Source | Type | Description |
|---|---|---|
| [email protected] | Secondary | CWE-122 |
| [email protected] | Primary | CWE-787 |
| Vendor | Product | Version | Update | Type |
|---|---|---|---|---|
| denx | u-boot | * | * | Application |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:a:denx:u-boot:*:*:*:*:*:*:*:* |