Security researchers working with NCC Group reported, in conformance with appropriate security disclosure protocols, two unpatched vulnerabilities in the U-Boot bootloader. Both were found in the IP defragmentation algorithm implemented in U-Boot: CVE-2022-30790, leading to root access on the device and arbitrary code execution, and CVE-2022-30552, leading to denial-of-service (DoS) attacks. U-Boot is an open-source bootloader found in a large number of Linux-based embedded systems, such as ChromeOS and Kindle devices. NCC Group has said it will not release the proof-of-concept (PoC) code until the appropriate patches are made available by the U-Boot maintainers.