CVE-2022-2347
Unchecked Download size in Uboot
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
There exists an unchecked length field in UBoot. The U-Boot DFU implementation does not bound the length field in USB DFU download setup packets, and it does not verify that the transfer direction corresponds to the specified command. Consequently, if a physical attacker crafts a USB DFU download setup packet with a `wLength` greater than 4096 bytes, they can write beyond the heap-allocated request buffer.
Se presenta un campo de longitud no comprobado en UBoot. La implementación de U-Boot DFU no vincula el campo de longitud en los paquetes de configuración de descarga de USB DFU, y no verifica que la dirección de transferencia sea correspondida con el comando especificado. En consecuencia, si un atacante físico diseña un paquete de configuración de descarga USB DFU con una "wLength" superior a 4096 bytes, puede escribir más allá del búfer de petición asignado a la pila.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-07-08 CVE Reserved
- 2022-09-23 CVE Published
- 2024-02-08 EPSS Updated
- 2024-09-16 CVE Updated
- 2024-09-16 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-122: Heap-based Buffer Overflow
- CWE-787: Out-of-bounds Write
CAPEC
References (1)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://seclists.org/oss-sec/2022/q3/41 | 2024-09-16 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Denx Search vendor "Denx" | U-boot Search vendor "Denx" for product "U-boot" | >= 2012.10 <= 2022.07 Search vendor "Denx" for product "U-boot" and version " >= 2012.10 <= 2022.07" | - |
Affected
| ||||||