CVE-2022-2347

Unchecked Download size in Uboot

Severity Score

7.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

There exists an unchecked length field in UBoot. The U-Boot DFU implementation does not bound the length field in USB DFU download setup packets, and it does not verify that the transfer direction corresponds to the specified command. Consequently, if a physical attacker crafts a USB DFU download setup packet with a `wLength` greater than 4096 bytes, they can write beyond the heap-allocated request buffer.

Se presenta un campo de longitud no comprobado en UBoot. La implementación de U-Boot DFU no vincula el campo de longitud en los paquetes de configuración de descarga de USB DFU, y no verifica que la dirección de transferencia sea correspondida con el comando especificado. En consecuencia, si un atacante físico diseña un paquete de configuración de descarga USB DFU con una "wLength" superior a 4096 bytes, puede escribir más allá del búfer de petición asignado a la pila.

It was discovered that U-Boot incorrectly handled certain USB DFU download setup packets. A local attacker could use this issue to cause U-Boot to crash, resulting in a denial of service, or possibly execute arbitrary code. Nicolas Bidron and Nicolas Guigo discovered that U-Boot incorrectly handled certain fragmented IP packets. A local attacker could use this issue to cause U-Boot to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.

*Credits: N/A

CVSS Scores

Attack Vector

Physical

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

High

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-07-08 CVE Reserved
2022-09-23 CVE Published
2024-09-16 CVE Updated
2024-09-16 First Exploit
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-122: Heap-based Buffer Overflow
CWE-787: Out-of-bounds Write

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC
https://seclists.org/oss-sec/2022/q3/41	2024-09-16

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Denx Search vendor "Denx"		U-boot Search vendor "Denx" for product "U-boot"				>= 2012.10 <= 2022.07 Search vendor "Denx" for product "U-boot" and version " >= 2012.10 <= 2022.07"		-		Affected