U-Boot RCE Vulnerabilities Affecting IoT Devices

July 24, 2019


Reading time

Today, Semmle CSO Fermín J. Serna announced the public disclosure of 13 vulnerabilities in U-Boot, leading to potential Remote Code Execution (RCE) when U-Boot is configured to use networking to fetch data.

This public disclosure comes as a request from the main U-Boot maintainer Tom Rini, along with a temporary patch that Semmle proposed to the U-boot maintainers.

MITRE has issued the following CVEs for the 13 vulnerabilities: CVE-2019-14192, CVE-2019-14193, CVE-2019-14194, CVE-2019-14195, CVE-2019-14196, CVE-2019-14197, CVE-2019-14198, CVE-2019-14199, CVE-2019-14200, CVE-2019-14201, CVE-2019-14202, CVE-2019-14203 and CVE-2019-14204.

Das U-Boot (commonly known as “universal boot loader”) is a popular primary bootloader. It’s widely used in embedded devices to fetch data from different sources and run the next stage code, most commonly (but not limited to) a Linux Kernel. You can find U-Boot on many IoT, Kindle, and ARM ChromeOS devices.

The vulnerabilities were found in U-Boot’s feature that reads the next stage code from NFS. In several places, the code was doing memcpy-s of user-controlled data and length, with insufficient validation.

Severity and mitigation

The vulnerabilities are remotely exploitable when U-Boot is configured to use networking and NFS. We believe this is a common setup during development stages or diskless configurations, but is not widely used at the final consumer devices using U-Boot.

Through these vulnerabilities, an attacker in the same network (or controlling a malicious NFS server) could execute code on the U-Boot powered device. Due to the nature of this vulnerability, exploitation does not seem extremely complicated, although it could be made more challenging by using stack cookies, ASLR, or other memory protection runtime and compile time mitigations.

A temporary (not thoroughly tested) patch has been made available by Semmle, while U-Boot developers release the final patch.

About the discovery

The issues were first discovered by Semmle CSO Fermín J. Serna.

The first vulnerability was found in two very similar occurrences via source code review, and we used Semmle’s LGTM.com and QL to find the others. It is a plain memcpy overflow with an attacker-controlled size coming from the network packet without any validation.

Fermín J. Serna Semmle CSO

Fermín wrote a basic QL query to find variants of this initial issue in three more problematic call sites. With the help of Pavel Avgustinov and Kevin Backhouse, the query was generalized and they finally found thirteen issues: seven different vulnerable call sites with the same memcpy problem, five stack-based buffer overflows, and one extra read out-of-bounds vulnerability.

For technical details about these vulnerabilities, please read Fermín's post.

Disclosure timeline

  • May 15, 2019 - Fermín Serna initially finds two vulnerabilities and writes a QL query that uncovers three more problematic call sites.
  • May 16, 2019 - Pavel Avgustinov brings some QL magic, generalizes the query, and finds some more parsing ip and udp headers.
  • May 23, 2019 - Kevin Backhouse alerts Pavel and Fermín about an oversight regarding a stack-based buffer overflow via nfs_handler.
  • May 23, 2019 - Semmle security team concludes the investigation and contacts maintainers via email.
  • May 24, 2019 - Tom Rini (U-Boot’s master custodian) acknowledges receiving the security report.
  • July 19, 2019 - Tom Rini requests to make this report public at their public mailing list u-boot@lists.denx.de.
  • July 22, 2019 - To avoid a weekend disclosure, Fermin makes the report public at u-boot@lists.denx.de.

Coordinated disclosure

Semmle takes coordinated disclosure very seriously. In accordance with our standard practice, the Security Research Team has collaborated with the U-Boot project maintainers to ensure an effective patch is made available as quickly as possible. For more information about our security team, the research they do, and our disclosure policy, visit semmle.com/security.

About Semmle

We believe security is a shared responsibility. Our mission is to secure all software by bringing the security and development communities together.

Our technology scales any organization's security expertise using QL to quickly explore any codebase to discover new vulnerabilities and all their variants. We empower product security teams to deliver variant analysis results to development teams using LGTM to ship safe code and protect their customers. Together, Semmle's platform enables the security community to collaborate and share their expertise in the field of variant analysis and security research. Our technology is free to use on open source projects using LGTM.com platform. At the time of writing, analysis results for over 130,000 projects are publicly available on LGTM.com.

Security and software engineering teams at Google, Microsoft, NASA, Nasdaq and Uber depend on Semmle to secure their code. Headquartered in San Francisco, Semmle is a privately held company funded by Accel, with additional offices in Oxford, Copenhagen, New York City, Seattle, and Valencia.

Contact information

If you would like to speak to us about this vulnerability, please contact us at security@semmle.com, or reach out on Twitter @Semmle.