Talos: U-Boot Verified Boot issues with CUJO

[…]Device-local verified boot bypass (persistence methods): CUJO uses Das U-Boot’s “Verified Boot,” an open-source primary boot loader that aims to protect the boot process from unauthorized modifications, and as a consequence, at avoiding a persistent compromise of the device. Moreover, the first 16MB of CUJO’s eMMC have been permanently write-protected, so that it is not possible, even for the manufacturer, to modify the system’s bootloaders. We identified two vulnerabilities that bypass these protections. We identified an issue in Das U-Boot, affecting versions 2013.07-rc1 to 2014.07-rc2 (inclusive). TALOS-2018-0633 shows that U-Boot FIT images’ signatures are not enforced, since it is still possible to boot from legacy unsigned images. This behavior can be exploited by simply replacing a signed FIT image with a legacy (and thus unsigned) image. CUJO uses the OCTEON SDK, which in turn uses U-Boot version 2013.07, so they are both vulnerable to this issue. Because of this, and since products have no possibility to use the impacted U-Boot versions without avoiding the issue, this CVE has been assigned to U-Boot. As previously stated, since the U-Boot bootloader is unmodifiable, TALOS-2018-0633 cannot be fixed in CUJO. Note, however, that, in isolation, this is less severe of an issue. See our discussion below for more details. TALOS-2018-0634 describes an additional way to bypass the secure boot process. By modifying the `dhcpd.conf` file, it is possible to make the DHCP server execute shell commands. Since this file persists across reboots, it is possible to execute arbitrary commands as root at each boot, effectively compromising the system’s integrity.[…]



Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s