Technical Advisory – U-Boot – Unchecked Download Size and Direction in USB DFU (CVE-2022-2347)

Vendor: DENX Software Engineering Vendor URL: https://www.denx.de/wiki/U-Boot Versions affected: v2012.10-rc1 to v2023.01-rc1 Systems Affected: All systems with CONFIG_DFU_OVER_USB or CONFIG_SPL_DFU enabled Author: <Sultan Qasim Khan> <sultan.qasimkhan[at]nccgroup[dot]com> CVE Identifier: CVE-2022-2347 Risk: High 7.1 (CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) Summary U-Boot is a popular and feature-rich bootloader for embedded systems. It includes optional support for the USB Device Firmware Update (DFU) … Continue reading Technical Advisory – U-Boot – Unchecked Download Size and Direction in USB DFU (CVE-2022-2347)

Technical Advisory – NXP i.MX SDP_READ_DISABLE Fuse Bypass (CVE-2022-45163)

Vendor: NXP Semiconductors Vendor URL: https://www.nxp.com Affected Devices: i.MX RT 101x, i.MX RT102x, i.MX RT1050/6x, i.MX 6 Family, i.MX 7 Family, i.MX8M Quad/Mini, Vybrid Author: Jon Szymaniak <jon.szymaniak(at)nccgroup.com> CVE: CVE-2022-45163 Advisory URL: https://community.nxp.com/t5/Known-Limitations-and-Guidelines/SDP-Read-Bypass-CVE-2022-45163/ta-p/1553565 Risk: 5.3 (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), 2.6 if C:L, 0.0 if C:N Summary NXP System-on-a-Chip (SoC) fuse configurations with the SDP READ_REGISTER operation disabled (SDP_READ_DISABLE=1) … Continue reading Technical Advisory – NXP i.MX SDP_READ_DISABLE Fuse Bypass (CVE-2022-45163)

Technical Advisory – OpenJDK – Weak Parsing Logic in java.net.InetAddress and Related Classes

Vendor: OpenJDK Project Vendor URL: https://openjdk.java.net Versions affected: 8-17+ (and likely earlier versions) Systems Affected: All supported systems Author: Jeff Dileo <jeff.dileo[at]nccgroup[dot]com> Advisory URL / CVE Identifier: TBD Risk: Low (implicit data validation bypass) Summary The private static InetAddress::getAllByName(String,InetAddress) method is used internally and by the public static InetAddress::getAllByName(String) to resolve host or IP strings … Continue reading Technical Advisory – OpenJDK – Weak Parsing Logic in java.net.InetAddress and Related Classes

There’s Another Hole In Your SoC: Unisoc ROM Vulnerabilities

UNISOC (formerly Spreadtrum) is a rapidly growing semiconductor company that is nowadays focused on the Android entry-level smartphone market. While still a rare sight in the west, the company has nevertheless achieved impressive growth claiming 11% of the global smartphone application processor market, according to Counterpoint Research. Recently, it's been making its way into some … Continue reading There’s Another Hole In Your SoC: Unisoc ROM Vulnerabilities

Technical Advisory – ExpressLRS vulnerabilities allow for hijack of control link

Vendor: ExpressLRS Vendor URL: https://expresslrs.org Versions affected: 1.x, 2.x Author: Richard Appleby Severity: Medium 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Summary ExpressLRS is a high-performance open source radio control link. It aims to provide a low latency radio control link while also achieving maximum range. It runs on a wide variety of hardware in both 900 Mhz and 2.4 … Continue reading Technical Advisory – ExpressLRS vulnerabilities allow for hijack of control link

Technical Advisory – Multiple Vulnerabilities in U-Boot (CVE-2022-30790, CVE-2022-30552)

By Nicolas Bidron, and Nicolas Guigo. U-boot is a popular boot loader for embedded systems with implementations for a large number of architectures and prominent in most Linux based embedded systems such as ChromeOS and Android Devices. Two vulnerabilities were uncovered in the IP Defragmentation algorithm implemented in U-Boot, with the associated technical advisories below: … Continue reading Technical Advisory – Multiple Vulnerabilities in U-Boot (CVE-2022-30790, CVE-2022-30552)

Technical Advisory – Kwikset/Weiser BLE Proximity Authentication in Kevo Smart Locks Vulnerable to Relay Attacks

Vendor: Kwikset/Weiser (Spectrum Brands) Vendor URLs: https://www.kwikset.com/kevo/smart-lock, https://www.weiserlock.com/en/kevo/default Versions Affected: All versions. Attack tested on Kevo Generation 2 hardware with firmware v1.9.49 and Android application version Kevo 2.9.1.21765p. Systems Affected: Kevo smart locks, including Kevo Contemporary Author: Sultan Qasim Khan Risk: <6.8 CVSS v3.1 AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N> - An attacker within BLE signal range of a smartphone … Continue reading Technical Advisory – Kwikset/Weiser BLE Proximity Authentication in Kevo Smart Locks Vulnerable to Relay Attacks

Technical Advisory – Tesla BLE Phone-as-a-Key Passive Entry Vulnerable to Relay Attacks

Vendor: Tesla, Inc. Vendor URL: https://www.tesla.com Versions affected: Attack tested with vehicle software v11.0 (2022.8.2 383989fadeea) and iOS app 4.6.1-891 (3784ebe63). Systems Affected: Attack tested on Model 3. Model Y is likely also affected. Author: Sultan Qasim Khan <sultan.qasimkhan[at]nccgroup[dot]com> Risk: <6.8 CVSS v3.1 AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N> An attacker within Bluetooth signal range of a mobile device configured … Continue reading Technical Advisory – Tesla BLE Phone-as-a-Key Passive Entry Vulnerable to Relay Attacks

Technical Advisory – BLE Proximity Authentication Vulnerable to Relay Attacks

Vendor: Bluetooth SIG, Inc. Vendor URL: https://www.bluetooth.com Versions Affected: Specification versions 4.0 to 5.3 Systems Affected: Any systems relying on the presence of a Bluetooth LE connection as confirmation of physical proximity, regardless of whether link layer encryption is used Author: <Sultan Qasim Khan> <sultan.qasimkhan[at]nccgroup[dot]com> Risk: An attacker can falsely indicate the proximity of Bluetooth … Continue reading Technical Advisory – BLE Proximity Authentication Vulnerable to Relay Attacks

Technical Advisory – Lenovo ImController Local Privilege Escalation (CVE-2021-3922, CVE-2021-3969)

Vendor: Lenovo Vendor URL: https://www.lenovo.com/ Versions affected: 1.1.20.2 Systems Affected: Windows Author: rick.veldhoven@fox-it.com Advisory URL: https://support.lenovo.com/us/en/product_security/LEN-75210 CVE Identifier: CVE-2021-3922, CVE-2021-3969 Risk: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:R CVSSv3.1: 7.1 Summary The ImController service comes installed on certain Lenovo devices, for example NCC found the service installed on a ThinkPad workstation. The service runs as the SYSTEM user and periodically executes … Continue reading Technical Advisory – Lenovo ImController Local Privilege Escalation (CVE-2021-3922, CVE-2021-3969)