Vulnerability Details CVE-2020-10648
Das U-Boot through 2020.01 allows attackers to bypass verified boot restrictions and subsequently boot arbitrary images by providing a crafted FIT image to a system configured to boot the default configuration.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 40.3%
CVSS Severity
CVSS v3 Score 7.8
CVSS v2 Score 6.8
References
- http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00030.html
- http://www.openwall.com/lists/oss-security/2020/03/18/5
- https://github.com/u-boot/u-boot/commits/master
- https://labs.f-secure.com/advisories/das-u-boot-verified-boot-bypass/
- http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00030.html
- http://www.openwall.com/lists/oss-security/2020/03/18/5
- https://github.com/u-boot/u-boot/commits/master
- https://labs.f-secure.com/advisories/das-u-boot-verified-boot-bypass/
Products affected by CVE-2020-10648
-
cpe:2.3:a:denx:u-boot:-
-
cpe:2.3:a:denx:u-boot:0.2.0
-
cpe:2.3:a:denx:u-boot:0.2.3
-
cpe:2.3:a:denx:u-boot:0.3.0
-
cpe:2.3:a:denx:u-boot:0.3.1
-
cpe:2.3:a:denx:u-boot:0.4.0
-
cpe:2.3:a:denx:u-boot:0.4.1
-
cpe:2.3:a:denx:u-boot:0.4.2
-
cpe:2.3:a:denx:u-boot:0.4.3
-
cpe:2.3:a:denx:u-boot:0.4.4
-
cpe:2.3:a:denx:u-boot:0.4.5
-
cpe:2.3:a:denx:u-boot:0.4.6
-
cpe:2.3:a:denx:u-boot:0.4.7
-
cpe:2.3:a:denx:u-boot:0.4.8
-
cpe:2.3:a:denx:u-boot:1.0.0
-
cpe:2.3:a:denx:u-boot:1.0.1
-
cpe:2.3:a:denx:u-boot:1.0.2
-
cpe:2.3:a:denx:u-boot:1.1.0
-
cpe:2.3:a:denx:u-boot:1.1.1
-
cpe:2.3:a:denx:u-boot:1.1.2
-
cpe:2.3:a:denx:u-boot:1.1.3
-
cpe:2.3:a:denx:u-boot:1.1.4
-
cpe:2.3:a:denx:u-boot:1.1.5
-
cpe:2.3:a:denx:u-boot:1.1.6
-
cpe:2.3:a:denx:u-boot:1.2.0
-
cpe:2.3:a:denx:u-boot:1.3.0
-
cpe:2.3:a:denx:u-boot:1.3.1
-
cpe:2.3:a:denx:u-boot:1.3.3
-
cpe:2.3:a:denx:u-boot:1.3.4
-
cpe:2.3:a:denx:u-boot:2008.10
-
cpe:2.3:a:denx:u-boot:2009.01
-
cpe:2.3:a:denx:u-boot:2009.03
-
cpe:2.3:a:denx:u-boot:2009.06
-
cpe:2.3:a:denx:u-boot:2009.08
-
cpe:2.3:a:denx:u-boot:2009.11
-
cpe:2.3:a:denx:u-boot:2009.11.1
-
cpe:2.3:a:denx:u-boot:2010.03
-
cpe:2.3:a:denx:u-boot:2010.06
-
cpe:2.3:a:denx:u-boot:2010.09
-
cpe:2.3:a:denx:u-boot:2010.12
-
cpe:2.3:a:denx:u-boot:2011.03
-
cpe:2.3:a:denx:u-boot:2011.04.01
-
cpe:2.3:a:denx:u-boot:2011.06
-
cpe:2.3:a:denx:u-boot:2011.09
-
cpe:2.3:a:denx:u-boot:2011.12
-
cpe:2.3:a:denx:u-boot:2012.04
-
cpe:2.3:a:denx:u-boot:2012.04.01
-
cpe:2.3:a:denx:u-boot:2012.07
-
cpe:2.3:a:denx:u-boot:2012.10
-
cpe:2.3:a:denx:u-boot:2013.01
-
cpe:2.3:a:denx:u-boot:2013.01.01
-
cpe:2.3:a:denx:u-boot:2013.04
-
cpe:2.3:a:denx:u-boot:2013.07
-
cpe:2.3:a:denx:u-boot:2013.10
-
cpe:2.3:a:denx:u-boot:2014.01
-
cpe:2.3:a:denx:u-boot:2014.04
-
cpe:2.3:a:denx:u-boot:2014.07
-
cpe:2.3:a:denx:u-boot:2014.10
-
cpe:2.3:a:denx:u-boot:2015.01
-
cpe:2.3:a:denx:u-boot:2015.04
-
cpe:2.3:a:denx:u-boot:2015.07
-
cpe:2.3:a:denx:u-boot:2015.10
-
cpe:2.3:a:denx:u-boot:2016.01
-
cpe:2.3:a:denx:u-boot:2016.03
-
cpe:2.3:a:denx:u-boot:2016.05
-
cpe:2.3:a:denx:u-boot:2016.07
-
cpe:2.3:a:denx:u-boot:2016.09
-
cpe:2.3:a:denx:u-boot:2016.09.01
-
cpe:2.3:a:denx:u-boot:2016.11
-
cpe:2.3:a:denx:u-boot:2017.01
-
cpe:2.3:a:denx:u-boot:2017.03
-
cpe:2.3:a:denx:u-boot:2017.05
-
cpe:2.3:a:denx:u-boot:2017.07
-
cpe:2.3:a:denx:u-boot:2017.09
-
cpe:2.3:a:denx:u-boot:2017.11
-
cpe:2.3:a:denx:u-boot:2018.01
-
cpe:2.3:a:denx:u-boot:2020.01
-
cpe:2.3:o:opensuse:leap:15.2