U-Boot Secondary Program Loader Authentication Vulnerability - CVE-2023-39902


Overview

A software vulnerability, CVE-2023-39902, has been identified in the U-Boot Secondary Program Loader (SPL) prior to version 2023.07 on select i.MX 8M family processors. Under certain conditions, a crafted Flattened Image Tree (FIT) format structure can be used to overwrite SPL memory, allowing unauthenticated software to execute on the target, leading to a privilege escalation.

Impacted devices

| NXP Devices | Impacted Silicon Revisions |
|---|---|
| i.MX 8M | All |
| i.MX 8M Nano | All |
| i.MX 8M Mini | All |
| i.MX 8M Plus | All |

 

Mitigation

This section covers possible mitigations identified by NXP. NXP recommends that users review this vulnerability against their specific use cases. These mitigations may have varying applicability based on the customer’s designs and should be reviewed based on the established security policy that defines the security goals of the end product. It is up to the user to determine the impact (if any) to their products and take any necessary mitigation actions.

U-Boot software patches to address this vulnerability (CVE-2023-39902) were incorporated in the NXP BSP GA Release LF6.1.36_2.1.0, available for download on nxp.com. All subsequent NXP BSP GA software releases will incorporate the mitigations.

To support the default hash and optional FDT signature solutions, four patches for U-Boot (one required only for Android and one for a documentation update) and two patches for imx-mkimage have been developed. Only one mitigation solution needs to be adopted if impacted.

 

 

| Mitigation Patches | Comments |
|---|---|
| U-Boot | |
| 0746cfd LFU-573-1 imx8m: hab:Verify hash of FIT FDT structure | Default Hash solution |
| 07b6882 LFU-573-2 imx8m: hab:Verify optional FIT FDT signature | Optional FIT DT signature solution |
| 0001-MA-21597 check spl fit pointer before parsing it | Only Required for Android |
| 25fdc42 LFU-573-3 doc: imx8m: Update iMX8M secure boot and encrypted boot doc | Documentation update |
| imx-mkimage | |
| 2f2d426 LFU-573-1 imx8m: Generate hash of FIT FDT structure to SPL image | Default Hash solution |
| 5a0faef LFU-573-2 imx8m: Reserve new IVT+CSF for FIT FDT signature | Optional FIT DT signature solution |
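
The default hash solution listed above comes down to authenticating the FIT FDT structure before any of its fields are used. The sketch below is an added illustration of that verify-before-parse order, not NXP's or U-Boot's code; SHA-256, the `max_size` bound and all function names are assumptions, and the sample blob is constructed.

```python
import hashlib
import hmac
import struct

FDT_MAGIC = 0xD00DFEED   # devicetree/FIT blob magic (big-endian)
FDT_HEADER_LEN = 40      # version 17 header: ten 32-bit big-endian fields


def fdt_total_size(blob: bytes, max_size: int) -> int:
    """Read only magic and totalsize, and bound totalsize before it is used."""
    if len(blob) < FDT_HEADER_LEN:
        raise ValueError("blob shorter than an FDT header")
    magic, totalsize = struct.unpack_from(">II", blob, 0)
    if magic != FDT_MAGIC:
        raise ValueError("not an FDT/FIT structure")
    # max_size (assumption): size of the memory region reserved for the FIT FDT
    if not FDT_HEADER_LEN <= totalsize <= min(len(blob), max_size):
        raise ValueError("totalsize outside the buffer or reserved region")
    return totalsize


def verify_fit_fdt(blob: bytes, trusted_sha256: bytes, max_size: int) -> bytes:
    """Return the authenticated FDT bytes, or raise before any node is parsed."""
    fdt = blob[:fdt_total_size(blob, max_size)]
    # trusted_sha256 stands for the hash carried in the authenticated SPL image
    if not hmac.compare_digest(hashlib.sha256(fdt).digest(), trusted_sha256):
        raise ValueError("FIT FDT hash mismatch")
    return fdt


def make_fdt(body: bytes) -> bytes:
    """Constructed sample: valid header fields of interest plus filler bytes."""
    total = FDT_HEADER_LEN + len(body)
    return struct.pack(">10I", FDT_MAGIC, total, 0, 0, 0, 17, 16, 0, 0, 0) + body


if __name__ == "__main__":
    good = make_fdt(b"constructed FIT nodes")
    trusted = hashlib.sha256(good).digest()
    print(len(verify_fit_fdt(good, trusted, 0x2000)), "bytes authenticated")
    tampered = good[:-1] + b"X"
    try:
        verify_fit_fdt(tampered, trusted, 0x2000)
    except ValueError as err:
        print("rejected:", err)
```

Only the bytes returned by `verify_fit_fdt` should be handed to a FIT parser; anything past `totalsize` is not covered by the hash and is dropped.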

 

Additional Information

Customers authenticating additional software images from a bootloader not provided by an NXP BSP should ensure correct authentication is being performed.

For additional information, please contact your NXP Account Manager or Field Representative. You can also enter a technical support ticket and an NXP support engineer will contact you.

Acknowledgment

NXP would like to thank Marek Vasut of DENX Software Engineering GmbH for the responsible disclosure.

_____________________________________________________________________________

Please note this information is preliminary and subject to change. To the best of NXP's knowledge, the information contained herein is accurate and reliable as of the date of publication; however, NXP does not assume any liability for the accuracy and completeness of the information

 
 
Last update: 10-17-2023 06:52 AM