- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- Wireless Connectivity
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- MCUXpresso Training Hub
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- Home
- :
- i.MX Security
- :
- Knowledge Base
- :
- U-Boot Secondary Program Loader Authentication Vulnerability - CVE-2023-39902
U-Boot Secondary Program Loader Authentication Vulnerability - CVE-2023-39902
- Subscribe to RSS Feed
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
U-Boot Secondary Program Loader Authentication Vulnerability - CVE-2023-39902
U-Boot Secondary Program Loader Authentication Vulnerability - CVE-2023-39902
Overview
A software vulnerability - CVE-2023-39902 has been identified in the U-Boot Secondary Program Loader (SPL) prior to version 2023.07 on select i.MX 8M family processors. Under certain conditions, a crafted Flattened Image Tree (FIT) Format structure can be used to overwrite SPL memory, allowing unauthenticated software to execute on the target leading to a privilege escalation.
Impacted devices
|
NXP Devices |
Impacted Silicon Revisions |
|
i.MX 8M |
All |
|
i.MX 8M Nano |
All |
|
i.MX 8M Mini |
All |
|
i.MX 8M Plus |
All |
Mitigation
This section will cover possible mitigations identified by NXP and recommends users review this vulnerability against their specific use cases. These mitigations may have varying applicability based on the customer’s designs and should be reviewed based on the established security policy that defines the security goals of the end product. It is up to the user to determine the impact (if any) to their products and take any necessary mitigation actions.
U-Boot software patches to address this vulnerability(CVE-2023-39902) were incorporated in the NXP BSP GA Release LF6.1.36_2.1.0 available for download on nxp.com. All subsequent NXP BSP GA software releases will incorporate the mitigations.
To support the default hash and optional FDT signature solutions - four patches for u-boot (one patch only required for Android and one for a document update), and two patches for imx-mkimage have been developed. Only one mitigation solution needs to be adopted if impacted.
|
|
Mitigation Patches |
Comments |
|
U-Boot |
0746cfd LFU-573-1 imx8m: hab:Verify hash of FIT FDT structure |
Default Hash solution |
|
07b6882 LFU-573-2 imx8m: hab:Verify optional FIT FDT signature |
Optional FIT DT signature solution |
|
|
Only Required for Android |
||
|
Documentation update |
||
|
imx-mkimage |
Default Hash solution |
|
|
Optional FIT DT signature solution |
Additional Information
Customers authenticating additional software images from a bootloader not provided by an NXP BSP, should ensure correct authentication is being performed.
For additional information, please contact your NXP Account Manager or Field Representative. You can also enter a technical support ticket and an NXP support engineer will contact you.
Acknowledgment
NXP would like to thank Marek Vasut of DENX Software Engineering GmbH for the responsible disclosure.
_____________________________________________________________________________
Please note this information is preliminary and subject to change. To the best of NXP's knowledge, the information contained herein is accurate and reliable as of the date of publication; however, NXP does not assume any liability for the accuracy and completeness of the information
