Brother
In the Buildroot build system, which is aimed at creating bootable Linux environments for embedded systems, six vulnerabilities were identified that allow an attacker intercepting network traffic in transit (MITM) to make changes to the generated system images or to achieve code execution at the build system level. The vulnerabilities were fixed in Buildroot releases 2023.02.8, 2023.08.4, and 2023.11.
The first five vulnerabilities (CVE-2023-45841, CVE-2023-45842, CVE-2023-45838, CVE-2023-45839, CVE-2023-45840) affect the hash-based package integrity verification code. The problems come down to the use of HTTP for downloading files and the absence of hash verification files for some packages, which allows an attacker who can intercept the build server's traffic (for example, when a user connects via a wireless network controlled by the attacker) to substitute the contents of those packages.
In particular, the aufs and aufs-util packages were downloaded over HTTP and were not verified with hashes. Hashes were also missing for the riscv64-elf-toolchain, versal-firmware, and mxsldr packages, which were downloaded via HTTPS by default but, in case of problems, fell back to an unencrypted download from the host http://sources.buildroot.net. If no ".hash" file was present, the Buildroot toolkit considered the check successful and processed the downloaded packages, including applying the patches included in them and running build scripts. Being able to replace the downloaded packages, an attacker could add their own patches or Makefiles to them, which allowed making changes to the resulting image or to the build system's scripts and getting their code executed.
The sixth vulnerability (CVE-2023-43608) is caused by an error in the implementation of the BR_NO_CHECK_HASH_FOR functionality, which allows hash integrity checking to be disabled for selected packages. Some packages, such as the Linux kernel, U-Boot, and versal-firmware, allowed downloading the latest versions, for which verification hashes had not yet been generated. For these versions the BR_NO_CHECK_HASH_FOR option was used, which disables hash checking. Data was downloaded via HTTPS, but by default, if the download failed, it fell back to fetching from sources.buildroot.net without encryption over the http:// protocol. An attacker performing a MITM attack could block the connection to the HTTPS server, after which the download fell back to http://sources.buildroot.net.
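As an added example (not Buildroot's own check-hash code), here is a fail-closed version of the two behaviours the post describes: a missing .hash file is treated as an error rather than a pass, and a fallback mirror is refused unless it is HTTPS. The .hash line format `<algo>  <digest>  <filename>` with `#` comment lines is an assumption made for this example.

```shell
# Added example, not Buildroot's own check-hash script: a fail-closed
# integrity check for a downloaded source archive. Assumed .hash format:
# "<algo>  <hex digest>  <filename>" per line, "#" lines are comments.

# check_package_hash ARCHIVE HASHFILE -> 0 only on a verified sha256 match.
check_package_hash() {
    archive="$1"; hashfile="$2"; base=$(basename "$archive")

    # Fail closed: a missing .hash file is an error, not a silent pass.
    if [ ! -f "$hashfile" ]; then
        echo "ERROR: no hash file for $base; refusing to use it" >&2
        return 1
    fi
    [ -f "$archive" ] || { echo "ERROR: $archive not found" >&2; return 1; }

    actual=$(sha256sum "$archive" | cut -d' ' -f1)
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        # Word-splitting into algo / digest / filename is intended here.
        set -- $line
        [ "$#" -eq 3 ] && [ "$1" = "sha256" ] && [ "$3" = "$base" ] || continue
        if [ "$2" = "$actual" ]; then
            echo "OK: sha256 verified for $base"
            return 0
        fi
        echo "ERROR: sha256 mismatch for $base (expected $2, got $actual)" >&2
        return 1
    done < "$hashfile"

    # A .hash file that never mentions this archive is also a failure.
    echo "ERROR: no sha256 entry for $base in $hashfile" >&2
    return 1
}

# mirror_is_acceptable URL -> 0 only for https:// mirrors. The reported
# issue was a silent downgrade to http://sources.buildroot.net on failure.
mirror_is_acceptable() {
    case "$1" in
        https://*) return 0 ;;
        *) echo "ERROR: refusing non-HTTPS mirror $1" >&2; return 1 ;;
    esac
}
```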