FKIE_CVE-2024-1633
Vulnerability from fkie_nvd - Published: 2024-02-19 17:15 - Updated: 2025-01-24 15:21
Severity
2.0 (Low) - CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
During secure boot, bl2 (the second stage of the bootloader) loops over the images defined in the table “bl2_mem_params_descs”. For each image, bl2 reads the image length and destination from the image’s certificate. Because the read from the image is based on a 32-bit unsigned integer value, it can result in an integer overflow. An attacker can bypass the memory range restriction and write data out of buffer bounds, which could result in a bypass of secure boot.
Affected git version from c2f286820471ed276c57e603762bd831873e5a17 until (not
References
| Source | URL | Tags |
|---|---|---|
| cve@asrg.io | https://asrg.io/security-advisories/CVE-2024-1633/ | Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://asrg.io/security-advisories/CVE-2024-1633/ | Third Party Advisory |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| renesas | arm-trusted-firmware | rcar_gen3_2.5 |
| renesas | r-car_d3e | - |
| renesas | r-car_e3e | - |
| renesas | r-car_h3e | - |
| renesas | r-car_h3ne | - |
| renesas | r-car_m3e | - |
| renesas | r-car_m3ne | - |
| renesas | r-car_v3h | - |
| renesas | r-car_v3h2 | - |
| renesas | r-car_v3m | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:renesas:arm-trusted-firmware:rcar_gen3_2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "A34F3FE3-C1EE-4C6B-8323-D82590784CA5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:renesas:r-car_d3e:-:*:*:*:*:*:*:*",
"matchCriteriaId": "7B20C33B-DBE7-41B5-8934-A457D0406247",
"vulnerable": false
},
{
"criteria": "cpe:2.3:h:renesas:r-car_e3e:-:*:*:*:*:*:*:*",
"matchCriteriaId": "6BB57A69-E624-4CE6-B3BE-3095DD52DF21",
"vulnerable": false
},
{
"criteria": "cpe:2.3:h:renesas:r-car_h3e:-:*:*:*:*:*:*:*",
"matchCriteriaId": "16309BD2-C8EE-49BE-9C0E-6785AD5B5AE8",
"vulnerable": false
},
{
"criteria": "cpe:2.3:h:renesas:r-car_h3ne:-:*:*:*:*:*:*:*",
"matchCriteriaId": "5AA982FE-883B-488E-8C33-956FFEE78124",
"vulnerable": false
},
{
"criteria": "cpe:2.3:h:renesas:r-car_m3e:-:*:*:*:*:*:*:*",
"matchCriteriaId": "E5C59110-27F5-4D0D-83D1-293A154CEC54",
"vulnerable": false
},
{
"criteria": "cpe:2.3:h:renesas:r-car_m3ne:-:*:*:*:*:*:*:*",
"matchCriteriaId": "B33C8369-B9E4-47E2-AA28-64E320B88E3E",
"vulnerable": false
},
{
"criteria": "cpe:2.3:h:renesas:r-car_v3h:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F4E89977-FF22-49AD-A250-A5259BCF2899",
"vulnerable": false
},
{
"criteria": "cpe:2.3:h:renesas:r-car_v3h2:-:*:*:*:*:*:*:*",
"matchCriteriaId": "9D4041BE-312D-4BEE-85A6-09B8BD71627D",
"vulnerable": false
},
{
"criteria": "cpe:2.3:h:renesas:r-car_v3m:-:*:*:*:*:*:*:*",
"matchCriteriaId": "5EBC200B-D7C2-4075-92EC-A508A11F1379",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "During the secure boot, bl2 (the second stage of\nthe bootloader) loops over images defined in the table \u201cbl2_mem_params_descs\u201d.\nFor each image, the bl2 reads the image length and destination from the image\u2019s\ncertificate.\u00a0Because of the way of reading from the image, which base on\u00a032-bit unsigned integer value, it can result to\u00a0an integer overflow.\u00a0An attacker can bypass memory range restriction and write data out of buffer bounds, which could result in bypass of secure boot.\n\n Affected git version from\u00a0c2f286820471ed276c57e603762bd831873e5a17 until (not\u00a0\n"
},
{
"lang": "es",
"value": "Durante el arranque seguro, bl2 (la segunda etapa del gestor de arranque) recorre las im\u00e1genes definidas en la tabla \"bl2_mem_params_descs\". Para cada imagen, el bl2 lee la longitud y el destino de la imagen en el certificado de la imagen. Debido a la forma de leer la imagen, que se basa en un valor entero sin signo de 32 bits, puede provocar un desbordamiento de enteros. Un atacante puede eludir la restricci\u00f3n del rango de memoria y escribir datos fuera de los l\u00edmites del b\u00fafer, lo que podr\u00eda provocar la omisi\u00f3n del inicio seguro. Versi\u00f3n de git afectada desde c2f286820471ed276c57e603762bd831873e5a17 hasta (no"
}
],
"id": "CVE-2024-1633",
"lastModified": "2025-01-24T15:21:06.727",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 2.0,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.5,
"impactScore": 1.4,
"source": "cve@asrg.io",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 2.0,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.5,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-02-19T17:15:08.347",
"references": [
{
"source": "cve@asrg.io",
"tags": [
"Third Party Advisory"
],
"url": "https://asrg.io/security-advisories/CVE-2024-1633/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://asrg.io/security-advisories/CVE-2024-1633/"
}
],
"sourceIdentifier": "cve@asrg.io",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-190"
}
],
"source": "cve@asrg.io",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-190"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}