The install.c module in the Pengutronix RAUC update client prior to version 1.5 has a Time-of-Check Time-of-Use vulnerability, where signature verification on an update file takes place before the file is reopened for installation. An attacker who can modify the update file just before it is reopened can install arbitrary code on the device.
References
Link | Resource |
---|---|
https://github.com/rauc/rauc/security/advisories/GHSA-cgf3-h62j-w9vv | Exploit Third Party Advisory |
https://www.vdoo.com/blog/cve-2020-25860-significant-vulnerability-discovered-rauc-embedded-firmware-update-framework | Exploit Third Party Advisory |
https://github.com/rauc/rauc/security/advisories/GHSA-cgf3-h62j-w9vv | Exploit Third Party Advisory |
https://www.vdoo.com/blog/cve-2020-25860-significant-vulnerability-discovered-rauc-embedded-firmware-update-framework | Exploit Third Party Advisory |
Configurations
History
21 Nov 2024, 05:18
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/rauc/rauc/security/advisories/GHSA-cgf3-h62j-w9vv - Exploit, Third Party Advisory | |
References | () https://www.vdoo.com/blog/cve-2020-25860-significant-vulnerability-discovered-rauc-embedded-firmware-update-framework - Exploit, Third Party Advisory |
Information
Published : 2020-12-21 18:15
Updated : 2024-11-21 05:18
NVD link : CVE-2020-25860
Mitre link : CVE-2020-25860
CVE.ORG link : CVE-2020-25860
JSON object : View
Products Affected
pengutronix
- rauc
CWE
CWE-367
Time-of-check Time-of-use (TOCTOU) Race Condition