CVE-2020-25860

Sažetak

The install.c module in the Pengutronix RAUC update client prior to version 1.5 has a Time-of-Check Time-of-Use vulnerability, where signature verification on an update file takes place before the file is reopened for installation. An attacker who can modify the update file just before it is reopened can install arbitrary code on the device.

Reference

https://github.com/rauc/rauc/security/advisories/GHSA-cgf3-h62j-w9vv
https://www.vdoo.com/blog/cve-2020-25860-significant-vulnerability-discovered-rauc-embedded-firmware-update-framework

CVSS

Base:	7.1
Impact:	10.0
Exploitability:	3.9

Pristup

Vektor	Složenost	Autentikacija
NETWORK	HIGH	SINGLE

Impact

Povjerljivost	Cjelovitost	Dostupnost
COMPLETE	COMPLETE	COMPLETE

CVSS vektor

AV:N/AC:H/Au:S/C:C/I:C/A:C

Zadnje važnije ažuriranje

29-12-2020 - 14:36

Objavljeno

21-12-2020 - 18:15