ToCToU in Pengutronix RAUC allows attackers to bypass signature verification
RAUC (, 1.5), fixed in 1.5
The Pengutronix RAUC ("Robust Auto-Update Controller") is an open-source update client intended for Linux-based embedded devices, with support for many types of common bootloaders and filesystems.
Attackers can modify the update file during the installation process to make RAUC install an arbitrary, unverified payload. The attackers have to modify the update file to exploit the vulnerability, so they must either run code on the device with permissions to modify the file or have physical access to the storage. If RAUC accepts updates from the network, stores them in a single location, and is configured not to prevent repeated uploads while an installation is in progress, the vulnerability can be exploited remotely. The example CGI interface provided by RAUC does not allow repeated uploads.
The RAUC function check_bundle()
in module install.c
uses OpenSSL to verify the file's signature, but it then closes the bundle file and does not retain its contents in any way. Another function, mount_bundle()
, is then called to extract the contents of the update image. This function opens the file with a new sub-process and rereads its content from storage, making a time-of-check to time-of-use attack possible, since the attacker can replace or modify the update file in the period of time before the invocation of mount_bundle()
.
The vulnerability was discovered by JFrog researchers.
No PoC is supplied for this issue
No vulnerability mitigations are supplied for this issue
(JFrog) Vulnerability Discovered in RAUC Embedded Firmware Update