Six vulnerabilities have been found in Buildroot, the build system used to produce bootable Linux images for embedded systems. They allow an attacker positioned on the network path (MITM) to alter the generated system images or to execute code on the build host itself. The vulnerabilities are fixed in the latest releases: Buildroot 2023.02.8, 2023.08.4, and 2023.11.
The first vulnerability (CVE-2023-45839 and CVE-2023-45840) lies in the code that verifies package integrity against hash values. Some packages were downloaded over plain HTTP, and for some no hash file existed to verify against, so an attacker able to tamper with the build server's network traffic could substitute the contents of those packages. This has been fixed in the latest Buildroot releases.
In particular, the packages Aufs and Aufs-Util were downloaded over HTTP and were not checked against hashes. The same applied to the RISCV64-elf-Toolchain, Versal-Firmware, and MXSLDR packages, which were normally fetched over HTTPS but fell back to HTTP whenever a problem occurred. Because no hash files existed for these packages, Buildroot treated the verification as passed and went on to process the downloaded package, including any patches or makefiles an attacker had added. That allowed the scripts that make up the resulting system image to be altered and potentially let attacker-controlled code run. These issues have been fixed.
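As an added illustration (this is not Buildroot's own support/download/check-hash script), the shell code below shows the fail-closed behaviour the fix requires: a download with no hash file, or no matching entry, is rejected instead of accepted, and a name on a skip list modelled on the BR_NO_CHECK_HASH_FOR option discussed below passes through unchecked. The archive name and contents are constructed for the demo.

```shell
#!/bin/sh
# Illustrative Buildroot-style .hash verification (added example; not Buildroot's
# own support/download/check-hash script). Hash file lines: "sha256  <hex>  <file>".

sha256_of() {   # print the SHA-256 digest of file $1
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi |
        cut -d' ' -f1
}

# check_hash <hash file> <downloaded file> <archive name> [skip list]
# Exit status: 0 match, 1 digest differs, 2 no usable entry (fail closed; the
# pre-fix behaviour described above treated a missing hash file as success).
# A name on the space-separated skip list is passed through unchecked, which is
# the effect of BR_NO_CHECK_HASH_FOR and why that list should stay empty.
check_hash() {
    hashfile=$1 file=$2 name=$3 skip=${4:-}
    for s in $skip; do
        [ "$s" = "$name" ] && { echo "WARN: $name not checked (skip list)"; return 0; }
    done
    [ -f "$hashfile" ] || { echo "ERROR: no hash file for $name"; return 2; }
    actual=$(sha256_of "$file"); found=0
    while read -r algo digest fname _; do
        case $algo in ''|'#'*) continue ;; esac      # blank lines and comments
        [ "$algo" = sha256 ] && [ "$fname" = "$name" ] || continue
        found=1
        [ "$digest" = "$actual" ] && { echo "$name: sha256 OK"; return 0; }
    done < "$hashfile"
    [ "$found" -eq 1 ] && { echo "ERROR: $name sha256 mismatch"; return 1; }
    echo "ERROR: no sha256 entry for $name in $hashfile"; return 2
}

# Constructed fixture (not a real package): a fake tarball plus a matching .hash file.
make_fixture() {
    d=$(mktemp -d)
    printf 'constructed archive bytes\n' > "$d/aufs-1.0.tar.gz"
    printf '# Locally computed\nsha256  %s  aufs-1.0.tar.gz\n' \
        "$(sha256_of "$d/aufs-1.0.tar.gz")" > "$d/aufs.hash"
    echo "$d"
}

d=$(make_fixture)
check_hash "$d/aufs.hash" "$d/aufs-1.0.tar.gz" aufs-1.0.tar.gz            # OK
printf 'tampered\n' >> "$d/aufs-1.0.tar.gz"                               # simulate a modified download
if check_hash "$d/aufs.hash" "$d/aufs-1.0.tar.gz" aufs-1.0.tar.gz; then exit 1; fi
if check_hash "$d/missing.hash" "$d/aufs-1.0.tar.gz" aufs-1.0.tar.gz; then exit 1; fi
```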
Another vulnerability in the build system allowed the integrity check to be disabled for selected packages. Certain packages, such as Linux, U-Boot, and Versal-Firmware, allowed their latest version to be downloaded without the hash check, via the “BR_NO_CHECK_HASH_FOR” option. Data was downloaded over HTTPS, but in case of a download