CVE-2020-25860 - Vulnerability Details - OpenCVE

The install.c module in the Pengutronix RAUC update client prior to version 1.5 has a Time-of-Check Time-of-Use vulnerability, where signature verification on an update file takes place before the file is reopened for installation. An attacker who can modify the update file just before it is reopened can install arbitrary code on the device.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity High

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Pengutronix	Rauc

Configuration 1 [-]

cpe:2.3:a:pengutronix:rauc:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/rauc/rauc/security/advisories/GHSA-cgf3-h62j-w9vv
https://www.vdoo.com/blog/cve-2020-25860-significant-vulnerability-discovered-rauc-embedded-firmware-update-framework

History

No history.

MITRE

Status: PUBLISHED

Assigner: VDOO

Published: 2020-12-21T17:23:27

Updated: 2024-08-04T15:49:05.940Z

Reserved: 2020-09-23T00:00:00

Link: CVE-2020-25860

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-12-21T18:15:15.227

Modified: 2024-11-21T05:18:55.440

Link: CVE-2020-25860

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Pengutronix RAUC", "vendor": "n/a", "versions": [{"status": "affected", "version": "All versions before 1.5"}]}], "descriptions": [{"lang": "en", "value": "The install.c module in the Pengutronix RAUC update client prior to version 1.5 has a Time-of-Check Time-of-Use vulnerability, where signature verification on an update file takes place before the file is reopened for installation. An attacker who can modify the update file just before it is reopened can install arbitrary code on the device."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-367", "description": "Time-of-Check Time-of-Use (CWE-367)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-12-21T17:23:27", "orgId": "6b4ace4a-d6e0-415b-9ce8-aa20e97e4b24", "shortName": "VDOO"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/rauc/rauc/security/advisories/GHSA-cgf3-h62j-w9vv"}, {"tags": ["x_refsource_MISC"], "url": "https://www.vdoo.com/blog/cve-2020-25860-significant-vulnerability-discovered-rauc-embedded-firmware-update-framework"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vuln@vdoo.com", "ID": "CVE-2020-25860", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Pengutronix RAUC", "version": {"version_data": [{"version_value": "All versions before 1.5"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The install.c module in the Pengutronix RAUC update client prior to version 1.5 has a Time-of-Check Time-of-Use vulnerability, where signature verification on an update file takes place before the file is reopened for installation. An attacker who can modify the update file just before it is reopened can install arbitrary code on the device."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Time-of-Check Time-of-Use (CWE-367)"}]}]}, "references": {"reference_data": [{"name": "https://github.com/rauc/rauc/security/advisories/GHSA-cgf3-h62j-w9vv", "refsource": "MISC", "url": "https://github.com/rauc/rauc/security/advisories/GHSA-cgf3-h62j-w9vv"}, {"name": "https://www.vdoo.com/blog/cve-2020-25860-significant-vulnerability-discovered-rauc-embedded-firmware-update-framework", "refsource": "MISC", "url": "https://www.vdoo.com/blog/cve-2020-25860-significant-vulnerability-discovered-rauc-embedded-firmware-update-framework"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T15:49:05.940Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/rauc/rauc/security/advisories/GHSA-cgf3-h62j-w9vv"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.vdoo.com/blog/cve-2020-25860-significant-vulnerability-discovered-rauc-embedded-firmware-update-framework"}]}]}, "cveMetadata": {"assignerOrgId": "6b4ace4a-d6e0-415b-9ce8-aa20e97e4b24", "assignerShortName": "VDOO", "cveId": "CVE-2020-25860", "datePublished": "2020-12-21T17:23:27", "dateReserved": "2020-09-23T00:00:00", "dateUpdated": "2024-08-04T15:49:05.940Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pengutronix:rauc:*:*:*:*:*:*:*:*", "matchCriteriaId": "43D4968A-EE56-46FC-8E96-497D5B385F1F", "versionEndExcluding": "1.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The install.c module in the Pengutronix RAUC update client prior to version 1.5 has a Time-of-Check Time-of-Use vulnerability, where signature verification on an update file takes place before the file is reopened for installation. An attacker who can modify the update file just before it is reopened can install arbitrary code on the device."}, {"lang": "es", "value": "El m\u00f3dulo install.c en el cliente de actualizaci\u00f3n de Pengutronix RAUC versiones anteriores a 1.5, presenta una vulnerabilidad Time-of-Check Time-of-Use, donde la verificaci\u00f3n de la firma en un archivo de actualizaci\u00f3n toma lugar antes de que el archivo reabierto para la instalaci\u00f3n. Un atacante que pueda modificar el archivo de actualizaci\u00f3n justo antes de que se vuelva a abrir puede instalar c\u00f3digo arbitrario en el dispositivo"}], "id": "CVE-2020-25860", "lastModified": "2024-11-21T05:18:55.440", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 7.1, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:H/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-12-21T18:15:15.227", "references": [{"source": "vuln@vdoo.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/rauc/rauc/security/advisories/GHSA-cgf3-h62j-w9vv"}, {"source": "vuln@vdoo.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.vdoo.com/blog/cve-2020-25860-significant-vulnerability-discovered-rauc-embedded-firmware-update-framework"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/rauc/rauc/security/advisories/GHSA-cgf3-h62j-w9vv"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.vdoo.com/blog/cve-2020-25860-significant-vulnerability-discovered-rauc-embedded-firmware-update-framework"}], "sourceIdentifier": "vuln@vdoo.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-367"}], "source": "vuln@vdoo.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-367"}], "source": "nvd@nist.gov", "type": "Primary"}]}