Six vulnerabilities in the widely used U-Boot bootloader have been discovered that could allow attackers to execute malicious code during device boot, potentially enabling stealthy firmware attacks that compromise security protections and install persistent malware.
U-Boot is one of the world's most widely used open-source bootloaders and is found in many embedded Linux devices, including enterprise servers' Baseboard Management Controllers (BMCs), networking equipment, industrial systems, IoT devices, and other appliances.
Because U-Boot is responsible for loading the operating system, vulnerabilities in the bootloader can allow attackers to compromise a device before the operating system and its security software have a chance to start.
One of its security features, known as Verified Boot, uses cryptographic signatures to ensure that only firmware and operating system images signed by a trusted key are loaded during startup.
In a report published this week, firmware security company Binarly disclosed six vulnerabilities in U-Boot's FIT (Flattened Image Tree) signature verification code.













