CVE-2024-32883

Name of the Vulnerable Software and Affected Versions MCUboot (affected versions not specified)

Description The issue concerns MCUboot, a secure bootloader for 32-bit microcontrollers, which uses a TLV (tag-length-value) structure to represent image metadata. This structure is divided into protected and unprotected sections, with protected TLV entries included in the image signature to prevent tampering. However, the code fails to distinguish between TLV entries that should be protected and those that should not, allowing an attacker to add unprotected TLV entries that should be protected. The primary protected TLV entries include the dependency indication and the boot record. An attacker could inject a dependency value, causing an otherwise acceptable image to be rejected, or inject a boot record, potentially allowing an image to appear as having properties it should not have.

Recommendations As a temporary workaround, consider disabling the boot record functionality until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.