
Cloud Vulnerability DB
A community-led vulnerabilities database
Das U-Boot through 2020.01 contains a vulnerability that allows attackers to bypass verified boot restrictions and subsequently boot arbitrary images. This is achieved by providing a crafted FIT (Flattened Image Tree) image to a system configured to boot the default configuration. The vulnerability was discovered on January 22, 2020, and was publicly disclosed on March 18, 2020, after being assigned CVE-2020-10648 (F-Secure Advisory, OSS Security).
The vulnerability exists in U-Boot's verified boot feature, which is used for verifying the integrity and authenticity of loaded images. The issue stems from U-Boot's failure to verify that the contents of 'hashed-nodes' correlate with the sub-images required to be loaded by the configuration. This allows attackers to craft another configuration with the same signature node but referencing different sub-images. The vulnerability affects U-Boot versions 2018.03 and 2020.01, with earlier versions potentially affected as well (OSS Security).
An attacker with access to a properly signed FIT image can craft arbitrary FIT images that would pass signature validation, resulting in booting and execution of untrusted code. The exploitation relies on the attacker's ability to modify the 'default' property of the 'configurations' node when the setup does not explicitly choose to boot a specific configuration (OSS Security).
A temporary mitigation is to explicitly specify the configuration name as part of the 'bootm' command arguments, for example: 'bootm ${loadaddr}#conf@1 - ${fdtaddr}'. For a permanent fix, users should apply the patches provided or update to a fixed version when available (OSS Security).
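The consistency check described above as missing, sketched as an added example (not U-Boot's code or its patch): it models a FIT as plain Python dicts and reports every node a configuration would load that its signature's 'hashed-nodes' list does not cover. The dict layout, the node names and the three image properties checked are assumptions made for the illustration.

```python
# Added illustration: the FIT is modelled as dicts, not parsed from a real .itb.
IMAGE_PROPS = ("kernel", "fdt", "ramdisk")  # assumed subset of image-reference properties


def required_nodes(fit, conf_name):
    """Node paths that a signature over conf_name has to cover."""
    conf = fit["configurations"][conf_name]
    paths = ["/configurations/" + conf_name]
    for prop in IMAGE_PROPS:
        image = conf.get(prop)
        if image is None:
            continue
        paths.append("/images/" + image)
        # The hash subnodes of each referenced image must be covered as well.
        for hash_node in fit["images"].get(image, []):
            paths.append("/images/%s/%s" % (image, hash_node))
    return paths


def uncovered_nodes(fit, conf_name=None):
    """Required paths absent from hashed-nodes; an empty list means consistent."""
    if conf_name is None:
        # 'default' is an unsigned property, so it decides nothing about trust.
        conf_name = fit["configurations"]["default"]
    hashed = set(fit["configurations"][conf_name]["signature"]["hashed-nodes"])
    return [p for p in required_nodes(fit, conf_name) if p not in hashed]


# Constructed sample data (hypothetical node names).
SIGNATURE = {"hashed-nodes": ["/", "/configurations/conf-1",
                              "/images/kernel-1", "/images/kernel-1/hash-1",
                              "/images/fdt-1", "/images/fdt-1/hash-1"]}
CONF_1 = {"kernel": "kernel-1", "fdt": "fdt-1", "signature": SIGNATURE}
SIGNED_FIT = {
    "images": {"kernel-1": ["hash-1"], "fdt-1": ["hash-1"]},
    "configurations": {"default": "conf-1", "conf-1": CONF_1},
}
# Inconsistent case from the description: conf-2 carries conf-1's signature
# node but names a different kernel, and 'default' selects conf-2.
MODIFIED_FIT = {
    "images": {"kernel-1": ["hash-1"], "fdt-1": ["hash-1"], "kernel-2": ["hash-1"]},
    "configurations": {
        "default": "conf-2",
        "conf-1": CONF_1,
        "conf-2": {"kernel": "kernel-2", "fdt": "fdt-1", "signature": SIGNATURE},
    },
}
```

Passing an explicit configuration name, as the 'bootm' mitigation does, makes the check ignore the unsigned 'default' property.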
Source: This report was generated using AI