All posts by admin

CVE-2024-57258 – Integer overflows in memory allocation in Das U-Boot (19-02-2025)

Preface: U-Boot is both a first-stage and second-stage bootloader. It is loaded by the system’s ROM (e.g. on-chip ROM of an ARM CPU) from a supported boot device, such as an SD card, SATA drive, NOR flash (e.g. using SPI or I²C), or NAND flash.

Background: Das U-Boot is an open source, primary boot loader used in embedded devices to package the instructions to boot the device’s operating system kernel. U-Boot uses commands similar to the BASH shell to manipulate environment variables. U-Boot supports TFTP (Trivial File Transfer Protocol), a stripped-down FTP, so user authentication is not required for downloading images into the board’s RAM.

LK is the abbreviation of Little Kernel. LK is commonly used as the bootloader in Android systems on the Qualcomm platform. It is an open source project. LK is the boot part of the whole system, so it is not independent of it. However, LK currently only supports the ARM and x86 architectures. A notable feature of LK is that it implements a simple thread mechanism, and it is deeply customized for use with Qualcomm’s processors.

Vulnerability details: Integer overflows in memory allocation in Das U-Boot before 2025.01-rc1 occur for a crafted squashfs filesystem via sbrk, via request2size, or because ptrdiff_t is mishandled on x86_64.

Remark: An integer overflow is a type of software vulnerability that occurs when the result of an arithmetic operation on a variable, such as an integer, exceeds the range of values the variable can hold, so the stored value wraps around. This can result in unexpected behavior or security issues, such as allowing an attacker to execute arbitrary code.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-57258

nodejs: GOAWAY HTTP/2 frames cause memory leak outside heap (CVE-2025-23085) (17-02-2025)

Preface: If artificial intelligence could create the world, do you know how its creation would differ from Genesis? Artificial intelligence focuses on efficiency, and everything needs to be fast.

But God is concerned with the balance of nature. Therefore, the development of everything is not rapid.

Background: HTTP/2 enables full request and response multiplexing. In practice, this means a connection made to a web server from your browser can be used to send multiple requests and receive multiple responses. This eliminates some of the time it takes to establish a new connection for each request.

The GOAWAY frame in HTTP/2 (type=0x7) is used to initiate the shutdown of a connection or to signal serious error conditions. When a server sends a GOAWAY frame, it tells the client to stop creating new streams on the connection. However, it allows the server to finish processing any streams that were already in progress. This mechanism is useful for administrative actions, such as server maintenance, as it allows for a graceful shutdown without abruptly terminating ongoing requests.

Vulnerability details: A memory leak could occur when a remote peer abruptly closes the socket without sending a GOAWAY notification. Additionally, if an invalid header was detected by nghttp2, causing the connection to be terminated by the peer, the same leak was triggered. This flaw could lead to increased memory consumption and potential denial of service under certain conditions. This vulnerability affects HTTP/2 Server users on Node.js v18.x, v20.x, v22.x and v23.x.
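
As an added illustration of the mechanism described above (example code written for this post, not Node.js or nghttp2 source), the block below parses a GOAWAY frame and models a connection that releases its per-stream state on both termination paths: the graceful GOAWAY and the abrupt socket close that the advisory says was missed. All names (h2_conn, h2_parse_goaway, h2_on_socket_closed) and the sample frame bytes are constructed for this example.

```c
/* Added example (not Node.js or nghttp2 code). Names and the sample frames
 * are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define H2_FRAME_HDR_LEN 9
#define H2_FRAME_GOAWAY  0x7

/* Decoded GOAWAY payload: 31-bit last stream id, 32-bit error code,
 * followed by optional opaque debug data. */
struct h2_goaway { uint32_t last_stream_id; uint32_t error_code; size_t debug_len; };

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* Returns 1 for a well-formed GOAWAY, 0 for any other frame type,
 * -1 if the bytes are malformed or truncated. */
int h2_parse_goaway(const uint8_t *buf, size_t len, struct h2_goaway *out)
{
    if (len < H2_FRAME_HDR_LEN) return -1;
    uint32_t plen = ((uint32_t)buf[0] << 16) | ((uint32_t)buf[1] << 8) | buf[2];
    uint8_t  type = buf[3];
    uint32_t sid  = be32(buf + 5) & 0x7fffffffu;   /* reserved bit masked off */
    if (len - H2_FRAME_HDR_LEN < plen) return -1;   /* truncated payload */
    if (type != H2_FRAME_GOAWAY) return 0;
    if (sid != 0 || plen < 8) return -1;            /* GOAWAY is stream 0, >= 8 bytes */
    const uint8_t *p = buf + H2_FRAME_HDR_LEN;
    out->last_stream_id = be32(p) & 0x7fffffffu;
    out->error_code     = be32(p + 4);
    out->debug_len      = plen - 8;
    return 1;
}

/* Minimal connection object: one heap allocation per open stream. */
struct h2_conn { void **streams; size_t nstreams; int closed; };

int h2_conn_open_stream(struct h2_conn *c)
{
    void **grown = realloc(c->streams, (c->nstreams + 1) * sizeof *grown);
    if (!grown) return -1;
    c->streams = grown;
    c->streams[c->nstreams] = calloc(1, 256);   /* stand-in for stream state */
    if (!c->streams[c->nstreams]) return -1;
    c->nstreams++;
    return 0;
}

/* The one teardown routine that every termination path must reach. */
static void h2_conn_release(struct h2_conn *c)
{
    for (size_t i = 0; i < c->nstreams; i++) free(c->streams[i]);
    free(c->streams);
    c->streams = NULL;
    c->nstreams = 0;
    c->closed = 1;
}

/* Graceful path: the peer sent GOAWAY. */
void h2_on_goaway(struct h2_conn *c, const struct h2_goaway *g)
{
    (void)g;   /* a real server would first finish streams <= last_stream_id */
    h2_conn_release(c);
}

/* Abrupt path: the socket closed with no GOAWAY (or the peer aborted after an
 * invalid header). The leak class in the advisory is this path skipping the
 * release. */
void h2_on_socket_closed(struct h2_conn *c)
{
    h2_conn_release(c);
}

/* Self-check on constructed input; returns 1 when every expectation holds. */
int h2_demo(void)
{
    /* GOAWAY: length 8, type 7, flags 0, stream 0, last_stream_id 5, NO_ERROR */
    static const uint8_t goaway[] = { 0,0,8, 7, 0, 0,0,0,0,  0,0,0,5, 0,0,0,0 };
    /* PING: length 8, type 6, flags 0, stream 0, 8 opaque bytes */
    static const uint8_t ping[]   = { 0,0,8, 6, 0, 0,0,0,0,  1,2,3,4,5,6,7,8 };
    struct h2_goaway g = {0, 0, 0};
    int ok = 1;
    ok &= h2_parse_goaway(goaway, sizeof goaway, &g) == 1;
    ok &= g.last_stream_id == 5 && g.error_code == 0 && g.debug_len == 0;
    ok &= h2_parse_goaway(goaway, 12, &g) == -1;          /* truncated */
    ok &= h2_parse_goaway(ping, sizeof ping, &g) == 0;    /* not GOAWAY */

    struct h2_conn c = { NULL, 0, 0 };
    for (int i = 0; i < 3; i++) ok &= h2_conn_open_stream(&c) == 0;
    ok &= c.nstreams == 3;
    h2_on_socket_closed(&c);                 /* abrupt close, no GOAWAY */
    ok &= c.nstreams == 0 && c.streams == NULL && c.closed == 1;
    return ok;
}

int main(void)
{
    printf("h2_demo: %s\n", h2_demo() ? "ok" : "FAILED");
    return 0;
}
```

The design point is that both termination handlers funnel into one release routine; a detection-side check for this leak class is to count live stream objects after forcibly dropping a connection and confirm the count returns to zero.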

Official announcement: Please refer to the link for details – https://access.redhat.com/errata/RHSA-2025:1613

Cache-based Side-Channel Attack Against SEV (18th Feb 2024)

Originally posted by AMD 3rd Feb 2025

Updated Acknowledgement – 2025-02-17

Preface: FIPS 186-5 removes DSA as an approved digital signature algorithm “due to a lack of use by industry and based on academic analyses that observed that implementations of DSA may be vulnerable to attacks if domain parameters are not properly generated.”

February 3, 2023 – NIST published Federal Information Processing Standard (FIPS) 186-5, Digital Signature Standard (DSS), along with NIST Special Publication (SP) 800-186, Recommendations for Discrete Logarithm-based Cryptography: Elliptic Curve Domain Parameters.  

Background: The SEV feature relies on elliptic-curve cryptography for its secure key generation, which runs when a VM is launched. The VM initiates the elliptic-curve algorithm by providing points along its NIST (National Institute of Standards and Technology) curve and relaying the data based on the private key of the machine.

Vulnerability details: AMD has received a report from researchers at National Taiwan University detailing cache-based side-channel attacks against Secure Encrypted Virtualization (SEV).

Remedy: AMD recommends that software developers employ existing best practices against prime-and-probe attacks (including constant-time algorithms) and avoid secret-dependent data accesses where appropriate. AMD also recommends following previously published guidance regarding Spectre-type attacks (refer to the link in the reference section below), as it believes the previous guidance remains applicable to mitigate these vulnerabilities.

Supplement: The lack of authentication in the memory encryption is one major drawback of the Secure Memory Encryption (SME) design, which has been demonstrated in fault injection attacks. SEV inherits this security issue. Therefore, a malicious hypervisor may alter the ciphertext of the encrypted memory without triggering faults in the guest VM.

Official announcement: Please refer to the link for details – https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3010.html
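
To make the remedy concrete, here is an added example (written for this post, not AMD’s or any SEV component’s code) of the two practices the bulletin names: a comparison whose running time and memory accesses do not depend on the secret bytes, and a table lookup that touches every entry so the cache lines accessed do not reveal the secret index. Each sits next to the leaky form it replaces. The function names (ct_memcmp, ct_table_lookup) and the sample table are constructed for this example.

```c
/* Added example (not AMD or SEV firmware code). Names and data are
 * constructed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Compare two buffers of equal length. Returns 0 if equal, nonzero otherwise.
 * Every byte is visited and the differences are OR-accumulated, so neither the
 * iteration count nor the memory touched depends on where a mismatch sits. */
int ct_memcmp(const void *a, const void *b, size_t len)
{
    const volatile uint8_t *pa = a, *pb = b;
    uint8_t diff = 0;
    for (size_t i = 0; i < len; i++) diff |= pa[i] ^ pb[i];
    return diff;
}

/* Leaky form for contrast: returns at the first mismatch, so the number of
 * bytes read reveals the length of the matching prefix. */
int leaky_memcmp(const void *a, const void *b, size_t len)
{
    const uint8_t *pa = a, *pb = b;
    for (size_t i = 0; i < len; i++) if (pa[i] != pb[i]) return 1;
    return 0;
}

/* All-ones when a == b, all-zeros otherwise, with no data-dependent branch. */
static uint32_t ct_eq_mask(uint32_t a, uint32_t b)
{
    uint32_t x = a ^ b;              /* zero iff equal */
    x = (x | (0u - x)) >> 31;        /* 1 iff x was nonzero */
    return x - 1u;                   /* 0xFFFFFFFF iff equal */
}

/* Secret-independent access: read every entry and keep the wanted one with a
 * mask, so the cache lines touched are the same for every secret_idx. */
uint32_t ct_table_lookup(const uint32_t *table, size_t n, size_t secret_idx)
{
    uint32_t result = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t m = ct_eq_mask((uint32_t)i, (uint32_t)secret_idx);
        result = (table[i] & m) | (result & ~m);
    }
    return result;
}

/* Leaky form: one load whose address depends on the secret; a prime-and-probe
 * observer learns which cache line (hence roughly which index) was used. */
uint32_t leaky_table_lookup(const uint32_t *table, size_t n, size_t secret_idx)
{
    return secret_idx < n ? table[secret_idx] : 0;
}

int main(void)
{
    static const uint8_t tag_a[4] = {1, 2, 3, 4}, tag_b[4] = {1, 2, 9, 4};
    static const uint32_t sbox[4] = {10, 20, 30, 40};   /* constructed table */
    printf("ct_memcmp: equal=%d differ=%d\n",
           ct_memcmp(tag_a, tag_a, 4), ct_memcmp(tag_a, tag_b, 4) != 0);
    printf("ct_table_lookup[2]=%u leaky_table_lookup[2]=%u\n",
           ct_table_lookup(sbox, 4, 2), leaky_table_lookup(sbox, 4, 2));
    return 0;
}
```

The volatile qualifier in ct_memcmp keeps the compiler from re-introducing an early exit; for large tables the full scan is the price of removing the secret-dependent address, which is why real implementations keep such tables small or replace them with arithmetic.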

CVE-2024-0112 – about NVIDIA Jetson AGX Orin™ and NVIDIA IGX Orin software (17th Feb 2025)

The original security advisory was issued on February 11, 2025.

Preface: NVIDIA IGX Orin software is used by a variety of organizations, particularly those in industrial and medical environments. This platform is designed to support AI applications at the edge, providing high performance, advanced functional safety, and security.

Some specific use cases include:

  • Industrial Automation: Companies use IGX Orin to enhance manufacturing processes with AI-driven automation and predictive maintenance.
  • Healthcare: Medical institutions leverage IGX Orin for AI-powered diagnostics, medical imaging, and patient monitoring.
  • Robotics: Robotics companies utilize IGX Orin for developing intelligent robots that can operate safely alongside humans.

The platform’s versatility and robust support make it suitable for any organization looking to deploy AI solutions in demanding environments.

Background: The NVIDIA IGX Orin Developer Kit runs the Holopack 2.0 Developer Preview software. Holopack is a comprehensive solution for end-to-end GPU accelerated AI application development and testing. Holopack supports two GPU modes:

iGPU – Holopack deploys drivers and libraries to support the NVIDIA Ampere architecture GPU integrated into NVIDIA IGX Orin modules.

dGPU – Holopack deploys drivers and libraries to support an optional NVIDIA RTX A6000 discrete GPU connected to the PCIe slot.

Its high-performance, low-power computing for deep learning and computer vision makes Jetson the ideal platform for compute-intensive projects. The Jetson platform includes a variety of Jetson modules with the NVIDIA JetPack™ SDK.

Vulnerability details: NVIDIA Jetson AGX Orin™ and NVIDIA IGX Orin software contain a vulnerability where an attacker can cause an improper input validation issue by escalating certain permissions to a limited degree. A successful exploit of this vulnerability might lead to code execution, denial of service, data corruption, information disclosure, or escalation of privilege.

Official announcement: Please refer to the vendor announcement for details – https://nvidia.custhelp.com/app/answers/detail/a_id/5611

CVE‑2024‑53880: NVIDIA Triton Inference Server contains a vulnerability in the model loading API (14th Feb 2025)

Original release date: February 11, 2025

Preface: The NVIDIA Triton Inference Server API supports both HTTP/REST and gRPC protocols. These protocols allow clients to communicate with the Triton server for various tasks such as model inferencing, checking server and model health, and managing model metadata and statistics.

Background: NVIDIA Triton™ Inference Server, part of the NVIDIA AI platform and available with NVIDIA AI Enterprise, is open-source software that standardizes AI model deployment and execution across every workload.

The Asynchronous Server Gateway Interface (ASGI) is a calling convention for web servers to forward requests to asynchronous-capable Python frameworks and applications. It is built as a successor to the Web Server Gateway Interface (WSGI).

Vulnerability details: NVIDIA Triton Inference Server contains a vulnerability in the model loading API, where a user could cause an integer overflow or wraparound error by loading a model with an extra-large file size that overflows an internal variable. A successful exploit of this vulnerability might lead to denial of service.
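
Both this Triton advisory and the U-Boot one above describe integer overflow in size handling, so one added example (written for this post; not U-Boot, dlmalloc or Triton code) covers both shapes: an allocator-style rounding of a request size that wraps when the request is near SIZE_MAX, a 64-bit file size narrowed into a 32-bit variable, and, going slightly beyond the text, a count-times-element-size product. Each unchecked form sits next to the check that rejects the bad input. Names and constants (HEADER_SZ, ALIGN_MASK, the policy limit) are hypothetical.

```c
/* Added example (not U-Boot, dlmalloc or Triton code). Constants and names
 * are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HEADER_SZ  8u      /* toy chunk header, hypothetical */
#define ALIGN_MASK 15u     /* 16-byte chunk alignment, hypothetical */

/* Unchecked request rounding in the request2size style: for a request near
 * SIZE_MAX the addition wraps and a tiny chunk is returned, so the caller's
 * later writes overrun it. */
size_t round_request_unchecked(size_t req)
{
    return (req + HEADER_SZ + ALIGN_MASK) & ~(size_t)ALIGN_MASK;
}

/* Checked: reject any request whose padded size cannot be represented. */
bool round_request_checked(size_t req, size_t *out)
{
    if (req > SIZE_MAX - HEADER_SZ - ALIGN_MASK) return false;   /* would wrap */
    *out = (req + HEADER_SZ + ALIGN_MASK) & ~(size_t)ALIGN_MASK;
    return true;
}

/* Unchecked narrowing: a file size above 4 GiB loses its high bits when stored
 * in a 32-bit variable, so a buffer far smaller than the file is sized from it. */
uint32_t file_size_to_buffer_unchecked(uint64_t file_size)
{
    return (uint32_t)file_size;
}

/* Checked narrowing against an explicit policy limit (max_allowed is the
 * largest model the loader is willing to hold in memory). */
bool file_size_to_buffer_checked(uint64_t file_size, uint32_t max_allowed, uint32_t *out)
{
    if (file_size > max_allowed) return false;
    *out = (uint32_t)file_size;    /* fits: max_allowed is itself 32-bit */
    return true;
}

/* Generalisation: count * elem_size for array allocations, using the
 * compiler's overflow-checking builtin (GCC/Clang). */
bool array_bytes_checked(size_t count, size_t elem_size, size_t *out)
{
    return !__builtin_mul_overflow(count, elem_size, out);
}

/* Self-check on constructed values; returns 1 when all expectations hold. */
int overflow_demo(void)
{
    size_t r = 0, bytes = 0;
    uint32_t n = 0;
    int ok = 1;
    /* SIZE_MAX - 4 + 8 + 15 wraps to 18, masked to 16: a 16-byte chunk for a
       near-SIZE_MAX request. The checked form refuses it. */
    ok &= round_request_unchecked(SIZE_MAX - 4) == 16;
    ok &= round_request_checked(SIZE_MAX - 4, &r) == false;
    ok &= round_request_checked(100, &r) == true && r == 112;
    /* A 4 GiB + 16 byte file narrows to 16 bytes; the checked form refuses it. */
    ok &= file_size_to_buffer_unchecked(0x100000010ull) == 16;
    ok &= file_size_to_buffer_checked(0x100000010ull, 0x7fffffffu, &n) == false;
    ok &= file_size_to_buffer_checked(4096, 0x7fffffffu, &n) == true && n == 4096;
    /* Array sizing: a huge count times 8 overflows size_t. */
    ok &= array_bytes_checked(SIZE_MAX / 4, 8, &bytes) == false;
    ok &= array_bytes_checked(1000, 8, &bytes) == true && bytes == 8000;
    return ok;
}

int main(void)
{
    printf("overflow_demo: %s\n", overflow_demo() ? "ok" : "FAILED");
    return 0;
}
```

The common thread is that the check must be done on the wide value before it is narrowed or padded; checking the result afterwards cannot distinguish a wrapped value from a legitimately small one.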

Official announcement: Please refer to the vendor announcement for details – https://nvidia.custhelp.com/app/answers/detail/a_id/5612

CVE-2025-23359 – NVIDIA Container Toolkit for Linux contains a Time-of-Check Time-of-Use (TOCTOU) vulnerability (11th Feb 2025)

Preface: In software development, time-of-check to time-of-use (TOCTOU, TOCTTOU or TOC/TOU) is a class of software bugs caused by a race condition involving the checking of the state of a part of a system (such as a security credential) and the use of the results of that check.

Background: The NVIDIA container stack is architected so that it can be targeted to support any container runtime in the ecosystem. The components of the stack include:

  • The NVIDIA Container Runtime (nvidia-container-runtime)
  • The NVIDIA Container Runtime Hook (nvidia-container-toolkit / nvidia-container-runtime-hook)
  • The NVIDIA Container Library and CLI (libnvidia-container1, nvidia-container-cli)

The components of the NVIDIA container stack are packaged as the NVIDIA Container Toolkit.

The NVIDIA Container Toolkit is a key component in enabling Docker containers to leverage the raw power of NVIDIA GPUs. This toolkit allows for the integration of GPU resources into your Docker containers.

Remark: The Podman command can be used with remote services using the --remote flag. Connections can be made over local Unix domain sockets or SSH.

Vulnerability details: NVIDIA Container Toolkit for Linux contains a Time-of-Check Time-of-Use (TOCTOU) vulnerability when used with default configuration, where a crafted container image could gain access to the host file system. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.
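
As an added example of the bug class in the preface (written for this post, not NVIDIA Container Toolkit code), the block below splits the racy pattern into its check and its use, swaps the file for a symlink in the window between them, and shows that the descriptor-based alternative (open with O_NOFOLLOW, then fstat the descriptor actually obtained) refuses the swapped path. The temporary files, their contents and the function names are constructed for the demo.

```c
/* Added example (not NVIDIA Container Toolkit code). Paths, contents and
 * function names are constructed for the demo. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Check step of the racy pattern: is the path a regular file right now? */
int racy_check(const char *path)
{
    struct stat st;
    return lstat(path, &st) == 0 && S_ISREG(st.st_mode);
}

/* Use step: opens the path again. Whatever the path names *now* is opened,
 * which need not be what racy_check() looked at. */
int racy_use(const char *path)
{
    return open(path, O_RDONLY | O_CLOEXEC);
}

/* Race-free form: open first (refusing a final symlink), then inspect the
 * descriptor that was actually obtained. Returns the fd or -1. */
int open_checked_safe(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;                     /* ELOOP if path is a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) { close(fd); return -1; }
    return fd;
}

static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* Constructed scenario: "host.txt" stands in for a host file the container
 * must not reach, "model.bin" for the file the check approved. Returns 1 when
 * the race is reproduced and the safe opener refuses the swapped path. */
int toctou_demo(void)
{
    char dir[] = "/tmp/toctou-demo-XXXXXX";
    if (!mkdtemp(dir)) return 0;
    char host[300], model[300], buf[8] = {0};
    snprintf(host,  sizeof host,  "%s/host.txt",  dir);
    snprintf(model, sizeof model, "%s/model.bin", dir);
    int ok = 0, fd = -1, safe = -1;
    if (write_file(host, "HOST") != 0 || write_file(model, "GUEST") != 0) goto out;

    if (!racy_check(model)) goto out;            /* check passes: regular file */
    /* ...the window: the entry is replaced by a symlink to the host file... */
    unlink(model);
    if (symlink(host, model) != 0) goto out;
    fd = racy_use(model);                        /* use follows the new link */
    if (fd >= 0 && read(fd, buf, 4) == 4 && memcmp(buf, "HOST", 4) == 0)
        ok = 1;                                  /* the racy code read host data */
    safe = open_checked_safe(model);             /* -1: O_NOFOLLOW rejects it */
    ok = ok && safe < 0;
out:
    if (fd >= 0) close(fd);
    if (safe >= 0) close(safe);
    unlink(model); unlink(host); rmdir(dir);
    return ok;
}

int main(void)
{
    printf("toctou_demo: %s\n", toctou_demo() ? "race reproduced, safe opener refused" : "FAILED");
    return 0;
}
```

The safe form works because the object that was checked (the open descriptor) is the same object that is used; the path is only consulted once. In a container runtime the same principle applies to directory traversal, where each component is opened relative to an already-validated descriptor.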

Official announcement: Please refer to the vendor announcement for details – https://nvidia.custhelp.com/app/answers/detail/a_id/5616

CVE-2024-21924 – AMD SMM Callout Vulnerability (11th Feb 2025)

Preface: The SmmMemLib[.]c library is part of the EDK II (EFI Development Kit II) project, which is an open-source implementation of the UEFI (Unified Extensible Firmware Interface) and PI (Platform Initialization) specifications. This library is specifically used for memory management within System Management Mode (SMM).

Background: The AMD Ryzen processors do not specifically use the SmmMemLib[.]c library. Instead, AMD provides a set of optimized libraries known as the AMD Optimizing CPU Libraries (AOCL), which are designed for high-performance computing and scientific applications. These libraries include various components such as AOCL-BLAS, AOCL-LAPACK, AOCL-FFTW, and more. AOCL is a set of numerical libraries optimized for AMD “Zen”-based processors, including EPYC™, Ryzen™ Threadripper™, and Ryzen™.

Vulnerability details: AMD’s analysis is that an SMM callout vulnerability within the AmdPlatformRasSspSmm driver could allow a ring 0 attacker to modify boot services handlers (boot service table entries) to point to their own code, potentially resulting in arbitrary code execution. AMD has released mitigations to address this vulnerability.
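
To show what an SMM callout check looks like, here is an added example (written for this post; not EDK II, AMD AGESA, or the AmdPlatformRasSspSmm driver): before an SMM handler calls through a function pointer it has picked up from a table, it confirms that the target lies inside SMRAM, where ring 0 cannot rewrite it. The range check is written to be safe against address wraparound; the struct and function names (smram_region, smm_safe_call) and the region values are hypothetical.

```c
/* Added example (not EDK II or AMD firmware code). Names and region values
 * are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

struct smram_region { uint64_t base; uint64_t size; };

/* True only when [addr, addr + len) lies wholly inside SMRAM. Written so the
 * addr + len sum can never wrap around, which a naive "addr + len <= end"
 * comparison would miss. */
bool smm_buffer_inside_smram(const struct smram_region *r, uint64_t addr, uint64_t len)
{
    if (len == 0 || len > r->size) return false;
    if (addr < r->base) return false;
    return addr - r->base <= r->size - len;   /* both sides cannot underflow */
}

typedef uint64_t (*smm_fn)(uint64_t);

/* Call target only if it is SMRAM-resident; otherwise refuse and return false.
 * A handler that skipped this check would "call out" to memory that ring 0
 * controls. */
bool smm_safe_call(const struct smram_region *r, uint64_t target, uint64_t arg, uint64_t *ret)
{
    if (!smm_buffer_inside_smram(r, target, 1)) return false;
    smm_fn fn = (smm_fn)(uintptr_t)target;
    *ret = fn(arg);
    return true;
}

/* Stand-in for a legitimate handler that lives inside SMRAM. */
static uint64_t trusted_handler(uint64_t x) { return x + 1; }

/* Constructed scenario: treat the page holding trusted_handler as "SMRAM" and
 * an address just below it as OS/hypervisor-controlled memory. Returns 1 when
 * the in-SMRAM call runs and the outside call is refused. */
int smm_demo(void)
{
    uint64_t code = (uint64_t)(uintptr_t)&trusted_handler;
    struct smram_region r = { code & ~(uint64_t)0xFFF, 0x1000 };
    uint64_t ret = 0;
    bool inside  = smm_safe_call(&r, code, 41, &ret);              /* runs: 42 */
    bool outside = smm_safe_call(&r, r.base - 0x100, 41, &ret);    /* refused */
    return inside && ret == 42 && !outside;
}

int main(void)
{
    printf("smm_demo: %s\n", smm_demo() ? "ok" : "FAILED");
    return 0;
}
```

In real firmware the same validation has to be applied to every pointer an SMI handler dereferences, including the communication buffer and any table entries cached before SMRAM was locked; the range check is the building block, the discipline of applying it everywhere is the mitigation.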

Official announcement: Please refer to the link for details – https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7028.html

CVE-2025-21684: A Linux GPIO (General Purpose Input/Output) driver design weakness (11th Feb 2025)

Preface: In the concept of Industry 4.0, the Internet of Things (IoT) is used for the development of so-called smart products.

Background: The GPIO driver provides an interface for user-space applications and kernel modules to access and control the GPIO pins. It abstracts the hardware details, making it easier for developers to write code that interacts with the GPIOs without needing to know the specifics of the underlying hardware.

GPIO pins on hardware are often used in automation. They can be programmed to control various devices and systems, such as:

  • Home automation: Controlling lights, fans, and other appliances.
  • Industrial automation: Managing machinery, sensors, and actuators in manufacturing processes.
  • Robotics: Operating motors, servos, and sensors to control robot movements and actions.
  • IoT (Internet of Things): Connecting and controlling smart devices and sensors.

SCADA (Supervisory Control and Data Acquisition) systems can use GPIO pins. SCADA systems are designed to monitor and control industrial processes and infrastructure, and they often interface with various sensors and actuators. GPIO pins can be used in SCADA systems to:

  • Read digital inputs: Such as switches, sensors, and other binary devices.
  • Control digital outputs: Like relays, LEDs, and other on/off devices.
  • Interface with analog inputs/outputs: Through additional circuitry or modules that convert analog signals to digital and vice versa.

For example, GPIO pins can be used to monitor the status of a machine, control the operation of a valve, or read data from a temperature sensor.

Vulnerability details: Linux Kernel Vulnerability in Xilinx GPIO Locking Mechanism.

Official Announcement – please see the link for details – https://nvd.nist.gov/vuln/detail/CVE-2025-21684

CVE-2024-56161 – AMD SEV Confidential Computing Vulnerability (7th Feb 2024)

Preface: Sometimes, when a solution is misused or misconfigured, it can use this testing feature as a sword!

Background: AMD SEV (Secure Encrypted Virtualization) is a hardware-based security feature designed to enhance the confidentiality and integrity of virtual machines (VMs) running on AMD EPYC processors. Here are some key points about it:

  1. Memory Encryption: SEV encrypts the memory of individual VMs using unique encryption keys. This ensures that neither the hypervisor nor other VMs can access the data of a specific VM.
  2. Isolation: SEV creates an isolated execution environment, protecting VMs from potential attacks originating from the hypervisor or other VMs.
  3. SEV-SNP (Secure Nested Paging): This is an extension of SEV that adds strong memory integrity protections. It helps prevent malicious hypervisor-based attacks like data replay and memory re-mapping, further enhancing the security of the VMs.
  4. Recent Vulnerability: A recent vulnerability (CVE-2024-56161) was discovered in SEV-SNP, which could allow an attacker with local admin privileges to load malicious CPU microcode, compromising the confidentiality and integrity of VMs. AMD has released patches to mitigate this issue.

Vulnerability details: Improper signature verification in AMD CPU ROM microcode patch loader may allow an attacker with local administrator privilege to load malicious CPU microcode resulting in loss of confidentiality and integrity of a confidential guest running under AMD SEV-SNP.

Official announcement: Please refer to the link for details – https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3019.html