Vulnerability Description
The install.c module in the Pengutronix RAUC update client prior to version 1.5 has a Time-of-Check Time-of-Use vulnerability, where signature verification on an update file takes place before the file is reopened for installation. An attacker who can modify the update file just before it is reopened can install arbitrary code on the device.
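The check-then-reopen pattern from the description, reduced to an added C example that is not RAUC's code. `verify()` is a stand-in for signature verification, and `tamper()`, `write_file()` and the file contents are constructed for the demonstration; `install_once()` shows the general remedy of consuming exactly the bytes that were verified.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Read up to cap-1 bytes through a single open() and NUL-terminate; -1 on error. */
static ssize_t slurp(const char *path, char *buf, size_t cap) {
    int fd = cap ? open(path, O_RDONLY) : -1;
    if (fd < 0) return -1;
    ssize_t n, total = 0;
    while ((n = read(fd, buf + total, cap - 1 - total)) > 0) total += n;
    close(fd);
    buf[total] = '\0';
    return n < 0 ? -1 : total;
}

/* Stand-in for signature verification (assumption, not real crypto). */
static int verify(const char *data, ssize_t len) {
    static const char good[] = "trusted-image-v1";
    return len == (ssize_t)strlen(good) && memcmp(data, good, (size_t)len) == 0;
}

static int write_file(const char *path, const char *s) {   /* demo helper */
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(s, f);
    return fclose(f);
}

/* Constructed hook: stands in for any change to the file inside the window. */
void tamper(const char *path) { write_file(path, "modified-image"); }

/* Pattern from the description: verify one open, install from a second open. */
int install_reopen(const char *path, void (*hook)(const char *), char *out, size_t cap) {
    char tmp[256];
    ssize_t n = slurp(path, tmp, sizeof tmp);
    if (!verify(tmp, n)) return -1;
    if (hook) hook(path);                        /* file can change here */
    return slurp(path, out, cap) < 0 ? -1 : 0;   /* reopened: bytes never verified */
}

/* Hardened: the installed bytes are exactly the bytes that were verified. */
int install_once(const char *path, void (*hook)(const char *), char *out, size_t cap) {
    ssize_t n = slurp(path, out, cap);
    if (!verify(out, n)) { if (cap) out[0] = '\0'; return -1; }
    if (hook) hook(path);                        /* later changes no longer matter */
    return 0;
}
```

Reading a whole bundle into memory is a simplification for the example; the property that matters is that the check and the use operate on the same data rather than on two separate opens of a path.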
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pengutronix | Rauc | < 1.5 |
Related Weaknesses (CWE)
References
- https://github.com/rauc/rauc/security/advisories/GHSA-cgf3-h62j-w9vv (Exploit, Third Party Advisory)
- https://www.vdoo.com/blog/cve-2020-25860-significant-vulnerability-discovered-ra (Exploit, Third Party Advisory)
FAQ
What is CVE-2020-25860?
CVE-2020-25860 is a vulnerability with a CVSS score of 6.6 (MEDIUM). The install.c module in the Pengutronix RAUC update client prior to version 1.5 has a Time-of-Check Time-of-Use vulnerability, where signature verification on an update file takes place before the fil...
How severe is CVE-2020-25860?
CVE-2020-25860 has been rated MEDIUM with a CVSS base score of 6.6/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2020-25860?
Check the references section above for vendor advisories and patch information. Affected products include: Pengutronix Rauc.