barebox
cpe:2.3:a:pengutronix:barebox:*:*:*:*:*:*:*
- >= 2016.03.0, < 2025.09.3
- >= 2025.10.0, < 2026.03.1
A vulnerability exists in barebox versions 2016.03.0 prior to 2025.09.3 and 2025.10.0 prior to 2026.03.1, allowing an attacker to manipulate the FIT (Flat Image Tree) signature verification process. When a FIT is signed, its 'hashed-nodes' property records which nodes were hashed and must be verified by the bootloader. However, this property is not itself covered by the hash, so an attacker who can write the FIT can modify it. This manipulation can trick the bootloader into booting unverified images. The vulnerability requires physical or local access to read and write the FIT on the storage medium, potentially compromising the kernel and, depending on the bootloader and system configuration, other critical components such as a hypervisor or trusted services.
Exploitation of this vulnerability can lead to unauthorized images being booted, bypassing verification processes. In barebox, this could compromise the kernel and, on 32-bit ARM systems using certain OP-TEE configurations, all privilege levels of the CPU. For U-Boot, the vulnerability can also be exploited to compromise higher privilege levels, depending on the system configuration.
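As an added illustration (not barebox or U-Boot code), a model of the sanity check a verifier or an offline FIT audit script can apply to the 'hashed-nodes' property: the set of nodes the signature must cover is derived from the configuration being booted rather than trusted from the unsigned list, so a list that omits the configuration node or one of its images is rejected before the signature value is even examined. The dict layout, FIT-style node paths and sample values are assumptions.

```python
# Added example, not barebox or U-Boot code. A FIT is a flattened device tree;
# this dict model keeps only the properties the advisory names, with FIT-style
# node paths ("/images/kernel", "/configurations/conf-1") as an assumption.

IMAGE_PROPS = ("kernel", "fdt", "ramdisk", "loadables")  # config -> image refs


def required_hashed_nodes(fit, config_name):
    """Nodes a configuration signature must cover: the configuration node itself
    and every image node it references (simplified: real signers also list
    hash sub-nodes, which this model omits)."""
    conf = fit["configurations"][config_name]
    required = {f"/configurations/{config_name}"}
    for prop in IMAGE_PROPS:
        refs = conf.get(prop, [])
        for img in ([refs] if isinstance(refs, str) else refs):
            if img not in fit["images"]:
                raise ValueError(f"{config_name} references missing image {img!r}")
            required.add(f"/images/{img}")
    return required


def missing_hashed_nodes(fit, config_name):
    """Required nodes that the signature's 'hashed-nodes' property fails to list.
    A non-empty result means the list is absent or was shrunk, and the
    configuration must be rejected before the signature value is even checked."""
    sig = fit["configurations"][config_name].get("signature") or {}
    listed = set(sig.get("hashed-nodes", []))
    return required_hashed_nodes(fit, config_name) - listed


# Constructed sample: an intact FIT and a copy whose unsigned 'hashed-nodes'
# list was edited; the signature value is unchanged because it never covered it.
SIGNED = {"hashed-nodes": ["/configurations/conf-1", "/images/kernel", "/images/fdt"],
          "value": b"<constructed signature bytes>"}
GOOD_FIT = {
    "images": {"kernel": b"<kernel>", "fdt": b"<fdt>"},
    "configurations": {"conf-1": {"kernel": "kernel", "fdt": "fdt", "signature": SIGNED}},
}
TAMPERED_FIT = {
    "images": {"kernel": b"<kernel>", "fdt": b"<unverified fdt>"},
    "configurations": {"conf-1": {"kernel": "kernel", "fdt": "fdt",
                                  "signature": {**SIGNED, "hashed-nodes": ["/images/kernel"]}}},
}

if __name__ == "__main__":
    print(sorted(missing_hashed_nodes(GOOD_FIT, "conf-1")))      # []
    print(sorted(missing_hashed_nodes(TAMPERED_FIT, "conf-1")))  # ['/configurations/conf-1', '/images/fdt']
```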
Users can update to barebox versions 2025.09.3 or 2026.03.1 to address this vulnerability.