RAUC Integer Overflow Vulnerability in Plain Bundles Exceeding 2 GiB Allowing Payload Modification

Vulnerability

An integer overflow vulnerability has been identified in RAUC, a tool that manages the update process on embedded Linux systems. The issue affects RAUC versions prior to 1.15.2. It arises in bundles using the 'plain' format whose payload exceeds 2 GiB: the overflow causes the signature to cover only the initial bytes of the payload, so an attacker can modify the uncovered remainder of the payload without invalidating the signature. Bundles using the 'verity' or 'crypt' formats, available since RAUC 1.5 and 1.7 respectively, are not affected.

Impact

Exploitation of this vulnerability allows unauthorized modification of the payload of a 'plain' RAUC bundle: because the signature does not cover the entire payload, the portion beyond the covered range can be altered while the bundle still carries a valid signature.

Reproduction

To reproduce this vulnerability, create a RAUC bundle in the 'plain' format with a payload larger than 2 GiB and sign it with a legitimate key. The issue can then be demonstrated by modifying the part of the payload that the signature does not cover: extract the bundle, change the uncovered portion of the payload, and reassemble the bundle.

Remediation

Users are advised to update RAUC to version 1.15.2, which addresses this vulnerability by rejecting 'plain' format bundles larger than 2 GiB during both signing and verification. Additionally, migrating to the 'verity' bundle format is recommended.
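As an added illustration (not RAUC's own code), the following Python models the two checks a defender wants here: that a plain bundle's payload length survives a round trip through a signed 32-bit integer (the width at which the advisory's 2 GiB threshold arises) and the 1.15.2 rule of rejecting plain bundles above 2 GiB before any signature is trusted. The trailer layout (payload, then signature, then an 8-byte big-endian signature length), the function names and all sample values are assumptions of this example, not taken from the advisory or from RAUC.

```python
import struct

# 2 GiB: the advisory states that RAUC 1.15.2 rejects plain bundles above this size.
PLAIN_PAYLOAD_LIMIT = 2 * 1024**3


def fits_int32(n: int) -> bool:
    """True if n survives a round trip through a signed 32-bit integer.
    A payload length that fails this is the class of defect the advisory
    describes: a length above 2 GiB no longer matches what 32-bit signed
    arithmetic would operate on (the exact RAUC arithmetic is not modelled)."""
    truncated = struct.unpack("<i", struct.pack("<I", n & 0xFFFFFFFF))[0]
    return truncated == n


def plain_payload_allowed(payload_len: int) -> bool:
    """The 1.15.2 rule plus the width check that explains it."""
    return payload_len <= PLAIN_PAYLOAD_LIMIT and fits_int32(payload_len)


def split_plain_bundle(bundle: bytes) -> tuple[bytes, bytes]:
    """Split a plain-style bundle into (payload, signature) using Python's
    unbounded ints. Assumed layout: payload || signature || 8-byte big-endian
    signature length (a hypothetical layout chosen for this example)."""
    if len(bundle) < 8:
        raise ValueError("bundle too short for a length trailer")
    (sig_len,) = struct.unpack(">Q", bundle[-8:])
    payload_len = len(bundle) - 8 - sig_len
    if sig_len == 0 or payload_len <= 0:
        raise ValueError("inconsistent signature length trailer")
    return bundle[:payload_len], bundle[payload_len:-8]


def gate_bundle(bundle: bytes) -> int:
    """Pre-verification gate: parse the bundle, reject oversized plain payloads,
    and return the payload length that the signature must cover in full."""
    payload, _signature = split_plain_bundle(bundle)
    if not plain_payload_allowed(len(payload)):
        raise ValueError(
            f"plain payload of {len(payload)} bytes exceeds the 2 GiB limit; "
            "rebuild the bundle in the verity or crypt format")
    return len(payload)


# Constructed sample: a tiny payload and a stand-in signature blob (not a real CMS structure).
SAMPLE_PAYLOAD = b"squashfs-image-bytes" * 4
SAMPLE_SIGNATURE = b"\x30\x82" + b"\x00" * 30
SAMPLE_BUNDLE = SAMPLE_PAYLOAD + SAMPLE_SIGNATURE + struct.pack(">Q", len(SAMPLE_SIGNATURE))
```

Running `gate_bundle` on a real plain bundle only needs its on-disk size, so the same rule can gate a CI or deployment pipeline that still fronts a RAUC older than 1.15.2.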

Added: Mar 31, 2026, 2:21 PM
Updated: Mar 31, 2026, 2:21 PM

Vulnerability Rating (Custom Algorithm)

  spread          1.2
  impact          0.8
  exploitability  5.0
  remediation     8.3
  relevance       5.0
  threat          4.8
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.