VDB
CVE-2020-25860
CVE-2020-25860
PUBLISHED
The install.c module in the Pengutronix RAUC update client prior to version 1.5 has a Time-of-Check Time-of-Use vulnerability, where signature verification on an update file takes place before the file is reopened for installation. An attacker who can modify the update file just before it is reopened can install arbitrary code on the device.
EPSS 0.49% · 66.1th percentile
Risk Scores
EPSS Score
0.49%
66.1th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:22.04:LTS | rauc | 0, 1.5.1-1build1, 1.6-1 |
| Ubuntu:20.04:LTS | rauc | 0, 1.1-2, 1.2-1 |
Exploit Intelligence
- integration examples for the CVE-2020-25860 fix (github-poc)
- integration examples for the CVE-2020-25860 fix (github-poc)
- integration examples for the CVE-2020-25860 fix (github-poc)
- integration examples for the CVE-2020-25860 fix (github-poc)
- integration examples for the CVE-2020-25860 fix (github-poc)
- https://github.com/rauc/rauc/security/advisories/GHSA-cgf3-h62j-w9vv (nist-nvd)
- https://www.vdoo.com/blog/cve-2020-25860-significant-vulnerability-discovered-rauc-embedded-firmware-update-framework (nist-nvd)
Timeline
- Dec 21, 2020 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Oct 26, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 28, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- May 1, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
- Nov 6, 2022 EPSS Score
- Jan 8, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2020-25860 third-party-advisory
- https://github.com/rauc/rauc/security/advisories/GHSA-cgf3-h62j-w9vv third-party-advisory
- https://www.vdoo.com/blog/cve-2020-25860-significant-vulnerability-discovered-rauc-embedded-firmware-update-framework third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2020-25860 third-party-advisory