U-Boot vulnerability resulting in persistent Code Execution
The vulnerability affects the U-Boot component — the bootloader responsible for system initialization on Google Chromecast devices. Based on the classified CWE-20, it indicates insufficient validation of input data in this component. Exploiting the vulnerability leads to persistent code execution, meaning that malicious code can survive device restarts. A network attack vector (AV:N) without authentication requirements (PR:N, UI:N) suggests the possibility of remote exploitation of the vulnerability.
An attacker can gain full control over the device — ensuring the highest level of confidentiality, integrity, and availability of the system, and the executed code can remain permanently on the device even after a restart.
Patches available from the manufacturer should be applied according to references — the Chromecast security bulletin dated 2023-12-01 is available at: https://source.android.com/docs/security/bulletin/chromecast/2023-12-01. Google Chromecast devices typically receive updates automatically, however administrators should verify that devices in the organizational environment have the latest firmware version installed.
Google Chromecast and Google Chromecast firmware software — specific versions indicated in the manufacturer's security bulletin from December 2023 (2023-12-01).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HGoogle Chromecast
HWGooglewszystkie wersjeGoogle Chromecast Firmware
OSGoogle< 2023-10-01
Related vulnerabilities
Krytyczna podatność u-boot w Google Chromecast — dostęp do powłoki przez UART
Brak sprawdzania uprawnień w aplikacji KeyChainActivity na urządzeniach Google Chromecast
Privilege escalation poprzez podatność w U-Boot shell na Google Chromecast
RCE w Google Chromecast — trwałe wykonanie kodu przez błąd BCB
The API service on Google Home and Chromecast devices before mid-July 2018 does not prevent DNS rebinding atta...