F-Secure’s hardware security team found two vulnerabilities in Xilinx Zynq UltraScale+ SoCs, one of which cannot be fixed by a security update. The affected products include the Zynq UltraScale+ series system-on-chip (SoC), multi-processor system-on-chip (MPSoC) and radio-frequency system-on-chip (RFSoC). Experts say that an attacker must have physical access to the target device to exploit these vulnerabilities.
According to F-Secure, both vulnerabilities are located in the Encrypt Only secure boot mode of the affected components. The researchers pointed out that the Encrypt Only secure boot mode of the Xilinx Zynq UltraScale+ family does not encrypt the boot image metadata, which leaves that data open to malicious modification. By tampering with the boot header, an attacker can execute arbitrary code and bypass the security measures the boot mode is meant to provide. The two vulnerabilities have similar characteristics, but one can only be fixed by the vendor changing the chip itself, while the other can be patched.
Xilinx has not currently issued a security patch for either vulnerability. Because an attacker can use the first vulnerability to bypass any security patch, patching the second vulnerability alone would not help. However, the company has revised its technical manual to recommend that affected users switch to the Hardware Root of Trust secure boot mode to avoid these vulnerabilities.
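The weakness and the recommended mitigation described above can be modelled in a few lines; this is an added example, not code from F-Secure or Xilinx. It assumes a constructed three-field header (not the real Zynq UltraScale+ boot header layout), omits payload encryption, and uses HMAC-SHA256 as a stand-in for both the payload integrity check and the Hardware Root of Trust authentication.

```python
import hashlib
import hmac
import struct

# Constructed toy layout, NOT the real Zynq UltraScale+ boot header:
# 4-byte magic | 4-byte entry point | 4-byte payload length, then the payload.
HDR = struct.Struct("<4sII")
KEY = b"constructed-device-key"  # stand-in for the key held in the device


def tag(data: bytes) -> bytes:
    """HMAC-SHA256 as a stand-in for the integrity check of each mode."""
    return hmac.new(KEY, data, hashlib.sha256).digest()


def build_image(entry: int, payload: bytes) -> bytes:
    """Header, payload, a tag over the payload only, and a tag over header + payload."""
    header = HDR.pack(b"BOOT", entry, len(payload))
    return header + payload + tag(payload) + tag(header + payload)


def parse(image: bytes):
    header, body = image[:HDR.size], image[HDR.size:-64]
    return header, body, image[-64:-32], image[-32:]


def load_payload_only(image: bytes) -> int:
    """Models the weak design: payload is checked, header fields are trusted as-is."""
    header, body, payload_tag, _ = parse(image)
    if not hmac.compare_digest(tag(body), payload_tag):
        raise ValueError("payload integrity check failed")
    return HDR.unpack(header)[1]  # entry point taken from unauthenticated metadata


def load_authenticated(image: bytes) -> int:
    """Models the recommended design: header and payload are verified before use."""
    header, body, _, full_tag = parse(image)
    if not hmac.compare_digest(tag(header + body), full_tag):
        raise ValueError("boot image authentication failed")
    return HDR.unpack(header)[1]


def modify_entry(image: bytes, new_entry: int) -> bytes:
    """Simulates a changed header field without touching the payload or tags."""
    magic, _, length = HDR.unpack(image[:HDR.size])
    return HDR.pack(magic, new_entry, length) + image[HDR.size:]
```

With an unmodified image both loaders return the same entry point; after `modify_entry`, `load_payload_only` returns the changed value while `load_authenticated` raises `ValueError`.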