Unrated severity · NVD Advisory · Published May 3, 2019 · Updated Aug 4, 2024

CVE-2019-11690

Description

gen_rand_uuid in lib/uuid.c in Das U-Boot v2014.04 through v2019.04 lacks an srand call, which allows attackers to determine UUID values in scenarios where CONFIG_RANDOM_UUID is enabled, and Das U-Boot is relied upon for UUID values of a GUID Partition Table of a boot device.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Das U-Boot's gen_rand_uuid lacks an srand call, making GPT UUIDs predictable when CONFIG_RANDOM_UUID is enabled.

Vulnerability

gen_rand_uuid in lib/uuid.c of Das U-Boot versions v2014.04 through v2019.04 uses rand() without first calling srand. When CONFIG_RANDOM_UUID is enabled, the pseudo-random number generator therefore produces deterministic output, and that output is used to generate the UUIDs for the GUID Partition Table (GPT) of a boot device.

Exploitation

An attacker does not require authentication or network access; they only need to know the boot timing or any other source that would allow them to reproduce the initial random state. Because no seed is set, each boot sequence yields the same sequence of random numbers, enabling prediction of the UUID values that will be assigned to GPT entries.

Impact

Successful exploitation allows the attacker to determine UUID values before they are used, potentially allowing them to craft a malicious GPT that matches expected identifiers. This could lead to boot‑process interference or data integrity attacks, as the trusted UUIDs can be predicted and manipulated.

Mitigation

No official patch had been released at the time of publication. The vulnerability can be mitigated by disabling CONFIG_RANDOM_UUID in the build configuration if the platform does not require randomized UUIDs. Users should monitor the U‑Boot project for a fix that adds an srand call (e.g., using hardware entropy) and update to a patched version when available.
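The missing seed described under Vulnerability and the seeding fix mentioned under Mitigation, shown as an added example that is not U-Boot code: the xorshift32 generator, DEFAULT_STATE, the seed values and all function names are hypothetical stand-ins for the real rand()/srand pair.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in xorshift32 generator, NOT U-Boot's rand(); names are hypothetical. */
#define DEFAULT_STATE 1u /* constructed: fixed state every boot starts from */
struct prng { uint32_t state; };

static uint32_t prng_next(struct prng *p) {
    uint32_t x = p->state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return p->state = x;
}

/* Fill 16 bytes from the PRNG, then set the RFC 4122 version-4/variant bits. */
static void gen_uuid_v4(struct prng *p, uint8_t out[16]) {
    for (int i = 0; i < 16; i += 4) {
        uint32_t r = prng_next(p);
        memcpy(out + i, &r, sizeof(r));
    }
    out[6] = (out[6] & 0x0f) | 0x40;
    out[8] = (out[8] & 0x3f) | 0x80;
}

/* One simulated boot. seeded == 0 models the missing srand call. */
static void boot_and_gen(int seeded, uint32_t seed, uint8_t out[16]) {
    struct prng p = { DEFAULT_STATE };
    if (seeded && seed != 0) /* xorshift state must be non-zero */
        p.state = seed;
    gen_uuid_v4(&p, out);
}

/* Returns 1 when two independent boots produce the same UUID. */
int boots_collide(int seeded, uint32_t seed_a, uint32_t seed_b) {
    uint8_t a[16], b[16];
    boot_and_gen(seeded, seed_a, a);
    boot_and_gen(seeded, seed_b, b);
    return memcmp(a, b, sizeof(a)) == 0;
}

int main(void) {
    /* Constructed seeds standing in for per-boot hardware entropy. */
    printf("unseeded: collide=%d\n", boots_collide(0, 0, 0));
    printf("seeded:   collide=%d\n", boots_collide(1, 0x9e3779b9u, 0x7f4a7c15u));
    return 0;
}
```

Seeding only helps when the seed differs per boot and cannot be guessed: two boots given the same seed still produce the same UUID.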

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

22

Patches

0

No patches discovered yet.

References

1
