CVE-2019-5478


A weakness was found in Encrypt Only boot mode in Zynq UltraScale+ devices. This could lead to an adversary being able to modify the control fields of the boot image leading to an incorrect secure boot behavior.


Security Impact Summary

This vulnerability carries a MEDIUM severity rating with a CVSS v3.1 score of 5.5. Exploitation requires local system access and only low-level privileges, with relatively low complexity and no user interaction. The vulnerability impacts integrity (unauthorized modifications) on affected systems. It affects 82 products from amd, so organizations running these solutions should prioritize assessment and patching.

Historical Context

First disclosed in 2019, this vulnerability was reported during a period defined by widespread IoT adoption challenges, mobile security concerns, and the emergence of advanced persistent threat (APT) techniques. Contemporary mitigation strategies focused on secure development practices and third-party component vetting.


Published

2019-09-03T20:15:11.530

Last Modified

2024-11-27T16:10:16.277

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 5.5 (MEDIUM)

CVSSv2 Vector

AV:L/AC:L/Au:N/C:N/I:P/A:N

  • Access Vector: LOCAL
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE

Exploitability Score

3.9

Impact Score

2.9

Weaknesses
  • Type: Secondary
    CWE-657
  • Type: Primary
    CWE-345

Affected Vendors & Products
Type | Vendor | Product | Version/Range | Vulnerable?
Operating System | amd | zu11eg_firmware | - | Yes
Hardware | amd | zu11eg | - | No
Operating System | amd | zu15eg_firmware | - | Yes
Hardware | amd | zu15eg | - | No
Operating System | amd | zu17eg_firmware | - | Yes
Hardware | amd | zu17eg | - | No
Operating System | amd | zu19eg_firmware | - | Yes
Hardware | amd | zu19eg | - | No
Operating System | amd | zu1cg_firmware | - | Yes
Hardware | amd | zu1cg | - | No
Operating System | amd | zu1eg_firmware | - | Yes
Hardware | amd | zu1eg | - | No
Operating System | amd | zu21dr_firmware | - | Yes
Hardware | amd | zu21dr | - | No
Operating System | amd | zu25dr_firmware | - | Yes
Hardware | amd | zu25dr | - | No
Operating System | amd | zu27dr_firmware | - | Yes
Hardware | amd | zu27dr | - | No
Operating System | amd | zu28dr_firmware | - | Yes
Hardware | amd | zu28dr | - | No
Operating System | amd | zu29dr_firmware | - | Yes
Hardware | amd | zu29dr | - | No
Operating System | amd | zu2cg_firmware | - | Yes
Hardware | amd | zu2cg | - | No
Operating System | amd | zu2eg_firmware | - | Yes
Hardware | amd | zu2eg | - | No
Operating System | amd | zu39dr_firmware | - | Yes
Hardware | amd | zu39dr | - | No
Operating System | amd | zu3cg_firmware | - | Yes
Hardware | amd | zu3cg | - | No
Operating System | amd | zu3eg_firmware | - | Yes
Hardware | amd | zu3eg | - | No
Operating System | amd | zu3tcg_firmware | - | Yes
Hardware | amd | zu3tcg | - | No
Operating System | amd | zu3teg_firmware | - | Yes
Hardware | amd | zu3teg | - | No
Operating System | amd | zu42dr_firmware | - | Yes
Hardware | amd | zu42dr | - | No
Operating System | amd | zu43dr_firmware | - | Yes
Hardware | amd | zu43dr | - | No
Operating System | amd | zu46dr_firmware | - | Yes
Hardware | amd | zu46dr | - | No
Operating System | amd | zu47dr_firmware | - | Yes
Hardware | amd | zu47dr | - | No
Operating System | amd | zu48dr_firmware | - | Yes
Hardware | amd | zu48dr | - | No
Operating System | amd | zu49dr_firmware | - | Yes
Hardware | amd | zu49dr | - | No
Operating System | amd | zu4cg_firmware | - | Yes
Hardware | amd | zu4cg | - | No
Operating System | amd | zu4eg_firmware | - | Yes
Hardware | amd | zu4eg | - | No
Operating System | amd | zu4ev_firmware | - | Yes
Hardware | amd | zu4ev | - | No
Operating System | amd | zu5cg_firmware | - | Yes
Hardware | amd | zu5cg | - | No
Operating System | amd | zu5eg_firmware | - | Yes
Hardware | amd | zu5eg | - | No
Operating System | amd | zu5ev_firmware | - | Yes
Hardware | amd | zu5ev | - | No
Operating System | amd | zu63dr_firmware | - | Yes
Hardware | amd | zu63dr | - | No
Operating System | amd | zu64dr_firmware | - | Yes
Hardware | amd | zu64dr | - | No
Operating System | amd | zu65dr_firmware | - | Yes
Hardware | amd | zu65dr | - | No
Operating System | amd | zu67dr_firmware | - | Yes
Hardware | amd | zu67dr | - | No
Operating System | amd | zu6cg_firmware | - | Yes
Hardware | amd | zu6cg | - | No
Operating System | amd | zu6eg_firmware | - | Yes
Hardware | amd | zu6eg | - | No
Operating System | amd | zu7cg_firmware | - | Yes
Hardware | amd | zu7cg | - | No
Operating System | amd | zu7eg_firmware | - | Yes
Hardware | amd | zu7eg | - | No
Operating System | amd | zu7ev_firmware | - | Yes
Hardware | amd | zu7ev | - | No
Operating System | amd | zu9cg_firmware | - | Yes
Hardware | amd | zu9cg | - | No
Operating System | amd | zu9eg_firmware | - | Yes
Hardware | amd | zu9eg | - | No
