Slashdot Mirror


Firmware Vulnerability In Popular Wi-Fi Chipset Affects Laptops, Smartphones, Routers, Gaming Devices (zdnet.com)

Embedi security researcher Denis Selianin has discovered a vulnerability affecting the firmware of a popular Wi-Fi chipset deployed in a wide range of devices, such as laptops, smartphones, gaming rigs, routers, and Internet of Things (IoT) devices. According to Selianin, the vulnerability impacts ThreadX, a real-time operating system that is used as firmware for billions of devices. ZDNet reports: In a report published today, Selianin described how someone could exploit the ThreadX firmware installed on a Marvell Avastar 88W8897 wireless chipset to execute malicious code without any user interaction. The researcher chose this WiFi SoC (system-on-a-chip) because this is one of the most popular WiFi chipsets on the market, being deployed with devices such as Sony PlayStation 4, Xbox One, Microsoft Surface laptops, Samsung Chromebooks, Samsung Galaxy J1 smartphones, and Valve SteamLink cast devices, just to name a few.

"I've managed to identify ~4 total memory corruption issues in some parts of the firmware," said Selianin. "One of the discovered vulnerabilities was a special case of ThreadX block pool overflow. This vulnerability can be triggered without user interaction during the scanning for available networks." The researcher says the firmware function to scan for new WiFi networks launches automatically every five minutes, making exploitation trivial. All an attacker has to do is send malformed WiFi packets to any device with a Marvell Avastar WiFi chipset and wait until the function launches, to execute malicious code and take over the device.
Selianin says he also "identified two methods of exploiting this technique, one that is specific to Marvell's own implementation of the ThreadX firmware, and one that is generic and can be applied to any ThreadX-based firmware, which, according to the ThreadX homepage, could impact as much as 6.2 billion devices," the report says. Patches are reportedly being worked on.
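What a "block pool overflow" does to a fixed-block allocator, as an added illustration that is not Selianin's code, Embedi's, or ThreadX's. The pool below is an assumed, simplified model (fixed-size blocks, free list linked through the first bytes of each free block); the page does not describe ThreadX's actual internals, and the malformed input is a constructed 802.11-style SSID element (id, length, payload), also an assumption, since the page does not describe the actual frame. The unbounded copy trusts the element's length byte and runs past its block into the neighbouring free block's link; the bounded copy rejects the element before allocating.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define BLOCK_SIZE 32          /* fixed block size; 32 is also the 802.11 SSID maximum */
#define NUM_BLOCKS 4

/* Toy fixed-size block pool (assumed, simplified model; not ThreadX's code).
 * Free blocks form a singly linked list, and each free block stores the
 * pointer to the next free block in its own first bytes. That layout is what
 * makes an overflow out of an adjacent in-use block dangerous: it can rewrite
 * a free-list link, so a later allocation hands out an attacker-chosen address. */
typedef struct {
    unsigned char mem[NUM_BLOCKS * BLOCK_SIZE];
    unsigned char *free_head;
} pool_t;

static void pool_init(pool_t *p) {
    memset(p->mem, 0, sizeof p->mem);
    for (int i = 0; i < NUM_BLOCKS; i++) {
        unsigned char *blk = p->mem + (size_t)i * BLOCK_SIZE;
        unsigned char *next = (i + 1 < NUM_BLOCKS) ? blk + BLOCK_SIZE : NULL;
        memcpy(blk, &next, sizeof next);   /* link lives inside the free block */
    }
    p->free_head = p->mem;
}

/* Pop the head of the free list; the next link is read from the block itself. */
static unsigned char *pool_alloc(pool_t *p) {
    unsigned char *blk = p->free_head;
    if (blk == NULL) return NULL;
    memcpy(&p->free_head, blk, sizeof p->free_head);
    return blk;
}

/* Walk the free list and report 1 if every link still points at a block
 * boundary inside the pool, 0 if a link has been overwritten. Addresses are
 * compared as integers so a corrupted link can be inspected without being used. */
static int free_list_intact(const pool_t *p) {
    uintptr_t lo = (uintptr_t)p->mem, hi = lo + sizeof p->mem;
    const unsigned char *cur = p->free_head;
    for (int hops = 0; cur != NULL; hops++) {
        uintptr_t a = (uintptr_t)cur;
        if (a < lo || a >= hi || (a - lo) % BLOCK_SIZE != 0 || hops >= NUM_BLOCKS) return 0;
        memcpy(&cur, cur, sizeof cur);
    }
    return 1;
}

/* Copy the payload of a constructed 802.11-style information element
 * (1-byte id, 1-byte length, payload) into a pool block. The element format is
 * assumed for illustration; the page does not describe the real malformed frame. */
static int copy_ssid(pool_t *p, const unsigned char *ie, size_t ie_len,
                     int bounded, unsigned char **out) {
    if (ie_len < 2 || ie[1] > ie_len - 2) return -1;   /* truncated element */
    if (bounded && ie[1] > BLOCK_SIZE) return -1;      /* hardened: reject before allocating */
    unsigned char *blk = pool_alloc(p);
    if (blk == NULL) return -1;
    memcpy(blk, ie + 2, ie[1]);   /* unbounded variant trusts ie[1] and runs into the next block */
    *out = blk;
    return 0;
}

/* Drive one scenario: build an element claiming `claimed_len` bytes of SSID,
 * feed it to the bounded or unbounded copy, and report the pool state:
 *  1 = copied and free list intact, 0 = copied and free list corrupted,
 * -1 = element rejected, -2 = length too large for this toy's backing array. */
static int run_scenario(int bounded, unsigned char claimed_len) {
    pool_t p;
    unsigned char ie[2 + 255];                 /* constructed frame element, not captured data */
    unsigned char *blk = NULL;
    if (claimed_len > sizeof p.mem) return -2; /* keep the demo's overflow inside the model pool */
    pool_init(&p);
    ie[0] = 0;                                 /* element id 0 = SSID */
    ie[1] = claimed_len;
    memset(ie + 2, 'A', claimed_len);
    if (copy_ssid(&p, ie, 2u + claimed_len, bounded, &blk) != 0) return -1;
    return free_list_intact(&p);
}

int main(void) {
    printf("8-byte SSID, unbounded copy:  %d\n", run_scenario(0, 8));
    printf("48-byte SSID, unbounded copy: %d\n", run_scenario(0, 48));
    printf("48-byte SSID, bounded copy:   %d\n", run_scenario(1, 48));
    return 0;
}
```

The 48-byte element overruns the 32-byte block by 16 bytes, which lands on the link stored at the start of the next free block; the next two allocations would first return that block and then the attacker-chosen address now sitting in the link. The fix that matters is the length check on the element before anything is allocated; the free-list walk only detects the damage after it has happened.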

2 of 100 comments

  1. ThreadX RTOS by duke_cheetah2003 · Score: 4, Interesting

    If I'm reading this correctly, the blame for these exploits is being squarely placed on this ThreadX RTOS thing.

    Well, you signed up for a proprietary operating system; this is what you get when you do that. This is the downside of using code you can't look at and assess yourself, or have assessed by professionals. You just have to take their word for it that it's secure, stable and good. Obviously, this particular proprietary operating system is not secure.

    Must say, I'm mildly surprised. Checking out the ThreadX RTOS website, they seem to have all sorts of fancy certifications which I have no idea what mean, but surely they mean something? Just not a secure and exploit-free operating system?

  2. 2-4KB of RAM & $300 million risk limits OS cho by raymorris · Score: 4, Interesting

    > they seem to have all sorts of fancy certifications which I have no idea what mean, but surely they mean something?

    Mostly they mean that you can depend on it running perfectly reliably, so you can trust your $300 million space probe to ThreadX.

    You may have also noticed ThreadX takes 2KB of memory.

    When your system requirements are the kind of thing ThreadX is designed for, you don't have a ton of options. Maybe three will be worth considering, and likely one will be the best fit, just on technical considerations.