Used firmware susceptible to ThreadX vulnerabilities? #344

Closed
jow- opened this Issue Jan 19, 2019 · 13 comments

@jow-
commented Jan 19, 2019

An RCE vulnerability in various Marvell wireless chipset/firmware combinations has recently been reported; find more details at:
https://embedi.org/blog/remotely-compromise-devices-by-using-bugs-in-marvell-avastar-wi-fi-from-zero-knowledge-to-zero-click-rce/

Is the firmware bundled with the mwlwifi driver affected? The linked report specifically mentions 88W8897 chips and this repo contains a bin/firmware/88W8897.bin.

@anazz20

commented Jan 19, 2019

I read an earlier article, and they mentioned the 88W897A, not sure if that is a different chip or not, but it did say patches are in the works. I mean this chip is in a lot of IoT devices as well as routers.

@tapper82

commented Jan 19, 2019

I too would like more info about this, please.

@jeolives

commented Jan 19, 2019

I'd rather not jump to conclusions, but my opinion is that the lack of commits in this repo and https://github.com/mrvltest/mwlwifi-8997 may mean that they're devoting all their resources to actually patching it out. The existence (not the details) of the vulnerability was initially publicly disclosed on November 21-20 at Zero Nights 2018 in St. Petersburg (https://2018.zeronights.ru/wp-content/uploads/materials/19-Researching-Marvell-Avastar-Wi-Fi.pdf). Regardless, it'd still be nice to actually hear from @yuhhaurlin to know when the patched binaries are available, if applicable to the WRT AC series or mwlwifi.

@kubrickfr

commented Jan 20, 2019

Yes or they've given up on this open source project...

@jeolives

commented Jan 21, 2019

Looks like the vulnerability has been assigned as CVE-2019-6496. However, details are still obfuscated and sparse.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6496
https://vuldb.com/?id.129973
https://nvd.nist.gov/vuln/detail/CVE-2019-6496

@howl

commented Jan 21, 2019

I gave up on the idea that the new Linksys WRT series wifi interfaces were just going to have good open source support the very first day I tried them. Retained just one of them just in case the situation drastically changes, but it's still the same.

This driver has a lot of stability and other types of problems, and the main developer seems to be blind, as you can read that he states that the driver is very nice in different GitHub issues. I think it is going to be a miracle if you get a confirmation here from Marvell for the RCE vulnerability.

@BrainSlayer

commented Jan 22, 2019

@howl The best way to find out is trying it out. The security issue is well described. I wouldn't wonder if the issue persists in all chipsets since the codebase might be the same, even if there are differences in the chipsets.

@Kherby

commented Jan 29, 2019

-rep for Marvell, Linksys/Belkin and the main dev of this project...

@jeolives

commented Feb 8, 2019

Marvell's vendor statement is located here.

Additional information and an up to date summary here: https://kb.cert.org/vuls/id/730261/

Kind of disappointed that we had to manually track the CVE through multiple websites and user forums instead of having been informed by the main developer of this project.

@yuhhaurlin

Collaborator

commented Feb 8, 2019

Firmware of 88W8897 and 88W8997 are different code base. There should be no these issues.

@yuhhaurlin yuhhaurlin closed this Feb 8, 2019

@boktai1000

commented Feb 8, 2019

@yuhhaurlin I was wondering if you could elaborate a bit more on this response that there "should be no issues". Please see the following information:

https://kb.cert.org/vuls/id/730261/ (Mentions 88W8787, 88W8797, 88W8801, 88W8897, and 88W8997)

88W8897 and 88W8997 both have .bin files provided by Marvell that are in this code repository:

Looking at the latest commits for each, it appears these are provided by Marvell themselves?

Signed-off-by: David Lin dlin@marvell.com

I inquired to Will Dormann on Twitter as he is mentioned as document writer at CERT about this

So Marvell only mentions 88W8897 but we do know that a firmware binary has been provided by Marvell to this repository. In addition, CERT mentions 88W8997 though, as well as some other chipsets which are not present in this repository. But Will has also mentioned that it's entirely possible (but not necessarily confirmed) that it could potentially affect other chipsets in the Marvell Avastar Chipset series, meaning 'potentially' having an impact on the other chipsets provided here (88W8864.bin and 88W8964.bin, in addition to 88W8897 and 88W8997 which are confirmed affected).

So going back to the firmware binaries in this repository, would it not make sense to get a line of communication going with Marvell to inquire regarding a new updated firmware binary that could potentially resolve this issue? Has this line of communication already been done behind the scenes?

I don't think Marvell are going to willingly send out updated firmwares. I also found this thread that seems to indicate that it's more on the maintainers to reach out and Marvell themselves can't know the level of interest offhand or be responsible for sending out updated firmwares:

Yes we have some updates, and continue working on it. But we felt that
community does not seem to be very interested in this driver, so we have not
been updating the wireless org. Let us know if you are supportive and waiting
for it.

My understanding was that we'd very much like the driver to be sent upstream.
From my perspective, it looked like you'd lost interest, not us.

Lastly, I compared both the marvell-wireless/mwlwifi and kaloz/mwlwifi repositories under /bin/firmware to see what versions are present in each

Differences as follows:

88W8864.bin

  • marvell-wireless - Upgrade 88W8864 firmware to 7.3.0.21 a year ago
  • kaloz - Upgrade 88W8864 firmware to 7.2.9.26. 3 years ago

88W8997.bin

  • marvell-wireless - Upgrade 88W8997 firmware to 8.4.0.46. 6 months ago
  • kaloz - Upgrade 88W8997 firmware to 8.4.4.6. 2 months ago

It appears that each repository has a different, more up to date firmware binary.

Anyways, @yuhhaurlin to summarize, have you and if not could you or the repository owner get in contact with Marvell and determine if these firmware binary files are indeed vulnerable and possibly get an updated firmware binary for each of the chipsets maintained by this project, as they may include a fix to the vulnerability in question?

I'm gathering this information from the outside in, so please let me know if I've misunderstood anything here regarding the project. But I know for myself as well as others, we are looking for a more detailed response from the repository owner on why exactly this isn't vulnerable and "There should be no these issues" isn't a good enough answer, why are there no issues/etc.

@dengqf6

Contributor

commented Feb 13, 2019

Shunned
Glad I'm using 88W8864..

@yuhhaurlin

Collaborator

commented Feb 13, 2019

  1. Binary file of 88W8897 and 88W8997 for AP mode are not used by open source.
  2. The code base is not the same as client mode.