
Possible to retrieve unencrypted firmware image

Moderate
ceolin published GHSA-wrj2-9vj9-rrcp May 31, 2022

Package

zephyr (west)

Affected versions

< v3.0

Patched versions

None

Description

Impact

There is no check preventing slot 0 from being uploaded from the device to the host.
When encrypted images are used, this means the unencrypted firmware can be retrieved easily, because slot 0 always holds the image in plaintext.

There should be a check around this line: https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/usb/class/dfu/usb_dfu.c#L478. Alternatively, the developer should be warned against, or prevented from, using USB DFU when encrypted images are used.

The commands below can be used to reproduce the issue. I tested on Zephyr revision 4b6eb55. Note that image encryption isn't actually enabled to keep the demo simple. Since slot 0 is never encrypted this will yield the same effect as with an encrypted image.

west build -p -b nrf52840dk_nrf52840 bootloader/mcuboot/boot/zephyr/ -d build-mcuboot   # build MCUboot for the nRF52840 DK
west build -p -b nrf52840dk_nrf52840 zephyr/samples/subsys/usb/dfu -d build-dfu -- -DCONFIG_BOOTLOADER_MCUBOOT=y -DCONFIG_MCUBOOT_SIGNATURE_KEY_FILE=\"bootloader/mcuboot/root-rsa-2048.pem\"   # build the USB DFU sample as an MCUboot-signed image
west flash -d build-mcuboot   # flash the bootloader
west flash -d build-dfu       # flash the signed application into slot 0

dfu-util --alt=0 -U slot0.bin # uploads slot 0 (the plaintext running image) to the host
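The following is an added example, not Zephyr's usb_dfu.c and not the fix from #42424: a self-contained model of a DFU upload handler that shows the reported behaviour next to the check the advisory asks for. The request codes are from the USB DFU 1.1 specification; the slot layout, the flash contents, the build-time opt-in flag and all function names are assumptions.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define DFU_DNLOAD 0x01 /* USB DFU 1.1 class request codes */
#define DFU_UPLOAD 0x02

/* Alternate settings as the Zephyr DFU sample exposes them (assumed here): alt 0 is
 * the MCUboot primary slot (always plaintext), alt 1 the secondary slot (may be encrypted). */
#define ALT_SLOT0 0
#define ALT_SLOT1 1
#define SLOT_SIZE 8

/* Constructed stand-in for flash: two slots of SLOT_SIZE bytes each. */
static const uint8_t flash[2][SLOT_SIZE] = {
    {0xDE, 0xAD, 0xBE, 0xEF, 0x01, 0x02, 0x03, 0x04}, /* slot 0: plaintext */
    {0x5A, 0x5A, 0x5A, 0x5A, 0x5A, 0x5A, 0x5A, 0x5A}, /* slot 1: ciphertext */
};
uint8_t dfu_scratch[SLOT_SIZE]; /* host-side receive buffer for the demo */

/* The check the advisory asks for: device-to-host uploads are refused for the
 * primary slot, and refused entirely unless the build opted in to uploads
 * (modelled as upload_enabled). Returns 0 if allowed, -EPERM otherwise. */
int dfu_request_allowed(uint8_t request, uint8_t alt, bool upload_enabled)
{
    if (request != DFU_UPLOAD) {
        return 0;      /* DFU_DNLOAD and status requests are unaffected */
    }
    if (!upload_enabled || alt == ALT_SLOT0) {
        return -EPERM; /* never hand out the plaintext primary slot */
    }
    return 0;
}

/* Upload handler; 'hardened' selects whether the policy check runs, so one
 * function shows both behaviours. Returns bytes copied, or a negative errno. */
int dfu_upload(uint8_t alt, bool hardened, bool upload_enabled,
               uint8_t *out, size_t len)
{
    if (alt > ALT_SLOT1 || len > SLOT_SIZE) {
        return -EINVAL;
    }
    if (hardened && dfu_request_allowed(DFU_UPLOAD, alt, upload_enabled)) {
        return -EPERM;
    }
    memcpy(out, flash[alt], len);
    return (int)len;
}
```

With `hardened` false the handler copies slot 0 out exactly as the advisory describes; with it true, slot 0 is never served and slot 1 is served only when uploads were explicitly enabled.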

Patches

This has been fixed in:

  • main (v3.0 development cycle) #42424

For more information

If you have any questions or comments about this advisory:

embargo: 2022-05-09

Severity

Moderate (6.5 / 10)

CVSS base metrics

Attack vector: Adjacent
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE ID

CVE-2022-0553
