Over 6 billion WiFi devices in danger due to a bug
A Marvell Avastar chipset firmware bug, widely used in many devices, allows remote code execution without the user being aware of anything.
Denis Selianin, the security researcher for the company Embedi, has identified a dangerous vulnerability in a WiFi chipset widely used in many electronic devices such as laptops, smartphones, gaming devices, routers and IoT devices.]
It is a vulnerability inherent to ThreadX, real-time operating system that in the Marvell Avastar 88W8897 chipset is used as firmware. The vulnerability is quite serious for various reasons: the high diffusion of the chipset, the ease in exploitation and the possibility, once exploited, to execute arbitrary code without the user being aware of anything in all of this.
The Marvell Avastar 88W8897 chipset is found in devices like Playstation 4, Xbox One, Surface, Chromebook, Galaxy J11 and Valve SteamLink devices, to name a few.
” I have managed to identify 4 memory corruption problems in some parts of the firmware, one of the vulnerabilities discovered concerns a particular case of Thread X’s block pool overflow, which can be triggered without any interaction with the user, when scanning networks WiFi available, ” writes the researcher in his speech on the Embedi blog.
The function of the firmware to check the availability of new WiFi networks is launched automatically every five minutes, making the exploitation of the vulnerability a thing of little consequence: everything that an attacker must perform is to send WiFi packages appropriately built to a device with Marvell Avastar chipset and wait until the scan function is launched, to run code and take control of the device.
” This is the reason why this bug is so effective, and offers an opportunity to compromise devices literally without any interaction, at any stage of the wireless connection and even if a device is not connected to any network ” the researcher points out.
Selianin claims to have identified two methods to exploit this technique: a specification for Marvell’s proprietary ThreadX implementations, and a generic one that can be applied to any ThreadX-based firmware. In this second case, the impact could concern 6.2 billion devices.
The technical details of the vulnerability are present in Selianin’s post. Currently, for obvious reasons, the proof of concept has not yet been released, and the companies involved are working to develop a corrective patch.