Another Vulnerability in the LPC55S69 ROM
Here at Oxide, we continue to work on building servers as they should be. Last year, we discovered an undocumented hardware block in the LPC55S69 (our chosen part for our product's Root of Trust implementation) that could be used to violate security boundaries. That issue highlighted the importance of transparency as an Oxide value, which is why we are bringing another recently discovered vulnerability to light today. While continuing to develop our product, we discovered a buffer overflow in the ROM of the LPC55S69. The issue exists in the In-System Programming (ISP) code for the signed update mechanism, which lives in ROM. This vulnerability allows an attacker to gain non-persistent code execution with a carefully crafted update, regardless of whether the update is signed. It can be used to bypass restrictions when the chip is fully locked down and also to extract the device's DICE Unique Device Secret (UDS). Because the issue exists in ROM, there is no known workaround other than disabling all hardware and software paths to enter ISP mode. CVE-2022-22819 has been assigned for this vulnerability. Finding two separate issues in the same chip only strengthens Oxide's assertion that keeping code proprietary does not improve product security, and that hardware manufacturers such as NXP should make their ROM source available for customer review.
Before discussing the exploit, it is worth thinking about the higher-level problem: how do you update your software on a microcontroller once it leaves the factory? This turns out to be a tricky problem where a bug could end up in a non-functional device. To make this problem easier, chip makers like NXP provide some way to put the chip in a mode that allows for safe modification of flash independent of installed firmware. NXP offers this through its In System Programming (ISP) mode.
ISP mode allows a host (typically a general purpose computer) to read and write various parts of the chip, including flash, by sending commands to the target over a variety of protocols. The LPC55S69 supports receiving ISP commands over UART, SPI, I2C, and, on variants that include the necessary peripheral, CAN. The LPC55S69 can also be configured to require that code be signed with a specific key. In this configuration, most commands are restricted and changes to the flash can only come through the receive-sb-file command.
The receive-sb-file ISP command uses the SB2 format. This format consists of a header followed by a series of commands which can modify the flash or start code execution. Confidentiality and integrity of an update are provided by encrypting the commands with a key programmed at manufacturing time, inserting a secure digest of the commands in the update header, and finally signing the header. The C representation of the first part of the header looks like the following:
struct sb2_header_t
{
    uint32_t nonce[4];
    uint32_t reserved;
    uint8_t m_signature[4];
    uint8_t m_majorVersion;
    uint8_t m_minorVersion;
    uint16_t m_flags;
    uint32_t m_imageBlocks;
    uint32_t m_firstBootTagBlock;
    section_id_t m_firstBootableSectionID;
    uint32_t m_offsetToCertificateBlockInBytes;
    uint16_t m_headerBlocks;
    uint16_t m_keyBlobBlock;    /* block number; the field the ROM parser fails to bounds-check */
    uint16_t m_keyBlobBlockCount;
    uint16_t m_maxSectionMacCount;
    uint8_t m_signature2[4];
    uint64_t m_timestamp;
    version_t m_productVersion;
    version_t m_componentVersion;
    uint32_t m_buildNumber;
    uint8_t m_padding1[4];
};
The SB2 update is parsed sequentially in 16-byte blocks. The header identifies some parts of the update by block number (e.g. block 0 is at byte offset 0, block 1 at byte offset 16, and so on). The bug comes from improper bounds checking on the block numbers. The SB2 parser in ROM copies the header to a global buffer before checking the signature. Instead of stopping when the size of the header has been copied (a total of 8 blocks or 128 bytes), the parsing code copies up to m_keyBlobBlock number of blocks. In a correctly formatted header, m_keyBlobBlock will refer to the block number right after the header, but the code does not check the bounds on this. If m_keyBlobBlock is set to a much larger number, the code will continue copying bytes past the end of the global buffer, a classic buffer overflow.
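As an added illustration (not code from the LPC55S69 ROM or from Oxide), the C sketch below shows the bounds check described above as missing: the copy is sized by the destination buffer, and m_keyBlobBlock is validated before any byte is copied. The function names, status codes and the g_sb2_header buffer are hypothetical; the 16-byte block size and 8-block header size are the ones given in the text.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SB2_BLOCK_SIZE    16u /* page: SB2 is parsed in 16-byte blocks */
#define SB2_HEADER_BLOCKS 8u  /* page: the header is 8 blocks, 128 bytes */
typedef enum { SB2_OK, SB2_ERR_TRUNCATED, SB2_ERR_KEYBLOB_BLOCK } sb2_status_t;

/* Stand-in for the parser's global header buffer (hypothetical name). */
static uint8_t g_sb2_header[SB2_HEADER_BLOCKS * SB2_BLOCK_SIZE];

/* Bytes a copy that trusts m_keyBlobBlock as its block count would write
 * past a one-header buffer; 0 means the field stays inside the buffer. */
size_t sb2_overrun_bytes(uint16_t key_blob_block)
{
    if (key_blob_block <= SB2_HEADER_BLOCKS)
        return 0;
    return (size_t)(key_blob_block - SB2_HEADER_BLOCKS) * SB2_BLOCK_SIZE;
}

/* Hardened copy: the loop bound is the buffer's own size, and the header
 * field is validated before any byte moves and before any signature work. */
sb2_status_t sb2_copy_header(const uint8_t *stream, size_t stream_len,
                             uint16_t key_blob_block, size_t *copied)
{
    *copied = 0;
    if (stream_len < sizeof g_sb2_header)
        return SB2_ERR_TRUNCATED;
    /* Per the page, a well-formed header points at the block right after
     * the header; any other value is rejected as malformed. */
    if (key_blob_block != SB2_HEADER_BLOCKS)
        return SB2_ERR_KEYBLOB_BLOCK;
    for (size_t blk = 0; blk < SB2_HEADER_BLOCKS; blk++) {
        memcpy(&g_sb2_header[blk * SB2_BLOCK_SIZE],
               &stream[blk * SB2_BLOCK_SIZE], SB2_BLOCK_SIZE);
        *copied += SB2_BLOCK_SIZE;
    }
    return SB2_OK;
}

int main(void)
{
    uint8_t stream[256] = {0}; /* constructed input, not a real SB2 file */
    size_t n;
    printf("m_keyBlobBlock=8    -> status %d\n",
           (int)sb2_copy_header(stream, sizeof stream, 8, &n));
    printf("m_keyBlobBlock=0x40 -> status %d, unchecked overrun %zu bytes\n",
           (int)sb2_copy_header(stream, sizeof stream, 0x40, &n), sb2_overrun_bytes(0x40));
    return 0;
}
```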
The full extent of this bug depends on system configuration, with code execution possible in many circumstances. A simple version of this can allow for enabling SWD access (normally disabled during ISP mode) through jumping to existing code in ROM. A more sophisticated attack has been demonstrated as a proof-of-concept to provide arbitrary code execution. While code execution through this vulnerability does not directly provide persistence, attack code executes with the privileges of ISP mode and can thus modify flash contents. If the system is configured for secure boot and sealed through the Customer Manufacturing Programming Area (CMPA), modifications of code stored in flash will be detected on subsequent boots. Additionally, ISP mode executes while the DICE UDS (Unique Device Secret) is still accessible, allowing for off-device derivation of keys based on the secret.
Because this is an issue in the ROM, the best mitigation without replacing the chip is to prevent access to the vulnerable SB2 parser. Disabling ISP mode and not using flash recovery mode will avoid exposure, although this does mean the chip user must come up with alternate designs for those use cases.
The NXP ROM also provides an API for applying an SB2 update directly from user code. Using this API in any form will still provide a potential path to expose the bug. Checking the signature on an update using another ROM API before calling the update API would provide verification that an update is from a trusted source. This is not the same thing as verifying that the update data is correct or not malicious. Signature verification does provide a potential mechanism for some degree of confidence if using the SB2 update mechanism cannot be avoided.
As exciting as it was to find this issue, it was also surprising given NXP's previous statement that the ROM had been reviewed for vulnerabilities. While no review is guaranteed to find every issue, this issue once again highlights that a single report is no substitute for transparency. Oxide continues to assert that open firmware is necessary for building a more secure system. Transparency in what we are building and how we are building it will allow our customers to make a fully informed choice about what they are buying and how their system will work. We, once again, invite everyone to join us in making open firmware the industry baseline.
2021-12-22: Oxide discovers the vulnerability while attempting to understand the SB2 update process
2021-12-23: Oxide discloses the vulnerability to NXP
2022-01-03: NXP PSIRT acknowledges the report
2022-01-04: NXP PSIRT acknowledges the vulnerability
2022-02-28: NXP discloses the issue in an NXP Security Bulletin (NDA required) and confirms that a new ROM revision, and thus new part revisions, are required to correct the vulnerability in affected product lines.
2022-03-23: Oxide discloses as CVE-2022-22819