[Security] BroadPwn

At Black Hat 2017, security researcher Nitay Artenstein showed a vulnerability affecting millions of smartphones that he called BroadPwn. The bug sits inside the firmware blobs, but I didn't pay that much attention since I thought it would be related to recent smartphones, and at least the one I use still receives full security fix support, now in its 5th year.

But when I heard that the latest Raspbian release contains a fix for BroadPwn (RPi 3 and Zero W use the BCM43438 to provide wireless capabilities), I immediately asked myself a question: http://www.cnx-software.com/2017/08/17/raspbian-for-raspberry-pi-boards-gets-upgraded-to-debian-stretch/#comment-545270

 

I booted my RPi 3, added the stretch repo, did an apt-update and checked (after updating the kernel):

root@raspberrypi:~# apt list --upgradable
Listing... Done
device-tree-compiler/testing 1.4.4-1 armhf [upgradable from: 1.4.1-1+rpi1]
dnsmasq/testing 2.76-5+rpi2 all [upgradable from: 2.76-5+rpi1]
dnsmasq-base/testing 2.76-5+rpi2 armhf [upgradable from: 2.76-5+rpi1]
libcairo2/testing 1.14.8-1+rpi1 armhf [upgradable from: 1.14.0-2.1+deb8u2+rpi1]
libpam-modules/testing 1.1.8-3.6+rpi1 armhf [upgradable from: 1.1.8-3.1+deb8u2+rpi3]
libpam-modules-bin/testing 1.1.8-3.6+rpi1 armhf [upgradable from: 1.1.8-3.1+deb8u2+rpi3]
libpam-runtime/testing 1.1.8-3.6+rpi1 all [upgradable from: 1.1.8-3.1+deb8u2+rpi3]
libpam0g/testing 1.1.8-3.6+rpi1 armhf [upgradable from: 1.1.8-3.1+deb8u2+rpi3]
libraspberrypi-bin/testing 1.20170811-1 armhf [upgradable from: 1.20170703-1]
libraspberrypi0/testing 1.20170811-1 armhf [upgradable from: 1.20170703-1]
openmediavault/erasmus 3.0.87 all [upgradable from: 3.0.85]
raspberrypi-bootloader/testing 1.20170811-1 armhf [upgradable from: 1.20170703-1]

If I understand correctly, a BroadPwn fix has to be applied to the firmware blobs. Since the above is an Armbian userland combined with the RPi kernel, I checked Raspbian's firmware package: https://pastebin.com/bMWqwxcy

So if the most common Wi-Fi chips on supported boards are affected (since the AP6212 is just a BCM43438 A0 while the AP6212A is an A1 BCM43438), we might want to provide an updated armbian-firmware package asapissimo, true?


1 hour ago, tkaiser said:

Since the above is an Armbian userland combined with RPi kernel I checked Raspbian's firmware package: https://pastebin.com/bMWqwxcy

 

Hmm... I don't really understand what's happening. On my Jessie OMV image above I installed the 'firmware-brcm80211' package (https://archive.raspberrypi.org/debian/ stretch/main firmware-brcm80211 all 1:20161130-3+rpi2). Now I booted the latest Raspbian Stretch minimal and checked again. It's there as well: pool/main/f/firmware-nonfree/firmware-brcm80211_20161130-3+rpi2_all.deb: https://pastebin.com/N7WkB6yH

 

But on my Jessie/OMV image it's:

-rw-r--r--  1 root root 369577 Jan 15  2017 brcmfmac43430-sdio.bin
-rw-r--r--  1 root root   1108 Jan  3  2017 brcmfmac43430-sdio.txt
9258986488eca9fe5343b0d6fe040f8e  brcmfmac43430-sdio.bin
8c3cb6d8f0609b43f09d083b4006ec5a  brcmfmac43430-sdio.txt

While on the Raspbian/Stretch it looks like this:

-rw-r--r--  1 root root 372398 Aug  9 11:10 brcmfmac43430-sdio.bin
-rw-r--r--  1 root root   1014 Aug  9 11:10 brcmfmac43430-sdio.txt
5f520a38ab4e943bfa1ba102f80fb2a0  brcmfmac43430-sdio.bin
9a88b55134d9f8f3ad2331b93f4b7b79  brcmfmac43430-sdio.txt

Dmesg differences as follows:


Well, again talking to myself ;)

I put the exchanged firmware files online: http://kaiser-edv.de/tmp/NumpU4/brcmfmac43430-sdio-broadpwn-fix.tar

Is anyone here with the following combination able to test whether exchanging this firmware file works or not?

  • Board with AP6212 (not AP6212A, as far as I understood)
  • Mainline kernel and everything configured correctly to activate Wi-Fi
  • Test first with /lib/firmware/brcm/brcmfmac43430-sdio.bin as it's part of the armbian-firmware package and later with the one from the link above (collecting 'dmesg | grep brcm' of course)

No idea whether /lib/firmware/brcm/brcmfmac43430-sdio.txt must also be replaced...


The firmware from the Jessie/OMV image is apparently from the official Linux firmware repository, which has not been updated in quite a while.

https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/brcm

The firmware from Raspbian/Stretch has been updated specifically to fix Broadpwn:

Quote

firmware-nonfree (1:20161130-3+rpi2) stretch; urgency=medium

  * Bump epoch to prevent being replaced by raspbian.org
  * Update brcmfmac43430-sdio.txt and brcmfmac43430-sdio.bin
    - CVE-2017-9417: "Broadpwn" issue fix
    - Add "CY" string in the version string
    - AMPDU sequence number deadlock fix (potential fix for this issue)
    - CLM version upgrade
    - CVE-2017-0572: memory corruption fix

 -- Serge Schneider <serge@raspberrypi.org>  Wed, 09 Aug 2017 12:10:08 +0100


Running "strings" on the Raspbian brcmfmac43430-sdio.bin shows:

Quote

Version: 7.45.41.46 (r666254 CY) CRC: 970a33e2 Date: Mon 2017-08-07 00:48:36 PDT Ucode Ver: 1043.206
FWID 01-ef6eb4d3

Interestingly, this does not exactly match your dmesg message. In any case, this is obviously the one we should use. If it works. Which I have no idea about.

 

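As an added example (not code from this thread, nor from Armbian or Raspbian), a small POSIX shell script that does what the posts above do by hand: it pulls the embedded "Version:" line out of a brcmfmac43430-sdio.bin blob and compares it, and the file's md5, against the Raspbian Stretch values quoted in this thread. The sample blobs it builds and the "7.45.41.0 (r000000)" string are constructed placeholders, not real builds; the script only recognises the one fixed build quoted here and cannot judge any other build.

```shell
#!/bin/sh
# Added example, not code from the thread or from Armbian/Raspbian.
# Reference values quoted in the thread for the BroadPwn-fixed Raspbian Stretch blob.
FIXED_VERSION='7.45.41.46 (r666254 CY)'
FIXED_MD5='5f520a38ab4e943bfa1ba102f80fb2a0'

# Same information `strings` shows, without needing binutils: turn every
# non-printable byte into a line break, then keep the first "Version: x (y)" match.
fw_version() {
    tr -c '[:print:]' '\n' < "$1" | grep -o -m1 'Version: [^ ]* ([^)]*)' | sed 's/^Version: //'
}

fw_md5() { md5sum "$1" | cut -d' ' -f1; }

# Returns 0 when the blob is (or at least claims to be) the fixed build,
# 1 when it is anything else, 2 when the file cannot be read.
fw_check() {
    f="$1"
    [ -r "$f" ] || { echo "$f: not readable"; return 2; }
    v="$(fw_version "$f")"
    if [ "$(fw_md5 "$f")" = "$FIXED_MD5" ]; then
        echo "$f: byte-identical to the Raspbian Stretch fixed blob ($v)"
    elif [ "$v" = "$FIXED_VERSION" ]; then
        echo "$f: fixed version string present but md5 differs from Raspbian's"
    else
        echo "$f: version '${v:-<none>}' is not '$FIXED_VERSION' - treat as unpatched"
        return 1
    fi
}

# Constructed stand-in for a firmware blob: binary padding around a version line.
make_sample() {   # $1 = output path, $2 = version text
    printf '\001\002BRCM\001Version: %s CRC: 00000000 Date: constructed\001\002' "$2" > "$1"
}

if [ -n "${1:-}" ]; then
    fw_check "$1"   # e.g. ./fwcheck.sh /lib/firmware/brcm/brcmfmac43430-sdio.bin
else
    d="$(mktemp -d)"
    make_sample "$d/stretch.bin" "$FIXED_VERSION"
    make_sample "$d/old.bin" '7.45.41.0 (r000000)'   # constructed, not a real build id
    fw_check "$d/stretch.bin"
    fw_check "$d/old.bin" || true
    rm -rf "$d"
fi
```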