WiFi firmware bug affects laptops, smartphones, routers, gaming devices

List of impacted devices includes PS4, Xbox One, Samsung Chromebooks, and Microsoft Surface devices.


Details have been published today about a vulnerability affecting the firmware of a popular WiFi chipset deployed in a wide range of devices, such as laptops, smartphones, gaming rigs, routers, and Internet of Things (IoT) devices.

Discovered by Embedi researcher Denis Selianin, the vulnerability impacts the firmware of Marvell Avastar 88W8897, one of the most popular WiFi chipsets on the market, currently deployed with devices such as Sony PlayStation 4, Xbox One, Microsoft Surface laptops, Samsung Chromebooks, Samsung Galaxy J1 smartphones, and Valve SteamLink cast devices, just to name a few.

In a report published today, Selianin described how someone could exploit the Avastar firmware (based on a custom implementation of the ThreadX real-time operating system) to execute malicious code without any user interaction.

"I've managed to identify ~4 total memory corruption issues in some parts of the firmware," said Selianin. "One of the discovered vulnerabilities was a special case of ThreadX block pool overflow. This vulnerability can be triggered without user interaction during the scanning for available networks."

The researcher says the firmware function to scan for new WiFi networks launches automatically every five minutes, making exploitation trivial. All an attacker has to do is send malformed WiFi packets to any device with a Marvell Avastar WiFi chipset and wait until the function launches, to execute malicious code and take over the device.

"That's why this bug is so cool and provides an opportunity to exploit devices literally with zero-click interaction at any state of wireless connection (even when a device isn't connected to any network)," Selianin said.

Furthermore, the researcher says he also identified two methods of exploiting this vulnerability: one that is specific to Marvell's own firmware implementation running on top of the ThreadX RTOS, and one that is generic and could be applied to other devices running firmware based on the ThreadX RTOS.

Selianin's report contains the technical details on exploiting the vulnerability and a demo video (embedded below). Proof-of-concept code has not been released, for obvious reasons. Patches are in the works [UPDATE: Patches have been released, check update at the end of the article].

The article's text has been updated on January 22 to highlight that the security issue resides solely in Avastar's own implementation running on top of the ThreadX RTOS, and not ThreadX itself. The update was made based on an official statement received by ZDNet from Express Logic, the company behind the ThreadX RTOS. The most relevant part of the statement has been embedded below, for the clarity and transparency of our reporting:

After analyzing the report and media statements regarding the ThreadX-related aspect, we consulted with the author of the initial security analysis who suggested that some of the media reports may have misunderstood the angle and that the security issues described in the original article were not rooted in ThreadX itself. The bottom line is that this vulnerability is not a systemic problem in the ThreadX RTOS. The application firmware and drivers running on the Avastar 88W8897 SoC are solely responsible for and have complete control over the memory corruption cited in this report. In fact, the problem as described could occur on any RTOS, OS, or even without an RTOS. In summary, the vulnerability cited by the author lies with the application firmware, and has absolutely nothing to do with the ThreadX RTOS itself. Hence, none of the extensive 6.2 billion deployments using the ThreadX RTOS are in any way compromised by the ThreadX RTOS code or behavior. This is entirely an application firmware issue.

In a statement sent to ZDNet on January 26, Marvell said it started rolling out a fix for the vulnerability discovered and reported by the Embedi team. The statement, in full, is available here.
