CVE-2022-22819 is a vulnerability in the NXP LPC55S66JBD64, LPC55S66JBD100, LPC55S66JEV98, LPC55S69JBD64, LPC55S69JBD100, and LPC55S69JEV98 microcontrollers (ROM version 1B). It is a buffer overflow in the ROM's parsing of SB2 updates that is reached before the update's signature is verified, so an attacker who can deliver a crafted, unsigned update gains non-persistent code execution on the device. In this post, we go through the details of the vulnerability, including a code snippet, the original references, and what an exploit looks like.

Vulnerability Details

The issue lies in how the ROM bootloader on these parts parses an SB2 update: the parser acts on fields taken from the update before it has checked the update's signature. Because those fields are still untrusted at that point, a malformed update can trigger a buffer overflow, and an attacker can use it to run non-persistent code on the microcontroller from an update that was never signed.

This matters most on devices that have been locked down, where secure boot is supposed to guarantee that only authenticated updates are ever applied. A signature check only protects what happens after it runs; since the overflow is reachable before the check, the signing key offers no protection against this bug, which makes the parser an attractive target.

Code Snippet

To illustrate the vulnerability, consider the following pseudo-code snippet, which stands in for the SB2 parsing step (it is an illustration of the pattern, not NXP's ROM source):

#include <string.h>

/* Pseudo-code. read_length_field() is a hypothetical helper standing in for
 * whatever reads a section length out of the (not yet verified) update. */
void parse_sb2_update(unsigned char *update_data, unsigned int update_size) {
    unsigned int parsed_size = 0;
    unsigned char buffer[64];

    while (parsed_size < update_size) {
        /* length comes straight from the update, i.e. from the attacker */
        unsigned int chunk_len = read_length_field(update_data + parsed_size);
        memcpy(buffer, update_data + parsed_size, chunk_len); /* no check that chunk_len <= sizeof(buffer): buffer overflow */
        // ...
        parsed_size += chunk_len;
    }
    // ...
}

In the snippet above, parse_sb2_update walks the update section by section, copying each one into a 64-byte local buffer using a length read from the update itself. Nothing checks that this length fits the buffer (or that it stays within update_size), so a length larger than 64 writes past the end of the stack buffer. Since all of this happens before the signature is verified, the attacker controls the length field freely, and an overflow of a stack buffer in the ROM is exactly the kind of memory corruption that can be turned into code execution.

Exploit

To exploit this vulnerability, an attacker who can deliver an update to the ROM bootloader crafts a malicious, unsigned SB2 update with an oversized length field and a carefully constructed payload. Because the signature is never consulted before the copy, the crafted update overflows the buffer and lets the attacker redirect execution on the targeted microcontroller.
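The following C program is an added illustration of the pattern discussed above and of how a crafted update triggers it; it is not code from the original post or from NXP's ROM. It uses a hypothetical "UPDT" container (magic, little-endian section length, payload) rather than the real SB2 layout, builds a constructed unsigned update whose header claims more bytes than the 64-byte section buffer can hold, runs it through a vulnerable parser that trusts the header, and then through a hardened parser that bounds every length before copying. The frame struct is a stand-in for the ROM's stack so the overrun can be observed without crashing the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/*
 * Hypothetical update container (illustration only, NOT the real SB2 format).
 * It reproduces the pattern the CVE describes: a length field from an
 * unauthenticated update drives a copy into a fixed-size buffer.
 *
 *   bytes 0..3   magic "UPDT"
 *   bytes 4..7   little-endian length of the section payload
 *   bytes 8..    section payload
 */
#define HDR_LEN      8u
#define SECTION_BUF  64u

enum parse_result { PARSE_OK = 0, PARSE_BAD_MAGIC, PARSE_TRUNCATED, PARSE_TOO_LONG };

/* Stand-in for the bootloader's stack frame: the section buffer followed by
 * whatever sits above it (on a real target, saved registers and the return
 * address). The guard is pre-filled so corruption is observable. */
struct frame {
    uint8_t buffer[SECTION_BUF];
    uint8_t guard[SECTION_BUF];
};

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Vulnerable pattern: trusts the header length before any signature check and
 * copies exactly what the header says. Here the overrun lands in f->guard; on
 * the device it lands wherever the stack continues. */
uint32_t parse_section_vulnerable(struct frame *f, const uint8_t *upd, size_t upd_len) {
    (void)upd_len;                              /* never consulted: that is the bug */
    uint32_t declared = rd_le32(upd + 4);
    memcpy(f->buffer, upd + HDR_LEN, declared); /* overflows when declared > 64 */
    return declared;
}

/* Hardened form: the length is checked against the destination capacity and
 * against the bytes actually received before a single byte is copied. */
enum parse_result parse_section_safe(const uint8_t *upd, size_t upd_len,
                                     uint8_t out[SECTION_BUF], size_t *out_len) {
    if (upd_len < HDR_LEN) return PARSE_TRUNCATED;
    if (memcmp(upd, "UPDT", 4) != 0) return PARSE_BAD_MAGIC;
    uint32_t declared = rd_le32(upd + 4);
    if (declared > SECTION_BUF) return PARSE_TOO_LONG;        /* destination bound */
    if (declared > upd_len - HDR_LEN) return PARSE_TRUNCATED; /* source bound */
    memcpy(out, upd + HDR_LEN, declared);
    *out_len = declared;
    return PARSE_OK;
}

/* Builds a constructed, unsigned update whose header claims `declared` bytes
 * while `payload` bytes of 'A' are actually present. Returns the total size,
 * or 0 if the caller's buffer is too small. */
size_t build_update(uint8_t *buf, size_t cap, uint32_t declared, size_t payload) {
    if (cap < HDR_LEN + payload) return 0;
    memcpy(buf, "UPDT", 4);
    wr_le32(buf + 4, declared);
    memset(buf + HDR_LEN, 'A', payload);
    return HDR_LEN + payload;
}

/* Feeds an 80-byte section (16 more than the buffer holds) to the vulnerable
 * parser and reports how many guard bytes were clobbered (0 = no overflow). */
size_t demo_overflow_into_guard(void) {
    uint8_t upd[HDR_LEN + 80];
    size_t n = build_update(upd, sizeof upd, 80, 80);
    struct frame f;
    memset(&f, 0xAA, sizeof f);
    parse_section_vulnerable(&f, upd, n);
    size_t clobbered = 0;
    for (size_t i = 0; i < SECTION_BUF; i++) clobbered += (f.guard[i] != 0xAA);
    return clobbered;
}

int main(void) {
    uint8_t upd[HDR_LEN + 80], out[SECTION_BUF];
    size_t out_len = 0;
    size_t n = build_update(upd, sizeof upd, 80, 80);
    printf("guard bytes overwritten by the vulnerable parser: %zu\n", demo_overflow_into_guard());
    printf("hardened parser result for the same update: %d (PARSE_TOO_LONG = %d)\n",
           parse_section_safe(upd, n, out, &out_len), PARSE_TOO_LONG);
    return 0;
}
```

The two checks in parse_section_safe are the whole fix: one bounds the copy by the destination, the other by the input actually received, and both run before memcpy. On a real device the length field should additionally only be trusted after the signature covering it has been verified; the bounds checks are what protect the parser when it has to touch data before that point.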

Note that the code execution is non-persistent: the attacker's code does not survive a reset, because nothing malicious is written to flash. That does not make it harmless. The code runs inside the ROM bootloader before secure boot has verified anything, and an attacker with repeated access to the update path can simply re-run the exploit on every boot. Where the microcontroller controls critical functions, or is one node in a larger system such as an IoT product, a vehicle, or an industrial control installation, this can still cause significant damage.

References

- NXP LPC55S6x Microcontrollers: https://www.nxp.com/design/microcontrollers-developer-resources/lpc-microcontroller-sdk:lpc55s6x
- Original NXP Security Advisory: https://www.nxp.com/docs/en/supporting-information/NXPSB-2..2.pdf
- CVE-2022-22819 Details: https://nvd.nist.gov/vuln/detail/CVE-2022-22819

Mitigation

There is currently no direct fix for CVE-2022-22819. The vulnerable parser lives in the bootloader ROM (ROM version 1B), which cannot be patched in the field, so the affected silicon stays vulnerable for its lifetime. NXP's security advisory (linked above) provides mitigation guidance. Because the bug is only reachable by feeding an update to the ROM bootloader, the practical question for any deployment is who can do that: restrict the interfaces through which updates reach the device and treat the ROM update path as an attack surface. Users should weigh this against their threat model and the risks of continued use of the affected parts.

Conclusion

CVE-2022-22819 is a significant vulnerability in the affected NXP LPC55S6x microcontrollers: a memory-safety bug in code that runs before signature verification undermines the guarantee secure boot is meant to give. Understanding where these parts sit in your systems and who can reach their update path is essential. Users should follow updates from NXP and the industry on this vulnerability and apply the mitigations from the security advisory to protect their systems.

Timeline

Published on: 03/23/2022 22:15:00 UTC
Last modified on: 04/15/2022 18:16:00 UTC