Attackers can exploit this vulnerability by sending malicious upgrade requests via HTTP POST requests. An attacker can send upgrade requests to the following URL and get upgrade responses with the attacker’s signed keys: /upgrade/?signKey=<malicious key>&OTA_Decrypt_Key=<malicious key>&bootLoaderId=<malicious bootloader id> where <malicious key> and <malicious bootloader id> are the keys for signing and encrypting the OTA.

An attacker can also send malicious upgrade requests via HTTP POST requests to the following URL: /upgrade/?signKey=<malicious key>&OTA_Decrypt_Key=<malicious key>&bootLoaderId=<malicious bootloader id>&url=<URL of target app> where <URL of target app> is the URL of an application that is vulnerable to this vulnerability. In the above examples, <malicious key> and <malicious bootloader id> are the keys for signing and encrypting the OTA.

An attacker can also send upgrade requests to the following URL: /upgrade/?signKey=<malicious key>&OTA_Decrypt_Key=<malicious key>&bootLoaderId=<malicious bootloader id>&url=<URL of target app>&appPackage=<malicious app package> where <URL of target app> is the URL of an application that is vulnerable to

Attackers can exploit this vulnerability by sending upgrade requests to the following URL: /upgrade/?signKey=<malicious key>&OTA_Decrypt_Key=<malicious key>&bootLoaderId=<malicious bootloader id>&url=<URL of target app> where <URL of target app> is the URL of an application that is vulnerable to this vulnerability. In the above examples, <malicious key> and <malicious bootloader id> are the keys for signing and encrypting the OTA.

An attacker can also send upgrade requests to the following URL: /upgrade/?signKey=<malicious key>&OTA_Decrypt_Key=<malicious key>&bootLoaderId=<malicious bootloader id>&url=<URL of target app>&appPackage=<malicious app package> where <URL of target app> is the URL of an application that is vulnerable to this vulnerability.

Vulnerability details

On July 29, 2017, a vulnerability was found that allows attackers to upgrade applications without the user's consent. An attacker can exploit this vulnerability by sending malicious upgrade requests via HTTP POST requests to the following URL: /upgrade/?signKey=<malicious key>&OTA_Decrypt_Key=<malicious key>&bootLoaderId=<malicious bootloader id>&url=<URL of target app> where <URL of target app> is the URL of an application that is vulnerable to this vulnerability.
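
For defenders, the request shape described above can be searched for in web server logs. The following is an added example, not code from the advisory or the affected product: it assumes Apache/nginx "combined" access logs, and the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Parameter names as they appear in the advisory text; compared lower-cased.
KEY_PARAMS = {"signkey", "ota_decrypt_key", "bootloaderid"}
EXTRA_PARAMS = {"url", "apppackage"}

# Assumption: Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def inspect_line(line):
    """Return a finding if a request to /upgrade/ carries caller-supplied key parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line: not a finding
    parts = urlsplit(m["target"])
    if parts.path.rstrip("/").lower() != "/upgrade":
        return None
    # parse_qs percent-decodes parameter names, so encoded names are matched too.
    names = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    keys = sorted(names & KEY_PARAMS)
    if not keys:
        return None
    return {"ip": m["ip"], "method": m["method"], "status": int(m["status"]),
            "key_params": keys, "extra_params": sorted(names & EXTRA_PARAMS)}

def scan(lines):
    """Collect findings for every matching log line."""
    return [f for f in map(inspect_line, lines) if f]

# Constructed sample log lines (documentation IP ranges, placeholder values).
SAMPLE_LOG = [
    '198.51.100.7 - - [02/Nov/2022:18:15:00 +0000] "POST /upgrade/?signKey=AAAA'
    '&OTA_Decrypt_Key=BBBB&bootLoaderId=CCCC HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [02/Nov/2022:18:15:04 +0000] "POST /upgrade/?signKe%79=AAAA'
    '&bootLoaderId=CCCC&url=http%3A%2F%2Fapp.example%2F&appPackage=pkg HTTP/1.1" 200 640 "-" "-"',
    '203.0.113.20 - - [02/Nov/2022:18:16:10 +0000] "GET /upgrade/?version=1.2 HTTP/1.1" 200 128 "-" "-"',
    '203.0.113.20 - - [02/Nov/2022:18:16:12 +0000] "GET /index.html?signKey=x HTTP/1.1" 200 128 "-" "-"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A 2xx status on a flagged line means the server accepted the request, so those entries are the ones to triage first.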

Timeline

Published on: 11/02/2022 18:15:00 UTC
Last modified on: 11/03/2022 16:41:00 UTC

References