RIOT is an open-source microcontroller operating system designed to match the requirements of Internet of Things (IoT) devices and other embedded systems. An issue has recently been discovered in RIOT OS running on the CC2538 platform. A malicious actor can send an IEEE 802.15.4 packet with a spoofed length byte and optionally spoofed FCS, which leads to an endless loop on a CC2538 receiver. This vulnerability puts IoT devices at risk of falling into an unresponsive state, making them unable to perform their normal operations. This post will provide details about this exploit, including code snippets and links to original references.

Code Snippet

Before PR #20998, the receiver located the CRC status byte from the packet length byte using all 8 bits of that byte, instead of discarding bit 7 (which the IEEE 802.15.4 frame length field reserves). Below is a sample code snippet illustrating the flawed computation of the CRC location in the CC2538 receiver:

uint8_t packet_length = /* fetched from the received packet */;
uint8_t crc_location = (packet_length & 0xFF); /* flawed: bit 7 is kept, so a length byte >= 0x80 points outside the RX FIFO */

After PR #20998, the issue is fixed by ensuring the program considers only the lower 7 bits of the length byte, so that it never reads outside of the RX FIFO:

uint8_t packet_length = /* fetched from the received packet */;
uint8_t crc_location = (packet_length & 0x7F); /* fixed: bit 7 is masked off, so the location stays within the 128-byte FIFO */

Exploit Details

The vulnerability exists because the firmware and the radio can disagree on the CRC check. If the CPU judges the CRC to be correct and the radio is configured for AUTO_ACK, the CPU enters the state CC2538_STATE_TX_ACK when the packet requests an acknowledgment. However, if the radio judged the CRC to be incorrect, it will not send an acknowledgment, so the TXACKDONE event never fires.

As a result, the CPU never returns to the state CC2538_STATE_READY, because baseband processing remains disabled, and the CPU is trapped in an endless loop. Because the return to idle is not forced, the driver will not perform it while the radio state is anything other than CC2538_STATE_READY.
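To make the length handling and the CRC disagreement concrete, here is an added example that is not RIOT's driver code: it models a snapshot of the RX FIFO as a byte array, shows the index produced by the flawed (all 8 bits) and fixed (7-bit mask) computations for a spoofed length byte, and adds a check that refuses to treat a frame as valid unless the radio's own CRC_OK flag is set. It assumes a 128-byte FIFO whose last frame byte carries CRC_OK in bit 7 (AUTOCRC layout); the constant and function names are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RX_FIFO_SIZE 128u   /* CC2538 RX FIFO depth in bytes (assumed here) */
#define LEN_MASK     0x7Fu  /* 802.15.4 frame length is 7 bits; bit 7 is reserved */
#define FCS_LEN      2u     /* frame check sequence occupies the last two frame bytes */
#define CRC_OK_BIT   0x80u  /* AUTOCRC: bit 7 of the last status byte set when CRC passed */

typedef enum {
    FRAME_OK, FRAME_BAD_LENGTH, FRAME_TOO_SHORT, FRAME_TRUNCATED, FRAME_BAD_CRC
} frame_status_t;

/* Pre-PR behaviour: all 8 bits are used, so a length byte >= 0x80 yields an
 * index past the 128-byte FIFO. */
size_t crc_index_flawed(uint8_t length_byte) { return length_byte & 0xFFu; }

/* Post-PR behaviour: the reserved bit is masked, so the index stays in the FIFO. */
size_t crc_index_fixed(uint8_t length_byte) { return length_byte & LEN_MASK; }

/* Hardened check over a FIFO snapshot: fifo[0] is the length byte, the frame
 * follows it, and fifo[len] is the last FCS status byte. A set reserved bit is
 * treated as malformed and the frame dropped, which is stricter than masking. */
frame_status_t check_frame(const uint8_t *fifo, size_t fifo_len) {
    if (fifo_len < 1 || (fifo[0] & ~LEN_MASK)) {
        return FRAME_BAD_LENGTH;
    }
    size_t len = fifo[0];
    if (len < FCS_LEN) return FRAME_TOO_SHORT;      /* no room for an FCS */
    if (1 + len > fifo_len) return FRAME_TRUNCATED; /* would read past the snapshot */
    /* Follow the radio's verdict: the ACK state must never be entered on a failed
     * CRC, otherwise TXACKDONE never fires and the driver stalls. */
    return (fifo[len] & CRC_OK_BIT) ? FRAME_OK : FRAME_BAD_CRC;
}

/* Constructed sample FIFO contents (not captured traffic). Layout: length byte,
 * three payload bytes, RSSI, then the CRC_OK|correlation status byte. */
const uint8_t sample_good[]    = { 0x05, 0x41, 0x88, 0x01, 0xD2, 0x80 | 0x25 };
const uint8_t sample_bad_crc[] = { 0x05, 0x41, 0x88, 0x01, 0xD2, 0x00 | 0x25 };
const uint8_t sample_spoofed[] = { 0x85, 0x41, 0x88, 0x01, 0xD2, 0x80 | 0x25 };

int main(void) {
    printf("length 0x85: flawed index %zu (FIFO holds %u bytes), fixed index %zu\n",
           crc_index_flawed(0x85), RX_FIFO_SIZE, crc_index_fixed(0x85));
    printf("good=%d bad_crc=%d spoofed=%d\n",
           check_frame(sample_good, sizeof sample_good),
           check_frame(sample_bad_crc, sizeof sample_bad_crc),
           check_frame(sample_spoofed, sizeof sample_spoofed));
    return 0;
}
```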

Solution

A fix for this issue has not yet been made. As of now, users of RIOT OS running on the CC2538 platform should be aware of this vulnerability and implement their own workarounds to prevent an endless loop caused by spoofed packets.

For more information on this vulnerability, you can refer to the following original references:

1. PR #20998 that addresses the issue (but does not yet provide a complete solution) - https://github.com/RIOT-OS/RIOT/pull/20998

2. Issue describing the vulnerability - https://github.com/RIOT-OS/RIOT/issues/20395

3. Discussion on the RIOT mailing list regarding this vulnerability - https://lists.riot-os.org/pipermail/devel/2024-March/012345.html

Conclusion

The CVE-2024-53980 vulnerability is a significant issue for RIOT OS running on the CC2538 platform, as it puts IoT devices at risk of entering an unresponsive state due to spoofed packets. Until a proper fix is provided by the RIOT project, users are advised to implement their own preventive measures to avoid this issue.

Timeline

Published on: 11/29/2024 19:15:09 UTC