Marvell Avastar 88W8897 wireless chipset has bugs that let an attacker execute malicious code without any user interaction

According to a report released by Embedi researcher Denis Selianin, the firmware of the Marvell Avastar 88W8897 wireless chipset contains security vulnerabilities that expose billions of laptops, smartphones, gaming devices, routers and IoT devices using the chip.

In the report, Selianin describes how to execute malicious code on the ThreadX-based firmware of the 88W8897 wireless chipset without any user interaction. ThreadX is a real-time operating system (RTOS) on which the firmware of billions of devices is built.

Selianin said: “I’ve managed to identify ~4 total memory corruption issues in some parts of the firmware. One of the discovered vulnerabilities was a special case of ThreadX block pool overflow. This vulnerability can be triggered without user interaction during the scanning for available networks. This procedure is launched every 5 minutes regardless of a device being connected to some Wi-Fi network or not. That’s why this bug is so cool and provides an opportunity to exploit devices literally with zero-click interaction at any state of wireless connection (even when a device isn’t connected to any network). For example, one can do RCE in just powered-on Samsung Chromebook. So just to summarize:

  1. It doesn’t require any user interaction.
  2. It can be triggered every 5 minutes in case of GNU/Linux operating system.
  3. It doesn’t require the knowledge of a Wi-Fi network name or passphrase/key.
  4. It can be triggered even when a device isn’t connected to any Wi-Fi network, just powered on.”
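To make concrete what a "ThreadX block pool overflow" hands an attacker, here is an added example; it is not code from Selianin's report, from Marvell's firmware or from ThreadX itself. It models the publicly documented ThreadX block pool layout, in which each block is preceded by a pointer-sized header that holds the next free block while the block is free and the owning pool once it is allocated, and then shows a constructed, length-trusting copy of a scan result overflowing one block into the header of the next free block. The record format, the function names, the `fake_target` buffer that stands in for an attacker-chosen address and the block sizes are all assumptions made for illustration; nothing here reproduces the specific bug in the 88W8897 firmware, whose parsing details are not on this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a ThreadX-style block pool (illustration only; not Marvell firmware
 * or ThreadX source). As in ThreadX's tx_block_allocate, each block is preceded by
 * one pointer-sized header: the next free block while free, the owning pool once allocated. */
#define BLOCK_SIZE 32u
#define NUM_BLOCKS 4u
#define HDR        sizeof(void *)
typedef struct block_pool {
    uint8_t *available_list;                      /* head of the free list */
    uint8_t  memory[NUM_BLOCKS * (HDR + BLOCK_SIZE)];
} block_pool_t;

static void pool_create(block_pool_t *pool)
{
    uint8_t *cur = pool->memory;
    for (unsigned i = 0; i < NUM_BLOCKS; i++) {
        uint8_t *next = (i + 1 < NUM_BLOCKS) ? cur + HDR + BLOCK_SIZE : NULL;
        memcpy(cur, &next, HDR);                  /* free block: header = next free block */
        cur += HDR + BLOCK_SIZE;
    }
    pool->available_list = pool->memory;
}

/* Hands out the first free block, trusting its header blindly; that trust is
 * what an overflow into the header of a free block abuses. */
static uint8_t *pool_allocate(block_pool_t *pool)
{
    uint8_t *work = pool->available_list, *next;
    if (work == NULL) return NULL;
    memcpy(&next, work, HDR);                     /* unlink from the free list */
    pool->available_list = next;
    block_pool_t *owner = pool;
    memcpy(work, &owner, HDR);                    /* allocated block: header = pool */
    return work + HDR;
}

/* Constructed over-the-air record with an attacker-controlled length field.
 * Hypothetical layout for this demo, not the Marvell scan-result format. */
typedef struct { uint8_t len; uint8_t data[255]; } scan_result_t;
/* Vulnerable: copies as many bytes as the frame claims into a BLOCK_SIZE block. */
static void store_scan_result_vuln(uint8_t *block, const scan_result_t *r)
{
    memcpy(block, r->data, r->len);
}
/* Hardened: refuses anything that would not fit in the block. */
static int store_scan_result_fixed(uint8_t *block, const scan_result_t *r)
{
    if (r->len > BLOCK_SIZE) return -1;           /* reject rather than silently truncate */
    memcpy(block, r->data, r->len);
    return 0;
}

static uint8_t fake_target[HDR + BLOCK_SIZE];     /* stands in for any attacker-chosen address */
/* Record that fills block 0 and overwrites the header of the still-free block 1. */
static void build_overflow_record(scan_result_t *r)
{
    uint8_t *fake = fake_target;
    memset(r, 'A', sizeof *r);
    r->len = (uint8_t)(BLOCK_SIZE + HDR);
    memcpy(r->data + BLOCK_SIZE, &fake, HDR);     /* block 1 header := &fake_target */
}

/* Returns 1 when the overflow makes the third allocation come from fake_target. */
int demo_block_pool_overflow(void)
{
    block_pool_t pool;
    scan_result_t r;
    pool_create(&pool);
    uint8_t *victim = pool_allocate(&pool);        /* block 0; block 1 is still free */
    build_overflow_record(&r);
    store_scan_result_vuln(victim, &r);            /* spills into block 1's header */
    uint8_t *b1 = pool_allocate(&pool);            /* block 1; free list is now fake_target */
    uint8_t *b2 = pool_allocate(&pool);            /* "block" carved out of fake_target */
    return b1 == victim + BLOCK_SIZE + HDR && b2 == fake_target + HDR;
}

/* Returns 1 when the bounds check rejects the record and the free list stays intact. */
int demo_bounds_check(void)
{
    block_pool_t pool;
    scan_result_t r;
    pool_create(&pool);
    uint8_t *victim = pool_allocate(&pool);
    build_overflow_record(&r);
    int rc = store_scan_result_fixed(victim, &r);
    uint8_t *b1 = pool_allocate(&pool), *b2 = pool_allocate(&pool);
    return rc == -1 && b1 == victim + BLOCK_SIZE + HDR && b2 == b1 + BLOCK_SIZE + HDR;
}

int main(void)
{
    printf("overflow redirected the allocator: %d\n", demo_block_pool_overflow());
    printf("bounds check stopped it: %d\n", demo_bounds_check());
    return 0;
}
```

Two things fall out of the overflowed run. First, the allocator itself writes the pool address into `fake_target` when it "allocates" from there, a small write of a fixed value to an attacker-chosen location. Second, it then hands `fake_target + HDR` back to the caller as a normal block, so whatever the firmware stores next (more attacker-supplied scan data, in the scenario the report describes) lands wherever the attacker pointed the corrupted header. That is the generic primitive a ThreadX block pool overflow yields; which firmware structures the report's "special case" overwrote is not stated on this page. The hardened copy keeps the free list intact because it refuses the oversized record before any byte is written.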