Technical Advisory: Sonos Era 100 Secure Boot Bypass Through Unchecked setenv() call
Vendor: Sonos
Vendor URL: https://www.sonos.com/
Versions affected:
* Confirmed 73.0-42060
Systems Affected: Sonos Era 100
Author: Ilya Zhuravlev
Advisory URL: Not provided by Sonos. Sonos state an update was released on 2023-11-15 which remediated the issue.
CVE Identifier: N/A
Risk: High
Summary
Sonos Era 100 is a smart speaker released in 2023. A vulnerability exists in the U-Boot component of the firmware which would allow for persistent arbitrary code execution with Linux kernel privileges. This vulnerability could be exploited either by an attacker with physical access to the device, or by obtaining write access to the flash memory through a separate runtime vulnerability.
Impact
An unsigned attacker-controlled rootfs may be loaded by the Linux kernel. This achieves a persistent bypass of the secure boot mechanism, providing early code execution within the Linux userspace under the /init process as the “root” user. It can be further escalated into kernel-mode arbitrary code execution by loading a custom kernel module.
Details
The implementation of the custom “sonosboot” command loads the kernel image, performs the signature check, and then passes execution to the built-in U-Boot “bootm” command. Since “bootm” uses the “bootargs” environment variable as Linux kernel arguments, the “sonosboot” command initializes it with a call to `setenv`:
setenv(“bootargs”,(char *)kernel_cmdline);
However, the return result of `setenv` is not checked. If this call fails, “bootargs” will keep its previous value and “bootm” will pass it to the Linux kernel.
On the Sonos Era 100 the U-Boot environment is loaded from the eMMC from address 0x500000. Whilst the factory image does not contain a valid U-Boot environment there, and we can confirm it through the presence of the “*** Warning – bad CRC, using default environment” warning message displayed on UART, it is possible to place a valid environment by directly writing to the eMMC with a hardware programmer.
There is a feature in U-Boot that allows setting environment variables as read-only. For example, setting “bootargs=something” and then “.flags=bootargs:sr” would make any future writes to “bootargs” fail. Thus, the Linux kernel will boot with an attacker-controlled “bootargs“.
As a result, it is possible to fully control the Linux kernel command line. From there, an adversary could append the “initrd=0xADDR,0xSIZE” option to load their own initramfs, overwriting the one embedded in the image.
By replacing the “/init” process it is then possible to obtain early persistent code execution on the device.
Recommendation
- Consider setting
CONFIG_ENV_IS_NOWHEREto disable loading of a U-boot environment from the flash memory. - Validate the return value of setenv and abort the boot process if the call fails.
Vendor Communication
| Date | Communication |
|---|---|
| 2023-09-04 | Issue reported to vendor. |
| 2023-09-07 | Sonos has triaged report and is investigating. |
| 2023-11-29 | NCC queries Sonos for expected patch date. |
| 2023-11-29 | Sonos informs NCC that they already shipped a patch on the 15th Nov. |
| 2023-11-30 | NCC queries why there are no release notes, CVE, or credit for the issues. |
| 2023-12-01 | NCC informs Sonos that technical details will be published the w/c 4th Dec. |
| 2023-12-04 | NCC publishes blog and advisory. |
Thanks to
Alex Plaskett (@alexjplaskett)
About NCC Group
NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.
Written by: Ilya Zhuravlev