TID-213: Faulty FW/SW Update Integrity Verification
Threat Description
To avoid the weaknesses of a shared secret verification (see TID-212), devices may utilize a digital signature verification scheme based on asymmetric public key cryptography. However, if the device does not correctly verify a firmware/software signature correctly, a threat actor can bypass the device’s authenticity checking mechanisms to upload malicious or corrupt version. The unauthorized firmware could “brick” the device, preventing it from being reset. This could also be used to install malicious logic on the device.
NOTE: firmware/software signature here refers to processes that use cryptographic keys to verify firmware integrity and origin. These can include keyed hashes and/or asymmetric key signing. This does not include encrypting firmware with no other integrity verification mechanisms in-place.
Threat Maturity and Evidence
Known Exploitable Weakness
KEV - CVE-2023-41991
“Apple iOS, iPadOS, macOS, and watchOS contain an improper certificate validation vulnerability that can allow a malicious app to bypass signature validation.”
CWE
CWE-347: Improper Verification of Cryptographic Signature
“The product does not verify, or incorrectly verifies, the cryptographic signature for data.”
CVE
CVE-2021-43394
“STMicroelectronics STSAFE-J 1.1.4, J-SAFE3 1.2.5, and J-SIGN sometimes allow attackers to abuse signature verification. This is associated with the ECDSA signature algorithm on the Java Card J-SAFE3 and STSAFE-J platforms exposing a 3.0.4 Java Card API…”
CVE-2023-33768
“Incorrect signature verification of the firmware during the Device Firmware Update process of Belkin Wemo Smart Plug WSP080 v1.2 allows attackers to cause a Denial of Service (DoS) via a crafted firmware file.”
Cisco IOS XE Software Digital Signature Verification Bypass Vulnerability - CVE-2020-3209
“A vulnerability in software image verification in Cisco IOS XE Software could allow an unauthenticated, physical attacker to install and boot a malicious software image or execute unsigned binaries on an affected device. The vulnerability is due to an improper check on the area of code that manages the verification of the digital signatures of system image files during the initial boot process. An attacker could exploit this vulnerability by loading unsigned software on an affected device. A successful exploit could allow the attacker to install and boot a malicious software image or execute unsigned binaries on the targeted device.”
CVE-2023-41991
“A certificate validation issue was addressed. This issue is fixed in macOS Ventura 13.6, iOS 16.7 and iPadOS 16.7. A malicious app may be able to bypass signature validation. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7.”