
Topaz switch on Espressobin has insecure default configuration #18

Open
pali opened this issue Dec 27, 2018 · 4 comments

@pali

pali commented Dec 27, 2018

When U-Boot is starting it enables packet forwarding between WAN and LAN ports on Espressobin. After U-Boot boots the Linux kernel, Linux disables forwarding between WAN and LAN.

This is insecure and for a router configuration it does not make any sense. Basically it leaks e.g. DHCP broadcast packets, or even worse it leaks IPv6 router advertisement packets from LAN to WAN, in the time period after powering Espressobin up and before the Linux kernel is booted.

Please change the default configuration of U-Boot so that forwarding between WAN and LAN is disabled by default.

See also this thread: http://espressobin.net/forums/topic/boot-behavior-of-the-switch-and-security/

@erdoukki

erdoukki commented Feb 1, 2019

+1

@dedrozeba

+2

@pali

pali commented May 9, 2020

It looks like that forum thread was removed, but it is still present in the web archive:
https://web.archive.org/web/20191101001443/http://espressobin.net/forums/topic/boot-behavior-of-the-switch-and-security/

trini pushed a commit to trini/u-boot that referenced this issue Aug 31, 2020
…lan ports

By default Topaz switch on Espressobin board forwards packets between all
ethernet ports, including CPU (port 0), wan (port 1) and lan (ports 2,3).

This default U-Boot setup is unsuitable for using Espressobin as a router as
it opens a security hole by forwarding all packets between wan and lan ports.
E.g. dhcp packets from the wan network leak to the lan network during the small
time window until U-Boot boots the Linux kernel, which loads network drivers
which disallow forwarding between wan and lan.

This patch fixes the above problem. For the Espressobin board, prior to putting
the Topaz switch into forwarding mode, the Topaz switch is reconfigured to allow
forwarding packets from wan and lan ports only to the CPU port. This ensures
that packets from the wan port are not forwarded to lan ports and vice versa.
Packets from the CPU port are still forwarded to all other ports, so U-Boot
network boot works with any ethernet port as before.

This problem was already discussed on the Espressobin forum [1] and on
Marvell's github issue tracker [2]. As a workaround, people on the Espressobin
forum patched U-Boot to completely disable lan ports on the Topaz switch, which
prevented forwarding packets. That workaround had an issue that U-Boot was
unable to netboot via lan ports anymore. The change in this patch does not have
such an issue.

This security issue has been discussed here as well: [3].

[1] - https://web.archive.org/web/20191231164238/http://espressobin.net/forums/topic/boot-behavior-of-the-switch-and-security/
[2] - MarvellEmbeddedProcessors/u-boot-marvell#18
[3] - https://forum.armbian.com/topic/12635-espressobin-uboot-security-concerns-switch-init-portmask/

Signed-off-by: Pali Rohár <[email protected]>
Reviewed-by: Stefan Roese <[email protected]>
Tested-by: Andre Heider <[email protected]>
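Added example, not code from this issue, from the U-Boot driver, or from the commit referenced above: a small C model of the per-port egress mask that pali's report and the commit message describe (port 0 = CPU, port 1 = wan, ports 2 and 3 = lan, as in the commit message). It builds the insecure default (every port forwards to every other port) beside the hardened configuration (wan and lan forward only to the CPU port; the CPU port forwards to all), then runs the two checks a reviewer of the fix would want: no frame can cross between two non-CPU ports without passing the CPU, and the CPU port still reaches every port so netboot keeps working. The mask array, function names and bit layout are this example's own assumptions and are not the Topaz register format.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Port numbering from the commit message; everything else here is a model. */
#define NPORTS    4
#define PORT_CPU  0   /* port 0: SoC (CPU) port */
#define PORT_WAN  1   /* port 1: wan */
#define PORT_LAN0 2   /* port 2: lan */
#define PORT_LAN1 3   /* port 3: lan */

#define ALL_PORTS ((1u << NPORTS) - 1u)

/* map[p] is the bitmask of ports a frame ingressing on port p may egress on.
 * This is an assumed abstraction of a port-based VLAN map, not a real register. */
struct vlan_map {
    uint8_t map[NPORTS];
};

/* Insecure default described in the issue: every port forwards to every other port. */
struct vlan_map default_map(void)
{
    struct vlan_map m;
    for (int p = 0; p < NPORTS; p++)
        m.map[p] = (uint8_t)(ALL_PORTS & ~(1u << p));   /* all ports except itself */
    return m;
}

/* Hardened configuration from the commit message: wan and lan egress only to the
 * CPU port; the CPU port still egresses to every other port (netboot keeps working). */
struct vlan_map hardened_map(void)
{
    struct vlan_map m;
    for (int p = 0; p < NPORTS; p++) {
        if (p == PORT_CPU)
            m.map[p] = (uint8_t)(ALL_PORTS & ~(1u << PORT_CPU));
        else
            m.map[p] = (uint8_t)(1u << PORT_CPU);
    }
    return m;
}

bool can_forward(const struct vlan_map *m, int from, int to)
{
    return (m->map[from] >> to) & 1u;
}

/* Counts ingress->egress pairs between two different non-CPU ports.
 * Each such pair is a path that bypasses the CPU, i.e. exactly the leak
 * (DHCP, IPv6 RA) the issue reports. Zero means wan/lan isolation holds. */
int count_bypass_paths(const struct vlan_map *m)
{
    int n = 0;
    for (int a = 1; a < NPORTS; a++)
        for (int b = 1; b < NPORTS; b++)
            if (a != b && can_forward(m, a, b))
                n++;
    return n;
}

/* Netboot property the commit wants preserved: the CPU port reaches every
 * port and every port reaches the CPU port. */
bool cpu_reaches_all(const struct vlan_map *m)
{
    for (int p = 1; p < NPORTS; p++)
        if (!can_forward(m, PORT_CPU, p) || !can_forward(m, p, PORT_CPU))
            return false;
    return true;
}

/* Convenience wrappers so each configuration's result is a named value. */
int default_bypass_paths(void)   { struct vlan_map m = default_map();  return count_bypass_paths(&m); }
int hardened_bypass_paths(void)  { struct vlan_map m = hardened_map(); return count_bypass_paths(&m); }
bool default_keeps_netboot(void) { struct vlan_map m = default_map();  return cpu_reaches_all(&m); }
bool hardened_keeps_netboot(void){ struct vlan_map m = hardened_map(); return cpu_reaches_all(&m); }

static void dump(const char *name, const struct vlan_map *m)
{
    printf("%s:\n", name);
    for (int p = 0; p < NPORTS; p++)
        printf("  port %d egress mask 0x%x\n", p, (unsigned)m->map[p]);
    printf("  bypass paths (wan<->lan, lan<->lan): %d, netboot ok: %s\n",
           count_bypass_paths(m), cpu_reaches_all(m) ? "yes" : "no");
}

int main(void)
{
    struct vlan_map d = default_map(), h = hardened_map();
    dump("default (insecure)", &d);
    dump("hardened (wan/lan -> CPU only)", &h);
    return 0;
}
```

The bypass-path count is the check to keep: the forum workaround of disabling the lan ports would also drive it to zero, but it fails `cpu_reaches_all`, which is exactly the netboot regression the commit message calls out.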
@pali

pali commented Sep 1, 2020

The fix for this issue has now landed in the mainline U-Boot project and will be part of U-Boot version v2020.10-rc4.
