-
Notifications
You must be signed in to change notification settings - Fork 73
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Topaz switch on Espressobin has insecure default configuration #18
Comments
+1 |
+2 |
It looks like that forum thread was removed, but it is still present in web archive: |
trini
pushed a commit
to trini/u-boot
that referenced
this issue
Aug 31, 2020
…lan ports By default Topaz switch on Espressobin board forwards packets between all ethernet ports, including CPU (port 0), wan (port 1) and lan (ports 2,3). This default U-Boot setup is unsuitable for using Espressobin as router as it opens security hole in forwarding all packets between wan and lan ports. E.g. dhcp packets from wan network leaks to lan network during small time window until U-Boot boots Linux kernel which loads network drivers which disallows forwarding between wan and lan. This patch fixes above problem. For Espressobin board prior putting Topaz switch into forwarding mode, Topaz switch is reconfigured to allow forwarding packets from wan and lan ports only to CPU port. This ensures that packets from wan port are not forwarded to lan ports and vice-versa. Packets from CPU port are still forwarded to all other ports, so U-Boot network boot works with any ethernet port as before. This problem was already discussed on Espressobin forum [1] and on Marvell's github issue tracker [2]. As a workaround people on Espressobin forum patched U-Boot to completely disable lan ports on Topaz switch which prevented forwarding packets. That workaround had an issue that U-Boot was unable to netboot via lan ports anymore. Change in this patch does not have such issue. This security issue has been dicussed here as well: [3]. [1] - https://web.archive.org/web/20191231164238/http://espressobin.net/forums/topic/boot-behavior-of-the-switch-and-security/ [2] - MarvellEmbeddedProcessors/u-boot-marvell#18 [3] - https://forum.armbian.com/topic/12635-espressobin-uboot-security-concerns-switch-init-portmask/ Signed-off-by: Pali Rohár <[email protected]> Reviewed-by: Stefan Roese <[email protected]> Tested-by: Andre Heider <[email protected]>
Fix for this issue now landed in mainline U-Boot project and will be part of U-Boot version v2020.10-rc4. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
When U-Boot is starting it enables packet forwarding between WAN and LAN ports on Espressobin. After U-Boot boots Linux kernel, then Linux disable forwarding between WAN and LAN.
This is insecure and for router configuration it does not make any sense. Basically it leaks e.g. DHCP broadcast packets or even worse it leaks IPv6 router advertisement packets from LAN to WAN in time period after powering Espressobin up and before Linux kernel is booted.
Please change default configuration of U-Boot, so forwarding between WAN and LAN is disabled by default.
See also this thread: http://espressobin.net/forums/topic/boot-behavior-of-the-switch-and-security/
The text was updated successfully, but these errors were encountered: