CC254x OAD: AES-CBC MAC Verification Vulnerability

1 Summary

In the CC254x OAD solution:

aesSignature() function in BEM/app/bem_main.c uses Message Authentication Code (MAC) to verify the OAD image signature.

The signature verification implementation uses a non-constant time memcmp function, which potentially enables the MAC check to be vulnerable to a timing attack.

2 Vulnerability

TI PSIRT ID

TI-PSIRT-2019-060032

CVSS Base Score

8.1

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products and Versions

CC2540/CC2541 BLE_Stack v1.5.0 and earlier

Potentially Impacted Features

The potential vulnerability can impact the OAD image signing and encryption functionality.

Suggested Mitigations

The following SDK release addresses the potential vulnerability with a constant time memcmp function in aesSignature():

BLE-STACK (support for CC2540/CC2541) SDK v1.5.1

Customers of affected products should apply this service-pack and consider further system-level security measures as appropriate. Customers are solely responsible for the security of their products and are encouraged to assess the possible risk of any potential security vulnerability.

Acknowledgment

We would like to thank researchers from COSIC, KU Leuven and imec for reporting this potential vulnerability to the TI Product Security Incident Response Team (PSIRT) and working toward a coordinated report.