Playstation: Hole in NetBSD driver could allow code smuggling

lobste.rs - Sat May 14 07:29

A security researcher has discovered a vulnerability in a driver shared by NetBSD and Sony’s Playstation. Attackers could possibly inject their own code into affected devices using manipulated network packets. Updates are available.

The IT security researcher, nicknamed m00nbsd, has discovered a vulnerability in the PPPoE driver of the Playstation 4. When a connection is being established and the device receives several manipulated packets, it assembles a large response packet; this can cause a buffer overflow in which memory outside the bounds of the allocated buffer is overwritten.

According to the description, the attacker controls both the size and the content of the memory areas overwritten by this buffer overflow. The vulnerability has been assigned CVE-2022-29867; Sony’s developers classify it as high risk with a CVSS score of 7.4.

In his description on HackerOne, a bug bounty platform, the discoverer of the vulnerability writes that he suspects the flaw allows malicious code to be injected and executed. He found the bug on a borrowed Playstation 4, but the Playstation 5 is probably also affected.

Sony has paid a $10,000 bounty for the reported vulnerability. The report was filed in September last year; updated firmware has since been released for both PS4 and PS5. Sony also marks the issue as resolved on the bounty platform, so the security gap should no longer be exploitable with current firmware.

The NetBSD project also analyzed the bug. Affected are NetBSD-current, 9.2 and 8.2; updated sources have been available for all of them since May 4th. In their security advisory, the NetBSD developers write that the attack causes memory corruption in the mbuf cluster pool, with unclear consequences. The contents of the overwritten data areas are under the attacker’s control.

The developers qualify this: the error can only occur while the connection is being established; at any later point the malicious packets are simply ignored by the kernel. They have released fixed code as well as new binaries for the releng branch. In the advisory, the developers explain how administrators can update the driver and recompile the kernel.

In the gaming scene in particular, such a gap raises hopes that the Playstation could be cracked and used to run homebrew, for example. So far, none of the parties involved has confirmed that such code injection is possible.

However, well-known scene figures such as Specter estimate that the PS4 does not need the new gap for a working jailbreak; the exploit would probably be less stable than the exFAT exploit used so far. Moreover, mbuf memory corruption is “somehow corrosive”.

NetBSD administrators should install the fixed driver at the earliest opportunity. Playstation owners who are not interested in a jailbreak should also install the latest firmware to close the security gap in the game console.


(dmk)