SWRA800 November 2023 TMS320F2800132, TMS320F2800133, TMS320F2800135, TMS320F2800137, TMS320F2800152-Q1, TMS320F2800153-Q1, TMS320F2800154-Q1, TMS320F2800155, TMS320F2800155-Q1, TMS320F2800156-Q1, TMS320F2800157, TMS320F2800157-Q1, TMS320F280033, TMS320F280034, TMS320F280034-Q1, TMS320F280036-Q1, TMS320F280036C-Q1, TMS320F280037, TMS320F280037-Q1, TMS320F280037C, TMS320F280037C-Q1, TMS320F280038-Q1, TMS320F280038C-Q1, TMS320F280039, TMS320F280039-Q1, TMS320F280039C, TMS320F280039C-Q1, TMS320F28384D, TMS320F28384D-Q1, TMS320F28384S, TMS320F28384S-Q1, TMS320F28386D, TMS320F28386D-Q1, TMS320F28386S, TMS320F28386S-Q1, TMS320F28388D, TMS320F28388S, TMS320F28P650DH, TMS320F28P650DK, TMS320F28P650SH, TMS320F28P650SK, TMS320F28P659DH-Q1, TMS320F28P659DK-Q1, TMS320F28P659SH-Q1


  2.   Summary
  3.   Vulnerability
  4.   Revision History

Vulnerability

TI PSIRT ID

TI-PSIRT-2023-080189

Definitions

  • Gadget: A short sequence of instructions already present in memory, typically ending in a return, that an attacker executes in a way the original program never intended. Gadgets are chained so that, taken together, they perform arbitrary computation on the attacker's behalf.
  • ROP: Return-oriented programming; an attack technique that chains gadgets by overwriting the return addresses stored on the stack, so that the return at the end of each gadget transfers control to the next one.
  • PSIRT: TI’s Product Security Incident Response Team oversees the process of accepting and responding to reports of potential security vulnerabilities involving TI semiconductor products, including hardware, software and documentation. For more information, see TI PSIRT.
  • CVSS: Common Vulnerability Scoring System, maintained by FIRST.

CVE ID

Not applicable.

CVSS Base Score

6.7

Affected Products

  • TMS320F28003x
  • TMS320F2838x
  • TMS320F280013x
  • TMS320F280015x
  • TMS320F28P65x

Potentially Impacted Features

The following attributes may be affected by this vulnerability:

  • Confidentiality and integrity of code stored in memory protected as EXEONLY (execute-only).
  • Confidentiality and integrity of data and code stored in memory that is not protected as EXEONLY.

Suggested Mitigations

Enable two features already present on the device:

  • JTAGLOCK. Lock the JTAG debug interface. See the SPRACS4 application report for the locking procedure.
  • Zero-pin boot to flash. Program the boot configuration so that the device always boots directly from internal flash, using either the "Flash" or the "Secure Flash" boot mode, rather than reading a boot mode from pins. See the device's Technical Reference Manual for how to enable this.

Together, these two features prevent an attacker from loading code into internal memory through a debugger or through a bootloader; the attacker needs such injected code to set up a ROP/gadget attack against secure memory regions. The user application must also be developed and tested according to secure coding practices so that it does not give an attacker another way to load code into internal memory. This applies in particular to secondary bootloaders, firmware update code, and communication stacks.
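As an added illustration of the Gadget and ROP definitions above, and of why the suggested mitigations aim at keeping attacker code out of internal memory, the following C program is example code written for this page; it is not TI's code, not the C28x instruction set, and not the DCSM. The toy machine, its memory map, the secure routine, and the KEY value are all constructed here. The only property it models is EXEONLY in the sense used above: words in the secure region can be fetched as instructions but never read as data. A direct data read of the secure region faults, and calling the secure routine at its entry point enforces its authorization check; but an attacker who can write return addresses onto the stack chains two gadgets, one in the middle of the protected routine and one in ordinary code, and the key constant ends up in readable memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy machine constructed for this illustration (not C28x, not DCSM).
 * Memory map in words: [0,64) secure code (EXEONLY), [64,128) ordinary
 * code, [128,192) data, [192,256) stack.                                 */
#define MEM_WORDS  256
#define SECURE_END 64
#define CODE_END   128
#define AUTH_FLAG  128     /* data word: non-zero once the caller is authorized */
#define LOG_WORD   129     /* data word written by the ordinary "log r0" helper */
#define CHAIN_BASE 200     /* stack location where the attacker writes the chain */
#define KEY        0xC0DE  /* secret that exists only as an immediate operand   */

enum { HALT, LOADI, LOAD, STORE, XOR, JZ, RET };   /* every instruction: op, a, b */
enum { VM_OK, VM_FAULT_EXEONLY_READ, VM_FAULT_CODE_WRITE, VM_FAULT_BAD_PC };

struct vm { uint16_t mem[MEM_WORDS]; uint16_t r[4]; uint16_t pc, sp; };

static int is_secure(uint16_t a) { return a < SECURE_END; }
static int is_code(uint16_t a)   { return a < CODE_END; }

/* The EXEONLY rule: a data load from the secure region faults. */
static int data_read(const struct vm *m, uint16_t a, uint16_t *out) {
    if (is_secure(a)) return VM_FAULT_EXEONLY_READ;
    *out = m->mem[a];
    return VM_OK;
}

static int run(struct vm *m) {
    for (;;) {
        if (!is_code(m->pc) || m->pc + 2 >= CODE_END) return VM_FAULT_BAD_PC;
        uint16_t op = m->mem[m->pc], a = m->mem[m->pc + 1] & 3, b = m->mem[m->pc + 2];
        m->pc += 3;
        switch (op) {
        case HALT:  return VM_OK;
        case LOADI: m->r[a] = b; break;
        case LOAD:  { int rc = data_read(m, b, &m->r[a]); if (rc) return rc; } break;
        case STORE: if (is_code(b)) return VM_FAULT_CODE_WRITE; m->mem[b] = m->r[a]; break;
        case XOR:   m->r[a] ^= m->r[b & 3]; break;
        case JZ:    if (m->r[a] == 0) m->pc = b; break;
        case RET:   if (m->sp >= MEM_WORDS) return VM_FAULT_BAD_PC;
                    m->pc = m->mem[m->sp++]; break;   /* next pc comes from the stack */
        default:    return VM_FAULT_BAD_PC;
        }
    }
}

/* Program image. The secure routine returns r1 ^ KEY in r0, but only after
 * checking AUTH_FLAG; its fail path returns 0. Ordinary code holds a helper
 * that stores r0 to LOG_WORD (think of a debug-logging fragment) and a HALT. */
static void load_image(struct vm *m) {
    static const uint16_t secure[] = {
        LOAD,  2, AUTH_FLAG,  /*  0: r2 = AUTH_FLAG                 */
        JZ,    2, 15,         /*  3: unauthorized -> fail path      */
        LOADI, 0, KEY,        /*  6: r0 = KEY      <- gadget entry  */
        XOR,   0, 1,          /*  9: r0 ^= r1                       */
        RET,   0, 0,          /* 12: return                         */
        LOADI, 0, 0,          /* 15: fail: r0 = 0                   */
        RET,   0, 0,          /* 18: return                         */
    };
    static const uint16_t ordinary[] = {
        STORE, 0, LOG_WORD,   /* 64: mem[LOG_WORD] = r0  <- gadget  */
        RET,   0, 0,          /* 67: return                         */
        HALT,  0, 0,          /* 70: stop                           */
    };
    memset(m, 0, sizeof *m);
    memcpy(m->mem, secure, sizeof secure);
    memcpy(m->mem + 64, ordinary, sizeof ordinary);
}

/* Execute with the stack under attacker control. Starting at the RET at 67
 * models the moment injected code has finished overwriting return addresses:
 * from here on only pre-existing code runs. Returns LOG_WORD, or 0xFFFF on a fault. */
static uint16_t run_chain(const uint16_t *chain, size_t n, uint16_t auth, uint16_t r1) {
    struct vm m;
    load_image(&m);
    m.mem[AUTH_FLAG] = auth;
    m.r[1] = r1;
    memcpy(m.mem + CHAIN_BASE, chain, n * sizeof chain[0]);
    m.sp = CHAIN_BASE;
    m.pc = 67;
    return run(&m) == VM_OK ? m.mem[LOG_WORD] : 0xFFFF;
}

/* 1. Reading the KEY immediate (word 8) out of the secure region as data faults. */
int direct_read_faults(void) {
    struct vm m; uint16_t v = 0;
    load_image(&m);
    return data_read(&m, 8, &v);
}

/* 2. Entering the routine at its entry point honours the authorization check. */
uint16_t call_entry_point(uint16_t auth, uint16_t r1) {
    const uint16_t chain[] = { 0, 64, 70 };   /* call routine, log r0, halt */
    return run_chain(chain, 3, auth, r1);
}

/* 3. ROP: return into the middle of the routine (word 6), past the check, then
 *    into the logging helper. KEY lands in readable memory with no data read
 *    of the EXEONLY region at all.                                            */
uint16_t rop_leak_key(void) {
    const uint16_t chain[] = { 6, 64, 70 };
    return run_chain(chain, 3, /*auth=*/0, /*r1=*/0);
}

int main(void) {
    printf("data read of EXEONLY word 8: fault %d\n", direct_read_faults());
    printf("entry call, unauthorized   : LOG=0x%04X\n", (unsigned)call_entry_point(0, 0x1111));
    printf("entry call, authorized     : LOG=0x%04X\n", (unsigned)call_entry_point(1, 0x1111));
    printf("ROP chain {6, 64, 70}      : LOG=0x%04X\n", (unsigned)rop_leak_key());
    return 0;
}
```

The three words at CHAIN_BASE are the entire attack: nothing new is executed, and nothing in the secure region is ever read as data. That is why the mitigations above target the debugger and bootloader paths: the chain, and the register state it relies on, have to be written into internal memory by something the attacker already runs on the device.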

Acknowledgments

We would like to thank Zhao Hai from Cyberpeace Tech Co., Ltd. for reporting this vulnerability to the TI Product Security Incident Response Team (PSIRT).