DSR-RFC-11 Mobile Vulnerability Management

Introduction

tbd

[Figure: mvm_pipeline]

Example Vulnerabilities

Mali GPU Kernel Driver may elevate CPU RO pages to writable

Title: Mali GPU Kernel Driver may elevate CPU RO pages to writable
CVEs:
  1. CVE-2021-39793
  2. CVE-2022-22706
  3. CVE-2022-33917
  4. CVE-2022-36449
  5. (2325, 2327, 2331, 2333, 2334)
Published: Spring 2022; Summer 2022
Severity: MEDIUM; HIGH
Description: A non-privileged user can get write access to read-only memory pages; by forcing the kernel to reuse these pages as page tables, an attacker with native code execution in an app context could gain full access to the system, bypassing Android’s permissions model and allowing broad access to user data.
Affected Devices: Devices with Mali GPU:
  • Pixel
  • Xiaomi
  • Oppo
Needed Information to detect:
  1. GPU manufacturer and model
  2. Android Security Bulletin
CPE (via NVD): nn
✅ Rule(s) for DSR: WARN all devices with MALI GPU && tbd Patchlevel
References: https://googleprojectzero.blogspot.com/2022/11/mind-the-gap.html

Samsung TrustZone Keymaster

Title: Samsung TrustZone Keymaster
CVEs:
  1. CVE-2021-25444
  2. CVE-2021-25490
Published: Spring 2022
Severity: HIGH
Description: KeyMaster in TEE:
  1. IV reuse attack on AES-GCM that allows an attacker to extract hardware-protected key material
  2. downgrade attack that makes even the latest Samsung devices vulnerable to the IV reuse attack
Affected Devices:
  1. Galaxy S8, S9, S10, S20, and S21
  2. all Samsung devices released with < Android P
CPE (via NVD):
  1. cpe:2.3:o:google:android:8.1:*:*:*:*:*:*:*; cpe:2.3:o:google:android:9.0:*:*:*:*:*:*:*; cpe:2.3:o:google:android:10.0:*:*:*:*:*:*:*
  2. cpe:2.3:o:google:android:9.0:*:*:*:*:*:*:*; cpe:2.3:o:google:android:10.0:*:*:*:*:*:*:*; cpe:2.3:o:google:android:11.0:*:*:*:*:*:*:*
✅ Rule(s) for DSR:
  1. DENY all SAMSUNG devices with SAMSUNG_PATCHLEVEL < SMR AUG-2021 Release 1
  2. DENY all SAMSUNG devices with SAMSUNG_PATCHLEVEL < SMR Oct-2021 Release 1
Needed Information to detect:
  • Samsung patch level information (ro.build.XXXX)
  • Samsung SMR
References:
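The two DENY rules above can be evaluated mechanically once the Samsung patch level is parsed into something comparable. The following is an added example (not code from the DSR project) of such a rule check; it assumes a device record is a dict with the keys "vendor" and "samsung_patchlevel", the latter holding the Samsung Maintenance Release string in the form the rules use ("SMR Aug-2021 Release 1"). The table leaves the exact ro.build.* property that carries this value open, and the example does not guess it. A patch level that cannot be parsed is treated as failing the check (fail closed), which is a design choice of this example, not a rule from the page.

```python
# Added example for the DSR rules above; not the DSR project's own code.
# Assumed device record: {"vendor": ..., "samsung_patchlevel": "SMR Aug-2021 Release 1"}.
# The ro.build.* property holding the SMR string is left open on the page and not guessed here.
import re
from dataclasses import dataclass

MONTHS = {m: i for i, m in enumerate(
    ["jan", "feb", "mar", "apr", "may", "jun",
     "jul", "aug", "sep", "oct", "nov", "dec"], start=1)}

# "SMR Aug-2021 Release 1" -> (2021, 8, 1); case-insensitive so "SMR AUG-2021 ..." parses too.
SMR_RE = re.compile(r"SMR\s+([A-Za-z]{3})-(\d{4})\s+Release\s+(\d+)", re.IGNORECASE)


def parse_smr(text):
    """Return a comparable (year, month, release) tuple, or None if unparseable."""
    m = SMR_RE.fullmatch(text.strip())
    if m is None or m.group(1).lower() not in MONTHS:
        return None
    mon, year, rel = m.groups()
    return (int(year), MONTHS[mon.lower()], int(rel))


@dataclass(frozen=True)
class Rule:
    action: str    # "DENY" or "WARN", as in the table
    vendor: str    # compared case-insensitively with the device record
    fixed_in: str  # devices whose patch level is below this SMR match the rule
    reason: str


# The two Samsung rules from the table, transcribed.
RULES = [
    Rule("DENY", "SAMSUNG", "SMR Aug-2021 Release 1", "CVE-2021-25444"),
    Rule("DENY", "SAMSUNG", "SMR Oct-2021 Release 1", "CVE-2021-25490"),
]

SEVERITY_ORDER = {"ALLOW": 0, "WARN": 1, "DENY": 2}


def evaluate(device, rules=RULES):
    """Return (verdict, reasons); the strongest matching action wins.

    A missing or unparseable patch level fails closed (DENY): a DSR that cannot
    read the patch level cannot show the device is past the fixed release.
    """
    verdict, reasons = "ALLOW", []
    vendor = device.get("vendor", "").lower()
    applicable = [r for r in rules if r.vendor.lower() == vendor]
    if not applicable:
        return verdict, reasons
    level = parse_smr(device.get("samsung_patchlevel", ""))
    if level is None:
        return "DENY", ["patch level missing or not parseable (fail closed)"]
    for rule in applicable:
        if level < parse_smr(rule.fixed_in):
            reasons.append(f"{rule.action}: below {rule.fixed_in} ({rule.reason})")
            if SEVERITY_ORDER[rule.action] > SEVERITY_ORDER[verdict]:
                verdict = rule.action
    return verdict, reasons


# Constructed device records (not real telemetry).
SAMPLE_DEVICES = {
    "old":     {"vendor": "samsung", "samsung_patchlevel": "SMR Jul-2021 Release 1"},
    "partial": {"vendor": "Samsung", "samsung_patchlevel": "SMR Sep-2021 Release 1"},
    "patched": {"vendor": "SAMSUNG", "samsung_patchlevel": "SMR Oct-2021 Release 1"},
    "garbled": {"vendor": "samsung", "samsung_patchlevel": "2021-10-01"},
    "pixel":   {"vendor": "google", "samsung_patchlevel": ""},
}

if __name__ == "__main__":
    for name, dev in SAMPLE_DEVICES.items():
        verdict, reasons = evaluate(dev)
        print(f"{name:8s} {verdict:5s} {'; '.join(reasons)}")
```

The "partial" record shows why both rules are kept separate: a device on the September 2021 release clears the first rule but still fails the second, so the output names exactly which CVE is still open.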

Internet to Baseband Remote Code Execution Vulnerabilities in Exynos Modems

Title: Internet to Baseband Remote Code Execution Vulnerabilities in Exynos Modems
CVEs:
  1. CVE-2023-24033
  2. CVE-2023-26496
  3. CVE-2023-26497
  4. CVE-2023-26498
  5. CVE-2023-26072
  6. CVE-2023-26073
  7. CVE-2023-26074
  8. CVE-2023-26075
  9. CVE-2023-26076
Published: Spring 2022
Severity: HIGH
Description: KeyMaster in TEE:
  1. IV reuse attack on AES-GCM that allows an attacker to extract hardware-protected key material
  2. downgrade attack that makes even the latest Samsung devices vulnerable to the IV reuse attack
Affected Devices: Devices with Exynos 1280, 2200, 5300 modem (CVE-2023-28613):
  • Google Pixel 6, 7
  • Samsung S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series
  • Vivo S16, S15, S6, X70, X60 and X30
  • (Exynos Auto T5123)
Needed Information to detect: Devices with Exynos 1280, 2200, 5300 modem (CVE-2023-28613):
  • Google Pixel 6, 7
  • Samsung S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series
  • Vivo S16, S15, S6, X70, X60 and X30
  • (Exynos Auto T5123)
CPE (via NVD):
  • cpe:2.3:o:samsung:exynos_1280_firmware:-:*:*:*:*:*:*:* on cpe:2.3:o:samsung:exynos_2200_firmware:-:*:*:*:*:*:*:*
  • cpe:2.3:o:samsung:exynos_2200_firmware:-:*:*:*:*:*:*:* on cpe:2.3:h:samsung:exynos_2200:-:*:*:*:*:*:*:*
  • cpe:2.3:o:samsung:exynos_modem_5300_firmware:-:*:*:*:*:*:*:* on cpe:2.3:h:samsung:exynos_modem_5300:-:*:*:*:*:*:*:*
✅ Rule(s) for DSR:
  1.-4.: allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number
  5.-??.: require either a malicious mobile network operator or an attacker with local access to the device
References:

Smartphone Fingerprint Authentication Brute-force Attack

Title: Smartphone Fingerprint Authentication Brute-force Attack
CVEs: nn
Published: Spring 2023
Severity: HIGH
Description: Smartphone Fingerprint Authentication to Brute-force Attack with physical access
Affected Devices:
  • Xiaomi Mi 11 Ultra (Android 11)
  • Vivo X60 Pro (Android 11)
  • OnePlus 7 Pro (Android 11)
  • Oppo Reno Ace (Android 10)
  • Samsung Galaxy S10+ (Android 9)
  • OnePlus 5T (Android 8)
  • Huawei Mate30 Pro 5G (HarmonyOS 2)
  • Huawei P40 (HarmonyOS 2)
Needed Information to detect:
  • Android version
CPE (via NVD): nn
✅ Rule(s) for DSR: tbd
References: https://arxiv.org/pdf/2305.10791.pdf

Implementation

The implementation of the pipeline was carried out using the following resources:

The main.py file receives a list of “keywords”, for example python3 main.py samsung galaxy s6. These keywords are looked up in a local redis-server instance that holds all CPEs from NIST.

The matching CPEs are formatted properly and queried with nvdlib against the NIST CVE API. The returned CVEs are processed and output.

Challenges

• The used API has a limited number of requests.
• Not all devices have “proper” CPEs.
• It is difficult to automatically determine if the found CVEs are fixed in the next patch.
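The three pipeline stages (keyword lookup in the CPE store, the NVD query, and processing of the returned CVEs) together with the request-limit challenge, as an added example that is not the project's main.py. The redis-server holding the NIST CPE dictionary is replaced by a constructed in-memory list; the NVD answer is a constructed dict in the shape of the NVD CVE API 2.0 JSON (an assumption about the response layout, with placeholder CVE ids); the single network request is written against the public 2.0 endpoint with urllib rather than nvdlib so the example has no dependency, and nothing here executes it. The request limits in the throttle are NVD's published limits (5 requests per rolling 30 seconds without an API key, 50 with one); the 6 s / 0.6 s spacing is this example's choice.

```python
# Added example, not the project's main.py: the pipeline stages as offline functions.
# The redis CPE store is a constructed list; the NVD response below is a constructed
# dict in the assumed shape of the NVD CVE API 2.0 JSON; fetch_cves_json() is the only
# network call and is not run here.
import json
import time
import urllib.parse
import urllib.request

# Constructed sample of CPE 2.3 names (the real pipeline holds the whole NIST dictionary).
SAMPLE_CPES = [
    "cpe:2.3:h:samsung:galaxy_s6:-:*:*:*:*:*:*:*",
    "cpe:2.3:o:samsung:galaxy_s6_firmware:-:*:*:*:*:*:*:*",
    "cpe:2.3:h:samsung:galaxy_s21:-:*:*:*:*:*:*:*",
    "cpe:2.3:o:samsung:exynos_2200_firmware:-:*:*:*:*:*:*:*",
    "cpe:2.3:o:google:android:11.0:*:*:*:*:*:*:*",
]


def cpe_words(cpe):
    """Vendor and product words of a CPE 2.3 name, with '_' treated as a space.

    Simplification: escaped colons ("\\:") inside a field are not handled.
    """
    parts = cpe.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 name: {cpe}")
    words = set()
    for field in (parts[3], parts[4]):  # vendor, product
        words.update(field.replace("_", " ").split())
    return words


def find_cpes(keywords, cpes=SAMPLE_CPES):
    """Stage 1: every keyword must be a vendor or product word of the CPE."""
    wanted = {k.lower() for k in keywords}
    return [c for c in cpes if wanted <= cpe_words(c)]


class Throttle:
    """Stage 2 guard for the request limit: NVD allows 5 requests per rolling
    30 s without an API key and 50 with one, so consecutive calls are spaced out."""

    def __init__(self, api_key=None):
        self.min_interval = 0.6 if api_key else 6.0  # spacing chosen for this example
        self._last = None

    def wait(self):
        now = time.monotonic()
        if self._last is not None:
            remaining = self.min_interval - (now - self._last)
            if remaining > 0:
                time.sleep(remaining)
        self._last = time.monotonic()


NVD_CVES_URL = "https://services.nvd.nist.gov/rest/json/cves/2.0"


def fetch_cves_json(cpe, api_key=None, throttle=None):
    """Stage 2: one NVD CVE API 2.0 request for a CPE name (the page uses nvdlib
    for this step; plain urllib is used here to keep the example dependency-free)."""
    if throttle is not None:
        throttle.wait()
    url = NVD_CVES_URL + "?" + urllib.parse.urlencode({"cpeName": cpe})
    headers = {"apiKey": api_key} if api_key else {}
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarize(nvd_json):
    """Stage 3: flatten the response into id/published/score/severity rows, highest score first."""
    rows = []
    for item in nvd_json.get("vulnerabilities", []):
        cve = item["cve"]
        metrics = cve.get("metrics", {})
        score, severity = None, "UNKNOWN"
        for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
            if metrics.get(key):
                metric = metrics[key][0]
                score = metric["cvssData"].get("baseScore")
                # v3 carries baseSeverity inside cvssData, v2 next to it
                severity = metric["cvssData"].get("baseSeverity") or metric.get("baseSeverity", "UNKNOWN")
                break
        rows.append({"id": cve["id"], "published": cve.get("published", "")[:10],
                     "score": score, "severity": severity})
    rows.sort(key=lambda r: (-(r["score"] or 0.0), r["id"]))
    return rows


# Constructed response in the assumed NVD CVE API 2.0 shape; ids, dates and scores are placeholders.
SAMPLE_RESPONSE = {
    "vulnerabilities": [
        {"cve": {"id": "CVE-2000-0001", "published": "2021-10-06T16:15:00.000",
                 "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 4.6, "baseSeverity": "MEDIUM"}}]}}},
        {"cve": {"id": "CVE-2000-0002", "published": "2021-10-06T16:15:00.000",
                 "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.8, "baseSeverity": "HIGH"}}]}}},
        {"cve": {"id": "CVE-2000-0003", "published": "2020-01-01T00:00:00.000", "metrics": {}}},  # unscored entry
    ]
}

if __name__ == "__main__":
    import sys
    keywords = sys.argv[1:] or ["samsung", "galaxy", "s6"]
    for cpe in find_cpes(keywords):
        print(cpe)
    for row in summarize(SAMPLE_RESPONSE):  # offline stand-in for summarize(fetch_cves_json(cpe))
        print(row)
```

The keyword match is deliberately conjunctive (all keywords must appear in vendor or product), which is what keeps "samsung galaxy s6" from also returning the Galaxy S21 entry; it is also why devices without a "proper" CPE, as the challenge list notes, yield nothing at this stage rather than a wrong match.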

Last modified December 3, 2023: resolved GMS - DMS ambiguity (b371f09)