DSR-RFC-11 Mobile Vulnerability Management

Introduction

tbd

mvm_pipeline

Example Vulnerabilities

Mali GPU Kernel Driver may elevate CPU RO pages to writable


Title	Mali GPU Kernel Driver may elevate CPU RO pages to writable
CVEs	CVE-2021-39793 CVE-2022-22706 CVE-2022-33917 CVE-2022-36449 (2325, 2327, 2331, 2333, 2334)
Published	Spring 2022 Summer 2022
Severity	MEDIUM HIGH
Description	A non-privileged user can get a write access to read-only memory pages; by forcing the kernel to reuse these pages as page tables, an attacker with native code execution in an app context could gain full access to the system, bypassing Android’s permissions model and allowing broad access to user data.
Affected Devices	Devices with Mali GPU: Pixel Xiaomi Oppo …
Needed Information to detect	GPU manufacturer and model Android Security Bulletin
CPE (via NVD)	nn
✅ Rule(s) for DSR	WARN all devices with MALI GPU && tbd Patchlevel
References	https://googleprojectzero.blogspot.com/2022/11/mind-the-gap.html

Samsung TrustZone Keymaster


Title	Samsung TrustZone Keymaster
CVEs	CVE-2021-25444 CVE-2021-25490
Published	Spring 2022
Severity	HIGH
Description	KeyMaster in TEE: IV reuse attack on AES-GCM that allows an attacker to extract hardware-protected key material downgrade attack that makes even the latest Samsung devices vulnerable to the IV reuse attack
Affected Devices	Galaxy S8, S9, S10, S20, and S21 all Samsung devices released with < Android P
CPE (via NVD)	`cpe:2.3:o:google:android:8.1:::::::; cpe:2.3:o:google:android:9.0:::::::; cpe:2.3:o:google:android:10.0:::::::` `cpe:2.3:o:google:android:9.0:::::::; cpe:2.3:o:google:android:10.0:::::::; cpe:2.3:o:google:android:11.0:::::::`
✅ Rule(s) for DSR	DENY all SAMSUNG devices with SAMSUNG_PATCHLEVEL < SMR AUG-2021 Release 1 DENY all SAMSUNG devices with SAMSUNG_PATCHLEVEL < SMR Oct-2021 Release 1
Needed Information to detect	Samsung patch level information (ro.build.XXXX) Samsung SMR
References	https://eprint.iacr.org/2022/208.pdf https://www.schneier.com/blog/archives/2022/03/samsung-encryption-flaw.html https://security.samsungmobile.com/securityUpdate.smsb?year=2021&month=8

Internet to Baseband Remote Code Execution Vulnerabilities in Exynos Modems


Title	Internet to Baseband Remote Code Execution Vulnerabilities in Exynos Modems
CVEs	CVE-2023-24033 CVE-2023-26496 CVE-2023-26497 CVE-2023-26498 CVE-2023-26072 CVE-2023-26073 CVE-2023-26074 CVE-2023-26075 CVE-2023-26076 …
Published	Spring 2022
Severity	HIGH
Description	KeyMaster in TEE: IV reuse attack on AES-GCM that allows an attacker to extract hardware-protected key material downgrade attack that makes even the latest Samsung devices vulnerable to the IV reuse attack
Affected Devices	Devices with Exynos 1280, 2200, 5300 modem (CVE-2023-28613): Google Pixel 6, 7 Samsung S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series Vivo S16, S15, S6, X70, X60 and X30 (Exynos Auto T5123)
Needed Information to detect	Devices with Exynos 1280, 2200, 5300 modem (CVE-2023-28613): Google Pixel 6, 7 Samsung S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series Vivo S16, S15, S6, X70, X60 and X30 (Exynos Auto T5123)
CPE (via NVD)	`cpe:2.3:o:samsung:exynos_1280_firmware:-:::::::* on cpe:2.3:o:samsung:exynos_2200_firmware:-:::::::` `cpe:2.3:o:samsung:exynos_2200_firmware:-::::::: on cpe:2.3:h:samsung:exynos_2200:-:::::::` `cpe:2.3:o:samsung:exynos_modem_5300_firmware:-::::::: on cpe:2.3:h:samsung:exynos_modem_5300:-:::::::*`
✅ Rule(s) for DSR	1.-4.: allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number 5.-??.: require either a malicious mobile network operator or an attacker with local access to the device
References	https://googleprojectzero.blogspot.com/2023/03/multiple-internet-to-baseband-remote-rce.html https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://source.android.com/docs/security/bulletin/pixel/2023-03-01

Smartphone Fingerprint Authentication Brute-force Attack


Title	Smartphone Fingerprint Authentication Brute-force Attack
CVEs	nn
Published	Spring 2023
Severity	HIGH
Description	Smartphone Fingerprint Authentication to Brute-force Attack with physical access
Affected Devices	Xiaomi Mi 11 Ultra (Android 11) Vivo X60 Pro (Android 11) OnePlus 7 Pro (Android 11) Oppo Reno Ace (Android 10) Samsung Galaxy S10+ (Android 9) OnePlus 5T (Android 8) Huawei Mate30 Pro 5G (HarmonyOS 2) Huawei P40 (HarmonyOS 2)
Needed Information to detect	Android version Android version
CPE (via NVD)	nn
✅ Rule(s) for DSR	tbd
References	https://arxiv.org/pdf/2305.10791.pdf

Implementation

The implementation of the pipeline was carried out using the following resources:

The main.py file receives a list of “keywords” such as “python3 main.py samsung galaxy s6”. These keywords are searched for in a local redis-server instance, which contains all CPEs from NIST.

The found CPEs are formatted properly and queried with the nvdlib at the NIST CVE API. The found CVEs are processed and outputted.

Challenges

The used API has a limited number of requests.
Not all devices have “proper” CPEs.
It is difficult to automatically determine if the found CVEs are fixed in the next patch.

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.

Last modified December 3, 2023: resolved GMS - DMS ambiguity (b371f09)