
DSR-RFC-11 Mobile Vulnerability Management

Introduction

tbd

[Figure: mvm_pipeline]

Example Vulnerabilities

Mali GPU Kernel Driver may elevate CPU RO pages to writable

Title: Mali GPU Kernel Driver may elevate CPU RO pages to writable
CVEs:
1. CVE-2021-39793
2. CVE-2022-22706
3. CVE-2022-33917
4. CVE-2022-36449
5. (2325, 2327, 2331, 2333, 2334)
Published: Spring 2022 / Summer 2022
Severity: MEDIUM / HIGH
Description: A non-privileged user can get write access to read-only memory pages; by forcing the kernel to reuse these pages as page tables, an attacker with native code execution in an app context could gain full access to the system, bypassing Android's permissions model and allowing broad access to user data.
Affected Devices: Devices with Mali GPU:
• Pixel
• Xiaomi
• Oppo
Needed Information to detect:
1. GPU manufacturer and model
2. Android Security Bulletin
CPE (via NVD): nn
✅ Rule(s) for DSR: WARN all devices with MALI GPU && tbd Patchlevel
References: https://googleprojectzero.blogspot.com/2022/11/mind-the-gap.html

Samsung TrustZone Keymaster

Title: Samsung TrustZone Keymaster
CVEs:
1. CVE-2021-25444
2. CVE-2021-25490
Published: Spring 2022
Severity: HIGH
Description: KeyMaster in TEE:
1. IV reuse attack on AES-GCM that allows an attacker to extract hardware-protected key material
2. downgrade attack that makes even the latest Samsung devices vulnerable to the IV reuse attack
Affected Devices:
1. Galaxy S8, S9, S10, S20, and S21
2. all Samsung devices released with < Android P
CPE (via NVD):
1. cpe:2.3:o:google:android:8.1:*:*:*:*:*:*:*; cpe:2.3:o:google:android:9.0:*:*:*:*:*:*:*; cpe:2.3:o:google:android:10.0:*:*:*:*:*:*:*
2. cpe:2.3:o:google:android:9.0:*:*:*:*:*:*:*; cpe:2.3:o:google:android:10.0:*:*:*:*:*:*:*; cpe:2.3:o:google:android:11.0:*:*:*:*:*:*:*
✅ Rule(s) for DSR:
1. DENY all SAMSUNG devices with SAMSUNG_PATCHLEVEL < SMR AUG-2021 Release 1
2. DENY all SAMSUNG devices with SAMSUNG_PATCHLEVEL < SMR Oct-2021 Release 1
Needed Information to detect:
• Samsung patch level information (ro.build.XXXX)
• Samsung SMR
References:

Internet to Baseband Remote Code Execution Vulnerabilities in Exynos Modems

Title: Internet to Baseband Remote Code Execution Vulnerabilities in Exynos Modems
CVEs:
1. CVE-2023-24033
2. CVE-2023-26496
3. CVE-2023-26497
4. CVE-2023-26498
5. CVE-2023-26072
6. CVE-2023-26073
7. CVE-2023-26074
8. CVE-2023-26075
9. CVE-2023-26076
Published: Spring 2022
Severity: HIGH
Description:
CVEs 1.-4.: allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim's phone number
CVEs 5.-??.: require either a malicious mobile network operator or an attacker with local access to the device
Affected Devices: Devices with Exynos 1280, 2200, 5300 modem (CVE-2023-28613):
• Google Pixel 6, 7
• Samsung S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series
• Vivo S16, S15, S6, X70, X60 and X30
• (Exynos Auto T5123)
Needed Information to detect: Devices with Exynos 1280, 2200, 5300 modem (CVE-2023-28613)
CPE (via NVD):
• cpe:2.3:o:samsung:exynos_1280_firmware:-:*:*:*:*:*:*:* on cpe:2.3:o:samsung:exynos_2200_firmware:-:*:*:*:*:*:*:*
• cpe:2.3:o:samsung:exynos_2200_firmware:-:*:*:*:*:*:*:* on cpe:2.3:h:samsung:exynos_2200:-:*:*:*:*:*:*:*
• cpe:2.3:o:samsung:exynos_modem_5300_firmware:-:*:*:*:*:*:*:* on cpe:2.3:h:samsung:exynos_modem_5300:-:*:*:*:*:*:*:*
✅ Rule(s) for DSR:
References:

Smartphone Fingerprint Authentication Brute-force Attack

Title: Smartphone Fingerprint Authentication Brute-force Attack
CVEs: nn
Published: Spring 2023
Severity: HIGH
Description: Brute-force attack on smartphone fingerprint authentication; requires physical access to the device
Affected Devices:
• Xiaomi Mi 11 Ultra (Android 11)
• Vivo X60 Pro (Android 11)
• OnePlus 7 Pro (Android 11)
• Oppo Reno Ace (Android 10)
• Samsung Galaxy S10+ (Android 9)
• OnePlus 5T (Android 8)
• Huawei Mate30 Pro 5G (HarmonyOS 2)
• Huawei P40 (HarmonyOS 2)
Needed Information to detect:
• Android version
CPE (via NVD): nn
✅ Rule(s) for DSR: tbd
References: https://arxiv.org/pdf/2305.10791.pdf

Implementation

The implementation of the pipeline was carried out using the following resources:

The main.py file receives a list of "keywords" on the command line, for example "python3 main.py samsung galaxy s6". These keywords are looked up in a local redis-server instance that holds all CPEs published by NIST.

The matching CPEs are formatted properly and queried via nvdlib against the NIST NVD CVE API. The CVEs returned are processed and output.
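The keyword-to-CPE step and the NVD request it leads to, as an added example rather than the RFC's own main.py: a constructed in-memory list stands in for the redis-server CPE store, and the NVD CVE API 2.0 request is only built, never sent, so it runs offline. The sample CPE names and the NVD endpoint URL are assumptions taken from NVD's public API, not from this page.

```python
"""Keyword -> CPE lookup and NVD CVE API 2.0 query construction (added example)."""
from urllib.parse import urlencode

NVD_CVE_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"

# Constructed sample of NVD CPE 2.3 names; in the pipeline these come from redis.
CPE_STORE = [
    "cpe:2.3:h:samsung:galaxy_s6:-:*:*:*:*:*:*:*",
    "cpe:2.3:o:samsung:galaxy_s6_firmware:-:*:*:*:*:*:*:*",
    "cpe:2.3:h:samsung:exynos_2200:-:*:*:*:*:*:*:*",
    "cpe:2.3:o:samsung:exynos_modem_5300_firmware:-:*:*:*:*:*:*:*",
    "cpe:2.3:o:google:android:10.0:*:*:*:*:*:*:*",
]


def cpe_fields(cpe):
    """Split a CPE 2.3 name into its 13 colon-separated fields.

    Escaped colons ("\\:") inside a field are not handled; they are rare in NVD data.
    """
    parts = cpe.split(":")
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 name: {cpe}")
    return parts


def find_cpes(keywords, store=CPE_STORE):
    """Return the CPEs whose vendor and product fields contain every keyword.

    Keywords are compared case-insensitively against the '_'-separated words of
    the vendor (field 3) and product (field 4), so "samsung galaxy s6" matches
    galaxy_s6 and galaxy_s6_firmware but would not match a product like galaxy_s60,
    which a plain substring search would also return.
    """
    wanted = {k.lower() for k in keywords}
    hits = []
    for cpe in store:
        fields = cpe_fields(cpe)
        words = set(fields[3].split("_")) | set(fields[4].split("_"))
        if wanted <= words:
            hits.append(cpe)
    return hits


def nvd_query_url(cpe):
    """Build the NVD CVE API 2.0 request that lists CVEs applicable to one CPE."""
    cpe_fields(cpe)  # validate before the name is sent to the API
    return f"{NVD_CVE_API}?{urlencode({'cpeName': cpe})}"


if __name__ == "__main__":
    import sys
    for hit in find_cpes(sys.argv[1:] or ["samsung", "galaxy", "s6"]):
        print(nvd_query_url(hit))
```

An empty result from find_cpes is the "no proper CPE" case from the Challenges list and should be reported as such rather than treated as "no CVEs".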

Challenges

• The NVD API allows only a limited number of requests.
• Not all devices have "proper" CPEs.
• It is difficult to determine automatically whether the found CVEs are fixed by the next patch level.