A heap-based overflow vulnerability in HWR::EngineCJK::Impl::Construct() in libSDKRecognitionText.spensdk.samsung.so library prior to SMR Sep-2022 Release 1 allows attacker to cause memory access fault.

CVE-2022-36862

An issue was discovered in Samsung TizenRT through 3.0_GBM (and 3.1_PRE). createDB in security/provisioning/src/provisioningdatabasemanager.c has a missing sqlite3_close after sqlite3_open_v2, leading to a denial of service.

**Affected components**

affected source code file: external/iotivity/iotivity\_1.2-rel/resource/csdk/security/provisioning/src/provisioningdatabasemanager.c

**Attack vector(s)**

Missing sqlite3\_close after sqlite3\_open\_v2.  
Whether or not an error occurs when it is opened, resources associated with the database connection handle should be released by passing it to sqlite3\_close() when it is no longer required.

**Suggested description of the vulnerability for use in the CVE**

DoS vulnerability in createDB() function in Samsung Electronics TizenRT latest version (and earlier) due to missing sqlite3\_close after sqlite3\_open\_v2.

**Discoverer(s)/Credits**

UVScan

**Reference(s)**

https://www.sqlite.org/c3ref/open.html

TizenRT/external/iotivity/iotivity\_1.2-rel/resource/csdk/security/provisioning/src/provisioningdatabasemanager.c

Line 100 in f8f776d

result = sqlite3\_open\_v2(path, &g\_db, SQLITE\_OPEN\_READWRITE|SQLITE\_OPEN\_CREATE, NULL);

CVE-2022-40280: Security: DoS vulnerability in function createDB() · Issue #5627 · Samsung/TizenRT

An issue was discovered in Samsung TizenRT through 3.0_GBM (and 3.1_PRE). cyassl_connect_step2 in curl/vtls/cyassl.c has a missing X509_free after SSL_get_peer_certificate, leading to information disclosure.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-40281: Security: Privacy leakage in function cyassl_connect_step2() · Issue #5626 · Samsung/TizenRT

By Waqas
Samsung says the data breach took place in July 2022 however it was only discovered on August 4th, 2022.
This is a post from HackRead.com Read the original post: Samsung Data Breach Exposed Private Data of US Customers

**Samsung** has announced that it suffered a data breach in July 2022 involving the personal data of US customers. The incident happened in late July this year and was discovered on August 4th, 2022.

According to the South Korean technology giant, the incident resulted in the breach of private user data such as names, dates of birth, product registration data, demographic information, and contact numbers.

Samsun sent out an email alert to its users after a hacker managed to breach the security of the tech giant’s US systems and stole customers’ data.

The company assured that the breach didn’t impact its customers’ credit card numbers and social security data, which was also stored in the system. The company has yet to disclose the number of affected customers but has notified them through an email sent on Friday.

> “On or around August 4, 2022, we determined through our ongoing investigation that personal information of certain customers was affected.”
> 
> Samsung

Samsung noted that the breached data may vary according to relevant customers and that none of the consumer devices were hacked by this breach. It also stated that its business operations or customers stayed unaffected.

Nevertheless, the company claims to have implemented necessary measures to prevent similar incidents and offers uninterrupted services to its customers. Samsung has also hired a private cybersecurity and law enforcement agency to investigate the latest incident.

Those impacted in this breach are advised to remain cautious of phishing scams, track their credit profiles, and check Samsung’s privacy policy and **FAQs section**.

**Second Data Breach in 2022**

It is currently unclear who perpetrated this attack. But, it is certainly not the first time the tech vendor has suffered a data breach. In fact, Samsung has been a victim of several data breaches in the recent past. In March 2022, **the company confirmed** suffering a data breach after the Lapsus$ hackers leaked 189 GB worth of sensitive data online.

1.  **Hackers used Samsung website to access Sprint’s customer data**
2.  **Killnet Claim They’ve Stolen Employee Data from Lockheed Martin**
3.  **Flawed Encryption Feature Affected 100M Samsung Galaxy Phones**
4.  **Samsung asks users to scan their Smart TVs for malware – Here’s how to**
5.  **Hackers Compromise Employee Accounts to Access Twilio Internal Systems**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Samsung Data Breach Exposed Private Data of US Customers

There is a NULL pointer dereference in aes256_encrypt in Samsung mTower through 0.3.0 due to a missing check on the return value of EVP_CIPHER_CTX_new.

/\*\* \* @file arch/arm/m2351/src/numaker\_pfm\_m2351/secure/main.c \* @brief Provides functionality to start secure world, initialize secure \* and normal worlds, pass to execution to normal world. \* \* @copyright Copyright (c) 2019 Samsung Electronics Co., Ltd. All Rights Reserved. \* @author Taras Drozdovskyi t.drozdovsky@samsung.com \* \* Licensed under the Apache License, Version 2.0 (the "License"); \* you may not use this file except in compliance with the License. \* You may obtain a copy of the License at \* \* http://www.apache.org/licenses/LICENSE-2.0 \* \* Unless required by applicable law or agreed to in writing, software \* distributed under the License is distributed on an "AS IS" BASIS, \* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. \* See the License for the specific language governing permissions and \* limitations under the License. \*/ /\* Included Files. \*/ #include <stdio.h\> #include <stdint.h\> #include <stdlib.h\> #include <string.h\> #include <openssl/sha.h\> //#include "config.h" //#include "version.h" #include <openssl/ec.h\> // for EC\_GROUP\_new\_by\_curve\_name, EC\_GROUP\_free, EC\_KEY\_new, EC\_KEY\_set\_group, EC\_KEY\_generate\_key, EC\_KEY\_free #include <openssl/ecdsa.h\> // for ECDSA\_do\_sign, ECDSA\_do\_verify #include <openssl/obj\_mac.h\> // for NID\_secp192k1 #include <stdlib.h\> #include <string.h\> #include <openssl/conf.h\> #include <openssl/evp.h\> #include <openssl/rand.h\> #include <openssl/err.h\> /\* Pre-processor Definitions. \*/ #define AES\_BLOCK\_SIZE 16 #define AES\_KEY\_SIZE 32 /\*\* Start address for non-secure boot image \*/ /\* Private Types. \*/ /\* Any types, enums, structures or unions used by the file are defined here. \*/ /\* typedef for NonSecure callback functions \*/ /\*\* \* @details ECC ECDSA key structure \*/ typedef struct { uint8\_t Qx\[32\]; /\* 256-bits \*/ uint8\_t Qy\[32\]; /\* 256-bits \*/ uint8\_t d\[32\]; /\* 256-bits \*/ }\_\_attribute\_\_((packed)) ECC\_KEY\_T; typedef struct \_AES\_DATA { unsigned char key\[AES\_KEY\_SIZE\]; unsigned char iv\[AES\_BLOCK\_SIZE\]; } AES\_DATA; typedef struct Message\_Struct { unsigned char \*body; int \*length; AES\_DATA \*aes\_settings; } Message; /\* Private Function Prototypes. \*/ /\* Prototypes of all static functions in the file are provided here. \*/ /\* Private Data. \*/ /\* All static data definitions appear here. \*/ uint32\_t key\[\] = { 0x78563412, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0xefcdac00 }; uint32\_t iv\[\] = { 0x78563412, 0x00000000, 0x00000000, 0xefcdac00 }; /\* Public Data. \*/ /\* All data definitions with global scope appear here. \*/ /\* Public Function Prototypes \*/ Message \*message\_init(int); int aes256\_init(Message \*); Message \*aes256\_encrypt(Message \*); void aes\_cleanup(AES\_DATA \*); void message\_cleanup(Message \*); void sha256(unsigned char \*data, unsigned int data\_len, unsigned char \*hash) { SHA256\_CTX sha256; SHA256\_Init(&sha256); SHA256\_Update(&sha256, data, data\_len); SHA256\_Final(hash, &sha256); } Message \*message\_init(int length) { Message \*ret = malloc(sizeof(Message)); ret->body = malloc(length); ret->length = malloc(sizeof(int)); \*ret->length = length; //initialize aes\_data aes256\_init(ret); return ret; } int aes256\_init(Message \* input) { AES\_DATA \*aes\_info = malloc(sizeof(AES\_DATA)); //point to new data input->aes\_settings = aes\_info; //get rand bytes memcpy(input->aes\_settings\->key, key, AES\_KEY\_SIZE); memcpy(input->aes\_settings\->iv, iv, AES\_KEY\_SIZE / 2); return 0; } Message \*aes256\_encrypt(Message \* plaintext) { EVP\_CIPHER\_CTX \*enc\_ctx; Message \* encrypted\_message; int enc\_length = \*(plaintext->length) + (AES\_BLOCK\_SIZE - \*(plaintext->length) % AES\_BLOCK\_SIZE); encrypted\_message = message\_init(enc\_length); //set up encryption context enc\_ctx = EVP\_CIPHER\_CTX\_new(); EVP\_EncryptInit(enc\_ctx, EVP\_aes\_256\_cfb(), plaintext->aes\_settings\->key, plaintext->aes\_settings\->iv); //encrypt all the bytes up to but not including the last block if (!EVP\_EncryptUpdate(enc\_ctx, encrypted\_message->body, &enc\_length, plaintext->body, \*plaintext->length)) { EVP\_CIPHER\_CTX\_cleanup(enc\_ctx); printf("EVP Error: couldn't update encryption with plain text!\\n"); return NULL; } //update length with the amount of bytes written \*(encrypted\_message->length) = enc\_length; //EncryptFinal will cipher the last block + Padding if (!EVP\_EncryptFinal\_ex(enc\_ctx, enc\_length + encrypted\_message->body, &enc\_length)) { EVP\_CIPHER\_CTX\_cleanup(enc\_ctx); printf("EVP Error: couldn't finalize encryption!\\n"); return NULL; } //add padding to length \*(encrypted\_message->length) += enc\_length; //no errors, copy over key & iv rather than pointing to the plaintext msg memcpy(encrypted\_message->aes\_settings\->key, plaintext->aes\_settings\->key, AES\_KEY\_SIZE); memcpy(encrypted\_message->aes\_settings\->iv, plaintext->aes\_settings\->iv, AES\_KEY\_SIZE / 2); //Free context and return encrypted message EVP\_CIPHER\_CTX\_cleanup(enc\_ctx); return encrypted\_message; } void aes\_cleanup(AES\_DATA \*aes\_data) { // free(aes\_data -> iv); // free(aes\_data -> key); // free(aes\_data); } void message\_cleanup(Message \*message) { //free message struct aes\_cleanup(message->aes\_settings); free(message->length); free(message->body); free(message); } /\*\* \* @brief main - entry point of mTower: secure world. \* \* @param None \* \* @returns None (function is not supposed to return) \*/ int main(int argc, char \* argv\[\]) { // Initialize openSSL // ERR\_load\_crypto\_strings(); // OpenSSL\_add\_all\_algorithms(); // OPENSSL\_config(NULL); EC\_KEY \*eckey = EC\_KEY\_new(); if (NULL == eckey) { printf("Failed to create new EC Key\\n"); return -1; } EC\_GROUP \*ecgroup = EC\_GROUP\_new\_by\_curve\_name(NID\_X9\_62\_prime256v1); if (NULL == ecgroup) { printf("Failed to create new EC Group\\n"); return -1; } if (EC\_KEY\_set\_group(eckey, ecgroup) != 1 ) { printf("Failed to set group for EC Key\\n"); return -1; } if (EC\_KEY\_generate\_key(eckey) != 1) { printf("Failed to generate EC Key\\n"); return -1; } const BIGNUM\* d = EC\_KEY\_get0\_private\_key(eckey); const EC\_POINT\* Q = EC\_KEY\_get0\_public\_key(eckey); const EC\_GROUP\* group = EC\_KEY\_get0\_group(eckey); BIGNUM\* x = BN\_new(); BIGNUM\* y = BN\_new(); if (!EC\_POINT\_get\_affine\_coordinates\_GFp(group, Q, x, y, NULL)) { return -1; } // printf("d: %s\\n", BN\_bn2hex(d)); // printf("X: %s\\n", BN\_bn2hex(x)); // printf("Y: %s\\n", BN\_bn2hex(y)); ECC\_KEY\_T ecc\_ecdsa\_key; BN\_bn2bin(d, &ecc\_ecdsa\_key.d\[0\]); BN\_bn2bin(x, ecc\_ecdsa\_key.Qx); BN\_bn2bin(y, ecc\_ecdsa\_key.Qy); // for (int i = 0; i != 32; i++) // printf(" %02X",ecc\_ecdsa\_key.d\[i\]); // printf("\\n"); char\* buff; buff = malloc(strlen(argv\[1\]) + strlen("ecdsa\_keys.bin") + 1); buff\[0\] = 0; strcat(buff, argv\[1\]); strcat(buff, "ecdsa\_keys.bin"); FILE\* fd = fopen(buff, "wb"); if (!fd) { printf("Failed to open file\\n"); free(buff); return -1; } free(buff); if (fwrite((void \*) &ecc\_ecdsa\_key, sizeof(char), (size\_t) (sizeof(ECC\_KEY\_T)), fd) != (size\_t) (sizeof(ECC\_KEY\_T))) { fclose(fd); return -1; } fclose(fd); Message \*message, \*enc\_msg; message = message\_init(64); memcpy((char \*) message->body, (unsigned char \*) ecc\_ecdsa\_key.Qx, 64); enc\_msg = aes256\_encrypt(message); //clean up ssl; // EVP\_cleanup(); // CRYPTO\_cleanup\_all\_ex\_data(); //Stop data leaks // ERR\_free\_strings(); buff = malloc(strlen(argv\[1\]) + strlen("NuBL32PubKeyEncrypted.bin") + 1); buff\[0\] = 0; strcat(buff, argv\[1\]); strcat(buff, "NuBL32PubKeyEncrypted.bin"); fd = fopen(buff, "wb"); if (!fd) { printf("Failed to open file\\n"); free(buff); return -1; } free(buff); if (fwrite((void \*) enc\_msg->body, sizeof(char), 64, fd) != 64) { fclose(fd); return -1; } fclose(fd); // free(buff); // message\_cleanup(message); // message\_cleanup(enc\_msg); buff = malloc(strlen(argv\[1\]) + strlen("NuBL32PubKeyEncryptedHash.bin") + 1); buff\[0\] = 0; strcat(buff, argv\[1\]); strcat(buff, "NuBL32PubKeyEncryptedHash.bin"); fd = fopen(buff, "wb"); if (!fd) { printf("Failed to open file\\n"); free(buff); return -1; } free(buff); unsigned char PubKeyEncryptedHash\[64\]; sha256((void \*) enc\_msg->body, 64, (unsigned char \*) PubKeyEncryptedHash); if (fwrite((void \*) PubKeyEncryptedHash, sizeof(char), 32, fd) != 32) { fclose(fd); return -1; } fclose(fd); message = message\_init(64); memcpy((char \*) message->body, (unsigned char \*) ecc\_ecdsa\_key.Qx, 64); enc\_msg = aes256\_encrypt(message); //clean up ssl; // EVP\_cleanup(); // CRYPTO\_cleanup\_all\_ex\_data(); //Stop data leaks // ERR\_free\_strings(); buff = malloc(strlen(argv\[1\]) + strlen("NuBL33PubKeyEncrypted.bin") + 1); buff\[0\] = 0; strcat(buff, argv\[1\]); strcat(buff, "NuBL33PubKeyEncrypted.bin"); fd = fopen(buff, "wb"); if (!fd) { printf("Failed to open file\\n"); free(buff); return -1; } free(buff); if (fwrite((void \*) enc\_msg->body, sizeof(char), 64, fd) != 64) { fclose(fd); return -1; } fclose(fd); // free(buff); // message\_cleanup(message); // message\_cleanup(enc\_msg); buff = malloc(strlen(argv\[1\]) + strlen("NuBL33PubKeyEncryptedHash.bin") + 1); buff\[0\] = 0; strcat(buff, argv\[1\]); strcat(buff, "NuBL33PubKeyEncryptedHash.bin"); fd = fopen(buff, "wb"); if (!fd) { printf("Failed to open file\\n"); free(buff); return -1; } free(buff); // unsigned char PubKeyEncryptedHash\[64\]; sha256((void \*) enc\_msg->body, 64, (unsigned char \*) PubKeyEncryptedHash); if (fwrite((void \*) PubKeyEncryptedHash, sizeof(char), 32, fd) != 32) { fclose(fd); return -1; } fclose(fd); exit: BN\_free(x); BN\_free(y); EC\_GROUP\_free(ecgroup); EC\_KEY\_free(eckey); // clean up ssl; // EVP\_cleanup(); // CRYPTO\_cleanup\_all\_ex\_data(); //Stop data leaks // ERR\_free\_strings(); return 0; }

CVE-2022-39829: mTower/ecdsa_keygen.c at 18f4b592a8a973ce5972f4e2658ea0f6e3686284 · Samsung/mTower

sign_pFwInfo in Samsung mTower through 0.3.0 has a missing check on the return value of EC_KEY_set_private_key, leading to a denial of service.

**NAME**

EVP\_EC\_gen, EC\_KEY\_get\_method, EC\_KEY\_set\_method, EC\_KEY\_new\_ex, EC\_KEY\_new, EC\_KEY\_get\_flags, EC\_KEY\_set\_flags, EC\_KEY\_clear\_flags, EC\_KEY\_new\_by\_curve\_name\_ex, EC\_KEY\_new\_by\_curve\_name, EC\_KEY\_free, EC\_KEY\_copy, EC\_KEY\_dup, EC\_KEY\_up\_ref, EC\_KEY\_get0\_engine, EC\_KEY\_get0\_group, EC\_KEY\_set\_group, EC\_KEY\_get0\_private\_key, EC\_KEY\_set\_private\_key, EC\_KEY\_get0\_public\_key, EC\_KEY\_set\_public\_key, EC\_KEY\_get\_conv\_form, EC\_KEY\_set\_conv\_form, EC\_KEY\_set\_asn1\_flag, EC\_KEY\_decoded\_from\_explicit\_params, EC\_KEY\_precompute\_mult, EC\_KEY\_generate\_key, EC\_KEY\_check\_key, EC\_KEY\_set\_public\_key\_affine\_coordinates, EC\_KEY\_oct2key, EC\_KEY\_key2buf, EC\_KEY\_oct2priv, EC\_KEY\_priv2oct, EC\_KEY\_priv2buf - Functions for creating, destroying and manipulating EC\_KEY objects

**SYNOPSIS**

    #include <openssl/ec.h>
    
    EVP_PKEY *EVP_EC_gen(const char *curve);

The following functions have been deprecated since OpenSSL 3.0, and can be hidden entirely by defining **OPENSSL\_API\_COMPAT** with a suitable version value, see openssl\_user\_macros(7):

    EC_KEY *EC_KEY_new_ex(OSSL_LIB_CTX *ctx, const char *propq);
    EC_KEY *EC_KEY_new(void);
    int EC_KEY_get_flags(const EC_KEY *key);
    void EC_KEY_set_flags(EC_KEY *key, int flags);
    void EC_KEY_clear_flags(EC_KEY *key, int flags);
    EC_KEY *EC_KEY_new_by_curve_name_ex(OSSL_LIB_CTX *ctx, const char *propq,
                                        int nid);
    EC_KEY *EC_KEY_new_by_curve_name(int nid);
    void EC_KEY_free(EC_KEY *key);
    EC_KEY *EC_KEY_copy(EC_KEY *dst, const EC_KEY *src);
    EC_KEY *EC_KEY_dup(const EC_KEY *src);
    int EC_KEY_up_ref(EC_KEY *key);
    ENGINE *EC_KEY_get0_engine(const EC_KEY *eckey);
    const EC_GROUP *EC_KEY_get0_group(const EC_KEY *key);
    int EC_KEY_set_group(EC_KEY *key, const EC_GROUP *group);
    const BIGNUM *EC_KEY_get0_private_key(const EC_KEY *key);
    int EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *priv_key);
    const EC_POINT *EC_KEY_get0_public_key(const EC_KEY *key);
    int EC_KEY_set_public_key(EC_KEY *key, const EC_POINT *pub);
    point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *key);
    void EC_KEY_set_conv_form(EC_KEY *eckey, point_conversion_form_t cform);
    void EC_KEY_set_asn1_flag(EC_KEY *eckey, int asn1_flag);
    int EC_KEY_decoded_from_explicit_params(const EC_KEY *key);
    int EC_KEY_generate_key(EC_KEY *key);
    int EC_KEY_check_key(const EC_KEY *key);
    int EC_KEY_set_public_key_affine_coordinates(EC_KEY *key, BIGNUM *x, BIGNUM *y);
    const EC_KEY_METHOD *EC_KEY_get_method(const EC_KEY *key);
    int EC_KEY_set_method(EC_KEY *key, const EC_KEY_METHOD *meth);
    
    int EC_KEY_oct2key(EC_KEY *eckey, const unsigned char *buf, size_t len, BN_CTX *ctx);
    size_t EC_KEY_key2buf(const EC_KEY *eckey, point_conversion_form_t form,
                          unsigned char **pbuf, BN_CTX *ctx);
    
    int EC_KEY_oct2priv(EC_KEY *eckey, const unsigned char *buf, size_t len);
    size_t EC_KEY_priv2oct(const EC_KEY *eckey, unsigned char *buf, size_t len);
    
    size_t EC_KEY_priv2buf(const EC_KEY *eckey, unsigned char **pbuf);
    int EC_KEY_precompute_mult(EC_KEY *key, BN_CTX *ctx);

**DESCRIPTION**

EVP\_EC\_gen() generates a new EC key pair on the given _curve_.

All of the functions described below are deprecated. Applications should instead use EVP\_EC\_gen(), EVP\_PKEY\_Q\_keygen(3), or EVP\_PKEY\_keygen\_init(3) and EVP\_PKEY\_keygen(3).

An EC\_KEY represents a public key and, optionally, the associated private key. A new EC\_KEY with no associated curve can be constructed by calling EC\_KEY\_new\_ex() and specifying the associated library context in _ctx_ (see OSSL\_LIB\_CTX(3)) and property query string _propq_. The _ctx_ parameter may be NULL in which case the default library context is used. The reference count for the newly created EC\_KEY is initially set to 1. A curve can be associated with the EC\_KEY by calling EC\_KEY\_set\_group().

EC\_KEY\_new() is the same as EC\_KEY\_new\_ex() except that the default library context is always used.

Alternatively a new EC\_KEY can be constructed by calling EC\_KEY\_new\_by\_curve\_name\_ex() and supplying the nid of the associated curve, the library context to be used _ctx_ (see OSSL\_LIB\_CTX(3)) and any property query string _propq_. The _ctx_ parameter may be NULL in which case the default library context is used. The _propq_ value may also be NULL. See EC\_GROUP\_new(3) for a description of curve names. This function simply wraps calls to EC\_KEY\_new\_ex() and EC\_GROUP\_new\_by\_curve\_name\_ex().

EC\_KEY\_new\_by\_curve\_name() is the same as EC\_KEY\_new\_by\_curve\_name\_ex() except that the default library context is always used and a NULL property query string.

Calling EC\_KEY\_free() decrements the reference count for the EC\_KEY object, and if it has dropped to zero then frees the memory associated with it. If _key_ is NULL nothing is done.

EC\_KEY\_copy() copies the contents of the EC\_KEY in _src_ into _dest_.

EC\_KEY\_dup() creates a new EC\_KEY object and copies _ec\_key_ into it.

EC\_KEY\_up\_ref() increments the reference count associated with the EC\_KEY object.

EC\_KEY\_get0\_engine() returns a handle to the ENGINE that has been set for this EC\_KEY object.

EC\_KEY\_generate\_key() generates a new public and private key for the supplied _eckey_ object. _eckey_ must have an EC\_GROUP object associated with it before calling this function. The private key is a random integer (0 < priv\_key < order, where _order_ is the order of the EC\_GROUP object). The public key is an EC\_POINT on the curve calculated by multiplying the generator for the curve by the private key.

EC\_KEY\_check\_key() performs various sanity checks on the EC\_KEY object to confirm that it is valid.

EC\_KEY\_set\_public\_key\_affine\_coordinates() sets the public key for _key_ based on its affine co-ordinates; i.e., it constructs an EC\_POINT object based on the supplied _x_ and _y_ values and sets the public key to be this EC\_POINT. It also performs certain sanity checks on the key to confirm that it is valid.

The functions EC\_KEY\_get0\_group(), EC\_KEY\_set\_group(), EC\_KEY\_get0\_private\_key(), EC\_KEY\_set\_private\_key(), EC\_KEY\_get0\_public\_key(), and EC\_KEY\_set\_public\_key() get and set the EC\_GROUP object, the private key, and the EC\_POINT public key for the **key** respectively. The function EC\_KEY\_set\_private\_key() accepts NULL as the priv\_key argument to securely clear the private key component from the EC\_KEY.

The functions EC\_KEY\_get\_conv\_form() and EC\_KEY\_set\_conv\_form() get and set the point\_conversion\_form for the _key_. For a description of point\_conversion\_forms please see EC\_POINT\_new(3).

EC\_KEY\_set\_flags() sets the flags in the _flags_ parameter on the EC\_KEY object. Any flags that are already set are left set. The flags currently defined are EC\_FLAG\_NON\_FIPS\_ALLOW and EC\_FLAG\_FIPS\_CHECKED. In addition there is the flag EC\_FLAG\_COFACTOR\_ECDH which is specific to ECDH. EC\_KEY\_get\_flags() returns the current flags that are set for this EC\_KEY. EC\_KEY\_clear\_flags() clears the flags indicated by the _flags_ parameter; all other flags are left in their existing state.

EC\_KEY\_set\_asn1\_flag() sets the asn1\_flag on the underlying EC\_GROUP object (if set). Refer to EC\_GROUP\_copy(3) for further information on the asn1\_flag.

EC\_KEY\_decoded\_from\_explicit\_params() returns 1 if the group of the _key_ was decoded from data with explicitly encoded group parameters, -1 if the _key_ is NULL or the group parameters are missing, and 0 otherwise.

EC\_KEY\_precompute\_mult() stores multiples of the underlying EC\_GROUP generator for faster point multiplication. See also EC\_POINT\_add(3). Modern versions should instead switch to named curves which OpenSSL has hardcoded lookup tables for.

EC\_KEY\_oct2key() and EC\_KEY\_key2buf() are identical to the functions EC\_POINT\_oct2point() and EC\_POINT\_point2buf() except they use the public key EC\_POINT in _eckey_.

EC\_KEY\_oct2priv() and EC\_KEY\_priv2oct() convert between the private key component of _eckey_ and octet form. The octet form consists of the content octets of the _privateKey_ OCTET STRING in an _ECPrivateKey_ ASN.1 structure.

The function EC\_KEY\_priv2oct() must be supplied with a buffer long enough to store the octet form. The return value provides the number of octets stored. Calling the function with a NULL buffer will not perform the conversion but will just return the required buffer length.

The function EC\_KEY\_priv2buf() allocates a buffer of suitable length and writes an EC\_KEY to it in octet format. The allocated buffer is written to _\*pbuf_ and its length is returned. The caller must free up the allocated buffer with a call to OPENSSL\_free(). Since the allocated buffer value is written to _\*pbuf_ the _pbuf_ parameter **MUST NOT** be **NULL**.

EC\_KEY\_priv2buf() converts an EC\_KEY private key into an allocated buffer.

**RETURN VALUES**

EC\_KEY\_new\_ex(), EC\_KEY\_new(), EC\_KEY\_new\_by\_curve\_name\_ex(), EC\_KEY\_new\_by\_curve\_name() and EC\_KEY\_dup() return a pointer to the newly created EC\_KEY object, or NULL on error.

EC\_KEY\_get\_flags() returns the flags associated with the EC\_KEY object as an integer.

EC\_KEY\_copy() returns a pointer to the destination key, or NULL on error.

EC\_KEY\_get0\_engine() returns a pointer to an ENGINE, or NULL if it wasn't set.

EC\_KEY\_up\_ref(), EC\_KEY\_set\_group(), EC\_KEY\_set\_public\_key(), EC\_KEY\_precompute\_mult(), EC\_KEY\_generate\_key(), EC\_KEY\_check\_key(), EC\_KEY\_set\_public\_key\_affine\_coordinates(), EC\_KEY\_oct2key() and EC\_KEY\_oct2priv() return 1 on success or 0 on error.

EC\_KEY\_set\_private\_key() returns 1 on success or 0 on error except when the priv\_key argument is NULL, in that case it returns 0, for legacy compatibility, and should not be treated as an error.

EC\_KEY\_get0\_group() returns the EC\_GROUP associated with the EC\_KEY.

EC\_KEY\_get0\_private\_key() returns the private key associated with the EC\_KEY.

EC\_KEY\_get\_conv\_form() return the point\_conversion\_form for the EC\_KEY.

EC\_KEY\_key2buf(), EC\_KEY\_priv2oct() and EC\_KEY\_priv2buf() return the length of the buffer or 0 on error.

**SEE ALSO**

EVP\_PKEY\_Q\_keygen(3) crypto(7), EC\_GROUP\_new(3), EC\_GROUP\_copy(3), EC\_POINT\_new(3), EC\_POINT\_add(3), EC\_GFp\_simple\_method(3), d2i\_ECPKParameters(3), OSSL\_LIB\_CTX(3)

**HISTORY**

EVP\_EC\_gen() was added in OpenSSL 3.0. All other functions described here were deprecated in OpenSSL 3.0. For replacement see EVP\_PKEY-EC(7).

**COPYRIGHT**

Copyright 2013-2021 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at https://www.openssl.org/source/license.html.

CVE-2022-39828: /docs/manmaster/man3/EC_KEY_set_private_key.html

sign_pFwInfo in Samsung mTower through 0.3.0 has a missing check on the return value of EC_KEY_set_public_key_affine_coordinates, leading to a denial of service.

/\*\* \* @file tools/fwinfogen.c \* @brief . \* \* @copyright Copyright (c) 2019 Samsung Electronics Co., Ltd. All Rights Reserved. \* @author Taras Drozdovskyi t.drozdovsky@samsung.com \* \* Licensed under the Apache License, Version 2.0 (the "License"); \* you may not use this file except in compliance with the License. \* You may obtain a copy of the License at \* \* http://www.apache.org/licenses/LICENSE-2.0 \* \* Unless required by applicable law or agreed to in writing, software \* distributed under the License is distributed on an "AS IS" BASIS, \* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. \* See the License for the specific language governing permissions and \* limitations under the License. \*/ /\* Included Files. \*/ #include <stdio.h\> #include <stdint.h\> #include <stdlib.h\> #include <string.h\> #include <openssl/sha.h\> #include <openssl/ec.h\> // for EC\_GROUP\_new\_by\_curve\_name, EC\_GROUP\_free, EC\_KEY\_new, EC\_KEY\_set\_group, EC\_KEY\_generate\_key, EC\_KEY\_free #include <openssl/ecdsa.h\> // for ECDSA\_do\_sign, ECDSA\_do\_verify #include <openssl/obj\_mac.h\> // for NID\_secp192k1 #include "config.h" //#include "version.h" /\* Pre-processor Definitions. \*/ #define BUILD\_MONTH\_IS\_JAN (\_\_DATE\_\_\[0\] == 'J' && \_\_DATE\_\_\[1\] == 'a' && \_\_DATE\_\_\[2\] == 'n') #define BUILD\_MONTH\_IS\_FEB (\_\_DATE\_\_\[0\] == 'F') #define BUILD\_MONTH\_IS\_MAR (\_\_DATE\_\_\[0\] == 'M' && \_\_DATE\_\_\[1\] == 'a' && \_\_DATE\_\_\[2\] == 'r') #define BUILD\_MONTH\_IS\_APR (\_\_DATE\_\_\[0\] == 'A' && \_\_DATE\_\_\[1\] == 'p') #define BUILD\_MONTH\_IS\_MAY (\_\_DATE\_\_\[0\] == 'M' && \_\_DATE\_\_\[1\] == 'a' && \_\_DATE\_\_\[2\] == 'y') #define BUILD\_MONTH\_IS\_JUN (\_\_DATE\_\_\[0\] == 'J' && \_\_DATE\_\_\[1\] == 'u' && \_\_DATE\_\_\[2\] == 'n') #define BUILD\_MONTH\_IS\_JUL (\_\_DATE\_\_\[0\] == 'J' && \_\_DATE\_\_\[1\] == 'u' && \_\_DATE\_\_\[2\] == 'l') #define BUILD\_MONTH\_IS\_AUG (\_\_DATE\_\_\[0\] == 'A' && \_\_DATE\_\_\[1\] == 'u') #define BUILD\_MONTH\_IS\_SEP (\_\_DATE\_\_\[0\] == 'S') #define BUILD\_MONTH\_IS\_OCT (\_\_DATE\_\_\[0\] == 'O') #define BUILD\_MONTH\_IS\_NOV (\_\_DATE\_\_\[0\] == 'N') #define BUILD\_MONTH\_IS\_DEC (\_\_DATE\_\_\[0\] == 'D') #define BUILD\_MONTH \\ ( \\ (BUILD\_MONTH\_IS\_JAN) ? 1 : \\ (BUILD\_MONTH\_IS\_FEB) ? 2 : \\ (BUILD\_MONTH\_IS\_MAR) ? 3 : \\ (BUILD\_MONTH\_IS\_APR) ? 4 : \\ (BUILD\_MONTH\_IS\_MAY) ? 5 : \\ (BUILD\_MONTH\_IS\_JUN) ? 6 : \\ (BUILD\_MONTH\_IS\_JUL) ? 7 : \\ (BUILD\_MONTH\_IS\_AUG) ? 8 : \\ (BUILD\_MONTH\_IS\_SEP) ? 9 : \\ (BUILD\_MONTH\_IS\_OCT) ? 16 : \\ (BUILD\_MONTH\_IS\_NOV) ? 17 : \\ (BUILD\_MONTH\_IS\_DEC) ? 18 : \\ /\* error default \*/ 0 \\ ) #define BUILD\_DAY\_CH0 ((\_\_DATE\_\_\[4\] >= '0') ? (\_\_DATE\_\_\[4\]) : '0') #define BUILD\_DAY\_CH1 (\_\_DATE\_\_\[ 5\]) #define DATE\_COMPILE (((\_\_DATE\_\_\[7\] - '0') << 28) \\ | (((unsigned int)(\_\_DATE\_\_\[8\] - '0')) << 24) \\ | (((unsigned int)(\_\_DATE\_\_\[9\] - '0')) << 20) \\ | (((unsigned int)(\_\_DATE\_\_\[10\] - '0')) << 16) \\ | (((unsigned int)(BUILD\_MONTH)) << 8) \\ | (((unsigned int)(((\_\_DATE\_\_\[4\] >= '0') ? (\_\_DATE\_\_\[4\]) : '0') - '0')) << 4) \\ | (((unsigned int)\_\_DATE\_\_\[5\] - '0'))) #define BL33\_METADATA\_ADDRESS (0x10080000 - CONFIG\_START\_ADDRESS\_BL33 - 0x8000) /\*\* Instruction Code of "B ." \*/ /\* Private Types. \*/ /\* Any types, enums, structures or unions used by the file are defined here. \*/ /\* typedef for NonSecure callback functions \*/ /\*\* \* @details ECC public key structure \*/ typedef struct { uint32\_t au32Key0\[8\]; /\* 256-bits \*/ uint32\_t au32Key1\[8\]; /\* 256-bits \*/ }\_\_attribute\_\_((packed)) ECC\_PUBKEY\_T; /\*\* \* @details ECC ECDSA signature structure \*/ typedef struct { uint32\_t au32R\[8\]; /\* 256-bits \*/ uint32\_t au32S\[8\]; /\* 256-bits \*/ }\_\_attribute\_\_((packed)) ECDSA\_SIGN\_T; typedef struct { uint32\_t u32Start; /\* 32-bits \*/ uint32\_t u32Size; /\* 32-bits \*/ }\_\_attribute\_\_((packed)) FW\_REGION\_T; typedef struct { uint32\_t u32AuthCFGs; /\* 32-bits \*/ /\* bit\[1:0\]: Reserved bit\[2\]: 1: Info Hash includes PDID / 0: Not include PDID bit\[3\]: 1: Info Hash includes UID / 0: Not include UID bit\[4\]: 1: Info Hash inculdes UICD / 0: Not include UICD bit\[31:5\]: Reserved \*/ uint32\_t u32FwRegionLen; /\* 32-bits \*/ FW\_REGION\_T au32FwRegion\[1\]; /\* (8\*1) bytes \*/ uint32\_t u32ExtInfoLen; /\* 32-bits \*/ uint32\_t au32ExtInfo\[3\]; /\* 12-bytes \*/ }\_\_attribute\_\_((packed)) METADATA\_T; typedef struct { ECC\_PUBKEY\_T pubkey; /\* 64-bytes (256-bits + 256-bits) \*/ METADATA\_T mData; /\* includes authenticate configuration, F/W regions and extend info \*/ uint32\_t au32FwHash\[8\]; /\* 32-bytes (256-bits) \*/ ECDSA\_SIGN\_T sign; /\* 64-bytes (256-bits R + 256-bits S) \*/ }\_\_attribute\_\_((packed)) FW\_INFO\_T; /\*\* \* @details ECC ECDSA key structure \*/ typedef struct { uint8\_t Qx\[32\]; /\* 256-bits \*/ uint8\_t Qy\[32\]; /\* 256-bits \*/ uint8\_t d\[32\]; /\* 256-bits \*/ }\_\_attribute\_\_((packed)) ECC\_KEY\_T; /\* Private Function Prototypes. \*/ /\* Prototypes of all static functions in the file are provided here. \*/ /\* Private Data. \*/ /\* All static data definitions appear here. \*/ /\* Public Data. \*/ /\* All data definitions with global scope appear here. \*/ const char header\[\] = "\\n" "const uint32\_t g\_InitialFWinfo\[\] =\\n" "{\\n" " /\* public key - 64-bytes (256-bits + 256-bits) \*/\\n"; /\* Public Function Prototypes \*/ /\* Private Functions. \*/ void sha256(unsigned char \*data, unsigned int data\_len, unsigned char \*hash) { SHA256\_CTX sha256; SHA256\_Init(&sha256); SHA256\_Update(&sha256, data, data\_len); SHA256\_Final(hash, &sha256); } static int sign\_pFwInfo(FW\_INFO\_T \*pFwInfo, ECC\_KEY\_T \*ecdsa\_key) { int ret = -1; EC\_KEY \*eckey = EC\_KEY\_new(); if (NULL == eckey) { printf("Failed to create new EC Key\\n"); return -1; } EC\_GROUP \*ecgroup = EC\_GROUP\_new\_by\_curve\_name(NID\_X9\_62\_prime256v1); if (NULL == ecgroup) { printf("Failed to create new EC Group\\n"); goto exit; } if (EC\_KEY\_set\_group(eckey, ecgroup) != 1) { printf("Failed to set group for EC Key\\n"); goto exit; } memcpy((void \*) pFwInfo->pubkey.au32Key0, (void \*) ecdsa\_key->Qx, 32); memcpy((void \*) pFwInfo->pubkey.au32Key1, (void \*) ecdsa\_key->Qy, 32); BIGNUM\* x = BN\_bin2bn((void \*) ecdsa\_key->Qx, 32, NULL); BIGNUM\* y = BN\_bin2bn((void \*) ecdsa\_key->Qy, 32, NULL); BIGNUM\* d = BN\_bin2bn((void \*) ecdsa\_key->d, 32, NULL); EC\_KEY\_set\_private\_key(eckey, d); EC\_KEY\_set\_public\_key\_affine\_coordinates(eckey, x, y); uint32\_t au32HeadHash\[8\]; unsigned int u32Size = sizeof(FW\_INFO\_T) - sizeof(ECDSA\_SIGN\_T); sha256((unsigned char \*) pFwInfo, u32Size, (unsigned char \*) au32HeadHash); ECDSA\_SIG \*signature = ECDSA\_do\_sign((unsigned char \*) au32HeadHash, u32Size, eckey); if (NULL == signature) { printf("Failed to generate EC Signature\\n"); } else { if (ECDSA\_do\_verify((unsigned char \*) au32HeadHash, u32Size, signature, eckey) != 1) { printf("Failed to verify EC Signature\\n"); } else { BIGNUM \*r, \*s; #if OPENSSL\_VERSION\_NUMBER >= 0x10100000L ECDSA\_SIG\_get0(signature, &r, &s); #else r = signature->r; s = signature->s; #endif // printf("d: %s\\n", BN\_bn2hex(d)); // printf("X: %s\\n", BN\_bn2hex(x)); // printf("Y: %s\\n", BN\_bn2hex(y)); // printf("R: %s\\n", BN\_bn2hex(r)); // printf("S: %s\\n", BN\_bn2hex(s)); BN\_bn2bin(r, (unsigned char \*) pFwInfo->sign.au32R); BN\_bn2bin(s, (unsigned char \*) pFwInfo->sign.au32S); BN\_free(x); BN\_free(y); BN\_free(d); BN\_free(r); BN\_free(s); } } ret = 0; exit: EC\_GROUP\_free(ecgroup); EC\_KEY\_free(eckey); return ret; } int getFileSize(const char \*filename) { int size = -1; FILE\* fd = fopen(filename, "rb"); if (!fd) { printf("Failed to open file: %s\\n",filename); return -1; } /\* Get file size \*/ if (fseek(fd, 0, SEEK\_END) != 0) { printf("Unable to get '%s' file size\\n", filename); goto exit; } size = ftell(fd); if (size < 0) { printf("Stream doesn't support '%s' file positioning\\n", filename); goto exit; } // rewind(fd); exit: fclose(fd); return size; } #ifdef CONFIG\_BOOTLOADER2 /\*\* \* @brief printFwInfo - . \* \* @param pFwInfo \[in/out\] A pointer to jar file name string. \* \* @returns 0 on success or error code on failure. \*/ void printFwInfo(FW\_INFO\_T \*pFwInfo) { printf("%s", header); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x,\\n", pFwInfo->pubkey.au32Key0\[0\], pFwInfo->pubkey.au32Key0\[1\], pFwInfo->pubkey.au32Key0\[2\], pFwInfo->pubkey.au32Key0\[3\]); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x,\\n", pFwInfo->pubkey.au32Key0\[4\], pFwInfo->pubkey.au32Key0\[5\], pFwInfo->pubkey.au32Key0\[6\], pFwInfo->pubkey.au32Key0\[7\]); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x,\\n", pFwInfo->pubkey.au32Key1\[0\], pFwInfo->pubkey.au32Key1\[1\], pFwInfo->pubkey.au32Key1\[2\], pFwInfo->pubkey.au32Key1\[3\]); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x,\\n", pFwInfo->pubkey.au32Key1\[4\], pFwInfo->pubkey.au32Key1\[5\], pFwInfo->pubkey.au32Key1\[6\], pFwInfo->pubkey.au32Key1\[7\]); printf("\\n"); printf( " /\* metadata data - includes Mode selection, F/W region and Extend info \*/\\n"); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x, // 0x00020000: NuBL32 F/W base\\n", pFwInfo->mData.u32AuthCFGs, pFwInfo->mData.u32FwRegionLen, pFwInfo->mData.au32FwRegion\[0\].u32Start, pFwInfo->mData.au32FwRegion\[0\].u32Size); printf( " 0x%08x, 0x%08x, 0x%08x, 0x%08x, // 0x20180824/0x00001111/0x22223333: Extend info\\n", pFwInfo->mData.u32ExtInfoLen, pFwInfo->mData.au32ExtInfo\[0\], pFwInfo->mData.au32ExtInfo\[1\], pFwInfo->mData.au32ExtInfo\[2\]); printf("\\n"); printf(" /\* FW hash - 32-bytes (256-bits) \*/\\n"); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x,\\n", pFwInfo->au32FwHash\[0\], pFwInfo->au32FwHash\[1\], pFwInfo->au32FwHash\[2\], pFwInfo->au32FwHash\[3\]); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x,\\n", pFwInfo->au32FwHash\[4\], pFwInfo->au32FwHash\[5\], pFwInfo->au32FwHash\[6\], pFwInfo->au32FwHash\[7\]); printf("\\n"); printf(" /\* FwInfo signature - 64-bytes (256-bits R + 256-bits S) \*/\\n"); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x,\\n", pFwInfo->sign.au32R\[0\], pFwInfo->sign.au32R\[1\], pFwInfo->sign.au32R\[2\], pFwInfo->sign.au32R\[3\]); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x,\\n", pFwInfo->sign.au32R\[4\], pFwInfo->sign.au32R\[5\], pFwInfo->sign.au32R\[6\], pFwInfo->sign.au32R\[7\]); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x,\\n", pFwInfo->sign.au32S\[0\], pFwInfo->sign.au32S\[1\], pFwInfo->sign.au32S\[2\], pFwInfo->sign.au32S\[3\]); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x,\\n", pFwInfo->sign.au32S\[4\], pFwInfo->sign.au32S\[5\], pFwInfo->sign.au32S\[6\], pFwInfo->sign.au32S\[7\]); printf("};\\n"); } #endif /\*\* \* @brief main - entry point of mTower: secure world. \* \* @param None \* \* @returns None (function is not supposed to return) \*/ int main(int argc, char\*\* argv) { unsigned char \*buf = NULL; int ret = -1; FILE\* fd; int img\_size = 0; #ifdef CONFIG\_BOOTLOADER2 ECC\_KEY\_T ecdsa\_key; FW\_INFO\_T pFwInfo; pFwInfo.mData.u32AuthCFGs = 0x00000001; pFwInfo.mData.u32FwRegionLen = 0x00000008; pFwInfo.mData.au32FwRegion\[0\].u32Start = CONFIG\_START\_ADDRESS\_BL32; pFwInfo.mData.au32FwRegion\[0\].u32Size = 0x00000000; pFwInfo.mData.u32ExtInfoLen = 0x0000000c; pFwInfo.mData.au32ExtInfo\[0\] = DATE\_COMPILE; pFwInfo.mData.au32ExtInfo\[1\] = 0x00001111; pFwInfo.mData.au32ExtInfo\[2\] = 0x22223333; #endif if (argc != 7) { printf("Not enough input parameters for %s\\n", argv\[0\]); return -1; } buf = malloc(1024 \* 256); if (buf == NULL) { printf("Allocation memory error\\n"); goto exit; } memset((void \*) buf, 0, 1024 \* 256); //////////////////////////////////////////////////////////////// // mtower\_s.bin //////////////////////////////////////////////////////////////// #ifdef CONFIG\_BOOTLOADER2 int32\_t size\_bl2; if((size\_bl2 = getFileSize(argv\[1\])) < 0) { return -1; } fd = fopen(argv\[1\], "rb"); if (!fd) { printf("Failed to open file: %s\\n",argv\[1\]); return -1; } if (fread(buf, 1, (size\_t) size\_bl2, fd) != (size\_t) size\_bl2) { free(buf); goto exit; } fclose(fd); #endif #ifdef CONFIG\_BOOTLOADER32 int32\_t size\_bl32; if((size\_bl32 = getFileSize(argv\[2\])) < 0) { return -1; } fd = fopen(argv\[2\], "rb"); if (!fd) { printf("Failed to open file: %s\\n",argv\[2\]); goto exit; } if (fread(buf + CONFIG\_START\_ADDRESS\_BL32, 1, (size\_t) size\_bl32, fd) != (size\_t) size\_bl32) { free(buf); goto exit; } fclose(fd); img\_size = size\_bl32; #endif #ifdef CONFIG\_BOOTLOADER2 sha256(buf + CONFIG\_START\_ADDRESS\_BL32, size\_bl32, (unsigned char \*) &pFwInfo.au32FwHash); pFwInfo.mData.au32FwRegion\[0\].u32Size = size\_bl32; fd = fopen(argv\[4\], "rb"); if (!fd) { printf("Failed to open file: %s\\n",argv\[4\]); goto exit; } if (fread((unsigned char \*) &ecdsa\_key, sizeof(char), sizeof(ECC\_KEY\_T), fd) != sizeof(ECC\_KEY\_T)) { return -1; } fclose(fd); sign\_pFwInfo(&pFwInfo, &ecdsa\_key); memcpy(buf + 0x00038000, (unsigned char \*) &pFwInfo, sizeof(FW\_INFO\_T)); img\_size = 0x00038000 + sizeof(FW\_INFO\_T); #endif fd = fopen(argv\[3\], "wb"); if (!fd) { printf("Failed to open file: %s\\n",argv\[3\]); goto exit; } if (fwrite(buf, sizeof(char), (size\_t) img\_size, fd) != (size\_t) img\_size) { free(buf); goto exit; } #ifdef CONFIG\_BOOTLOADER2 printf("\\n\\tSecure firmware info\\n"); printFwInfo(&pFwInfo); #endif //////////////////////////////////////////////////////////////// // mtower\_ns.bin //////////////////////////////////////////////////////////////// #ifdef CONFIG\_BOOTLOADER33 memset((void \*) buf, 0, 1024 \* 256); int32\_t size\_bl33; if((size\_bl33 = getFileSize(argv\[5\])) < 0) { return -1; } fd = fopen(argv\[5\], "rb"); if (!fd) { printf("Failed to open file: %s\\n",argv\[5\]); goto exit; } if (fread(buf, 1, (size\_t) size\_bl33, fd) != (size\_t) size\_bl33) { goto exit; } fclose(fd); img\_size = size\_bl33; #ifdef CONFIG\_BOOTLOADER2 sha256(buf, size\_bl33, (unsigned char \*) &pFwInfo.au32FwHash); pFwInfo.mData.au32FwRegion\[0\].u32Start = CONFIG\_START\_ADDRESS\_BL33; pFwInfo.mData.au32FwRegion\[0\].u32Size = size\_bl33; sign\_pFwInfo(&pFwInfo, &ecdsa\_key); memcpy(buf + BL33\_METADATA\_ADDRESS, (unsigned char \*) &pFwInfo, sizeof(FW\_INFO\_T)); img\_size = BL33\_METADATA\_ADDRESS + sizeof(FW\_INFO\_T); #endif fd = fopen(argv\[6\], "wb"); if (!fd) { printf("Failed to open file: %s\\n",argv\[6\]); goto exit; } if (fwrite(buf, sizeof(char), (size\_t) img\_size, fd) != (size\_t) img\_size) { goto exit; } #endif ret = 0; exit: free(buf); fclose(fd); #ifdef CONFIG\_BOOTLOADER2 printf("\\n\\tNon-secure firmware info\\n"); printFwInfo(&pFwInfo); #endif return ret; }

CVE-2022-39830: mTower/fwinfogen.c at 18f4b592a8a973ce5972f4e2658ea0f6e3686284 · Samsung/mTower

South Korean chaebol Samsung on Friday said it experienced a cybersecurity incident that resulted in the unauthorized access of some customer information, the second time this year it has reported such a breach.
"In late July 2022, an unauthorized third-party acquired information from some of Samsung's U.S. systems," the company disclosed in a notice. "On or around August 4, 2022, we determined

South Korean chaebol Samsung on Friday said it experienced a cybersecurity incident that resulted in the unauthorized access of some customer information, the second time this year it has reported such a breach.

"In late July 2022, an unauthorized third-party acquired information from some of Samsung's U.S. systems," the company disclosed in a notice. "On or around August 4, 2022, we determined through our ongoing investigation that personal information of certain customers was affected."

Samsung said the infiltration enabled hackers to access certain data such as names, contact and demographic information, dates of birth, and product registration details.

It stressed that the incident did not affect users' Social Security numbers or credit and debit card numbers, but noted the information leaked for each relevant customer may vary.

The collected information is necessary to help the company deliver the best experience with its products and services, it added. It's unclear how many customers were affected or who was behind the hack, and why it took almost a month for the company to divulge the breach.

Aside from notifying users about the security event, Samsung stated it has taken steps to secure the impacted systems and engaged an outside cybersecurity firm to lead the response efforts.

Furthermore, it's urging users to be on guard against potential social engineering attempts, avoid clicking on links or opening attachments from unknown senders, and review their accounts for potentially suspicious activity.

The announcement comes less than six months after Samsung confirmed a similar incident. In March 2022, it revealed that internal data, including the source code related to its Galaxy smartphones, was leaked in the aftermath of an attack staged by the LAPSUS$ extortion gang.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Samsung Admits Data Breach that Exposed Details of Some U.S. Customers

wolfSSL through 5.0.0 allows an attacker to cause a denial of service and infinite loop in the client component by sending crafted traffic from a Machine-in-the-Middle (MITM) position. The root cause is that the client module accepts TLS messages that normally are only sent to TLS servers.

CVE-2021-44718: wolfSSL Security Vulnerabilities | wolfSSL Embedded SSL/TLS Library

Samsung Electronics mTower v0.3.0 and earlier was discovered to contain a NULL pointer dereference via the function TEE_GetObjectInfo1.

Tag

#samsung