sign_pFwInfo in Samsung mTower through 0.3.0 has a missing check on the return value of EC_KEY_set_private_key, leading to a denial of service.

**NAME**

EVP\_EC\_gen, EC\_KEY\_get\_method, EC\_KEY\_set\_method, EC\_KEY\_new\_ex, EC\_KEY\_new, EC\_KEY\_get\_flags, EC\_KEY\_set\_flags, EC\_KEY\_clear\_flags, EC\_KEY\_new\_by\_curve\_name\_ex, EC\_KEY\_new\_by\_curve\_name, EC\_KEY\_free, EC\_KEY\_copy, EC\_KEY\_dup, EC\_KEY\_up\_ref, EC\_KEY\_get0\_engine, EC\_KEY\_get0\_group, EC\_KEY\_set\_group, EC\_KEY\_get0\_private\_key, EC\_KEY\_set\_private\_key, EC\_KEY\_get0\_public\_key, EC\_KEY\_set\_public\_key, EC\_KEY\_get\_conv\_form, EC\_KEY\_set\_conv\_form, EC\_KEY\_set\_asn1\_flag, EC\_KEY\_decoded\_from\_explicit\_params, EC\_KEY\_precompute\_mult, EC\_KEY\_generate\_key, EC\_KEY\_check\_key, EC\_KEY\_set\_public\_key\_affine\_coordinates, EC\_KEY\_oct2key, EC\_KEY\_key2buf, EC\_KEY\_oct2priv, EC\_KEY\_priv2oct, EC\_KEY\_priv2buf - Functions for creating, destroying and manipulating EC\_KEY objects

**SYNOPSIS**

    #include <openssl/ec.h>
    
    EVP_PKEY *EVP_EC_gen(const char *curve);

The following functions have been deprecated since OpenSSL 3.0, and can be hidden entirely by defining **OPENSSL\_API\_COMPAT** with a suitable version value, see openssl\_user\_macros(7):

    EC_KEY *EC_KEY_new_ex(OSSL_LIB_CTX *ctx, const char *propq);
    EC_KEY *EC_KEY_new(void);
    int EC_KEY_get_flags(const EC_KEY *key);
    void EC_KEY_set_flags(EC_KEY *key, int flags);
    void EC_KEY_clear_flags(EC_KEY *key, int flags);
    EC_KEY *EC_KEY_new_by_curve_name_ex(OSSL_LIB_CTX *ctx, const char *propq,
                                        int nid);
    EC_KEY *EC_KEY_new_by_curve_name(int nid);
    void EC_KEY_free(EC_KEY *key);
    EC_KEY *EC_KEY_copy(EC_KEY *dst, const EC_KEY *src);
    EC_KEY *EC_KEY_dup(const EC_KEY *src);
    int EC_KEY_up_ref(EC_KEY *key);
    ENGINE *EC_KEY_get0_engine(const EC_KEY *eckey);
    const EC_GROUP *EC_KEY_get0_group(const EC_KEY *key);
    int EC_KEY_set_group(EC_KEY *key, const EC_GROUP *group);
    const BIGNUM *EC_KEY_get0_private_key(const EC_KEY *key);
    int EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *priv_key);
    const EC_POINT *EC_KEY_get0_public_key(const EC_KEY *key);
    int EC_KEY_set_public_key(EC_KEY *key, const EC_POINT *pub);
    point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *key);
    void EC_KEY_set_conv_form(EC_KEY *eckey, point_conversion_form_t cform);
    void EC_KEY_set_asn1_flag(EC_KEY *eckey, int asn1_flag);
    int EC_KEY_decoded_from_explicit_params(const EC_KEY *key);
    int EC_KEY_generate_key(EC_KEY *key);
    int EC_KEY_check_key(const EC_KEY *key);
    int EC_KEY_set_public_key_affine_coordinates(EC_KEY *key, BIGNUM *x, BIGNUM *y);
    const EC_KEY_METHOD *EC_KEY_get_method(const EC_KEY *key);
    int EC_KEY_set_method(EC_KEY *key, const EC_KEY_METHOD *meth);
    
    int EC_KEY_oct2key(EC_KEY *eckey, const unsigned char *buf, size_t len, BN_CTX *ctx);
    size_t EC_KEY_key2buf(const EC_KEY *eckey, point_conversion_form_t form,
                          unsigned char **pbuf, BN_CTX *ctx);
    
    int EC_KEY_oct2priv(EC_KEY *eckey, const unsigned char *buf, size_t len);
    size_t EC_KEY_priv2oct(const EC_KEY *eckey, unsigned char *buf, size_t len);
    
    size_t EC_KEY_priv2buf(const EC_KEY *eckey, unsigned char **pbuf);
    int EC_KEY_precompute_mult(EC_KEY *key, BN_CTX *ctx);

**DESCRIPTION**

EVP\_EC\_gen() generates a new EC key pair on the given _curve_.

All of the functions described below are deprecated. Applications should instead use EVP\_EC\_gen(), EVP\_PKEY\_Q\_keygen(3), or EVP\_PKEY\_keygen\_init(3) and EVP\_PKEY\_keygen(3).

An EC\_KEY represents a public key and, optionally, the associated private key. A new EC\_KEY with no associated curve can be constructed by calling EC\_KEY\_new\_ex() and specifying the associated library context in _ctx_ (see OSSL\_LIB\_CTX(3)) and property query string _propq_. The _ctx_ parameter may be NULL in which case the default library context is used. The reference count for the newly created EC\_KEY is initially set to 1. A curve can be associated with the EC\_KEY by calling EC\_KEY\_set\_group().

EC\_KEY\_new() is the same as EC\_KEY\_new\_ex() except that the default library context is always used.

Alternatively a new EC\_KEY can be constructed by calling EC\_KEY\_new\_by\_curve\_name\_ex() and supplying the nid of the associated curve, the library context to be used _ctx_ (see OSSL\_LIB\_CTX(3)) and any property query string _propq_. The _ctx_ parameter may be NULL in which case the default library context is used. The _propq_ value may also be NULL. See EC\_GROUP\_new(3) for a description of curve names. This function simply wraps calls to EC\_KEY\_new\_ex() and EC\_GROUP\_new\_by\_curve\_name\_ex().

EC\_KEY\_new\_by\_curve\_name() is the same as EC\_KEY\_new\_by\_curve\_name\_ex() except that the default library context is always used and a NULL property query string.

Calling EC\_KEY\_free() decrements the reference count for the EC\_KEY object, and if it has dropped to zero then frees the memory associated with it. If _key_ is NULL nothing is done.

EC\_KEY\_copy() copies the contents of the EC\_KEY in _src_ into _dest_.

EC\_KEY\_dup() creates a new EC\_KEY object and copies _ec\_key_ into it.

EC\_KEY\_up\_ref() increments the reference count associated with the EC\_KEY object.

EC\_KEY\_get0\_engine() returns a handle to the ENGINE that has been set for this EC\_KEY object.

EC\_KEY\_generate\_key() generates a new public and private key for the supplied _eckey_ object. _eckey_ must have an EC\_GROUP object associated with it before calling this function. The private key is a random integer (0 < priv\_key < order, where _order_ is the order of the EC\_GROUP object). The public key is an EC\_POINT on the curve calculated by multiplying the generator for the curve by the private key.

EC\_KEY\_check\_key() performs various sanity checks on the EC\_KEY object to confirm that it is valid.

EC\_KEY\_set\_public\_key\_affine\_coordinates() sets the public key for _key_ based on its affine co-ordinates; i.e., it constructs an EC\_POINT object based on the supplied _x_ and _y_ values and sets the public key to be this EC\_POINT. It also performs certain sanity checks on the key to confirm that it is valid.

The functions EC\_KEY\_get0\_group(), EC\_KEY\_set\_group(), EC\_KEY\_get0\_private\_key(), EC\_KEY\_set\_private\_key(), EC\_KEY\_get0\_public\_key(), and EC\_KEY\_set\_public\_key() get and set the EC\_GROUP object, the private key, and the EC\_POINT public key for the **key** respectively. The function EC\_KEY\_set\_private\_key() accepts NULL as the priv\_key argument to securely clear the private key component from the EC\_KEY.

The functions EC\_KEY\_get\_conv\_form() and EC\_KEY\_set\_conv\_form() get and set the point\_conversion\_form for the _key_. For a description of point\_conversion\_forms please see EC\_POINT\_new(3).

EC\_KEY\_set\_flags() sets the flags in the _flags_ parameter on the EC\_KEY object. Any flags that are already set are left set. The flags currently defined are EC\_FLAG\_NON\_FIPS\_ALLOW and EC\_FLAG\_FIPS\_CHECKED. In addition there is the flag EC\_FLAG\_COFACTOR\_ECDH which is specific to ECDH. EC\_KEY\_get\_flags() returns the current flags that are set for this EC\_KEY. EC\_KEY\_clear\_flags() clears the flags indicated by the _flags_ parameter; all other flags are left in their existing state.

EC\_KEY\_set\_asn1\_flag() sets the asn1\_flag on the underlying EC\_GROUP object (if set). Refer to EC\_GROUP\_copy(3) for further information on the asn1\_flag.

EC\_KEY\_decoded\_from\_explicit\_params() returns 1 if the group of the _key_ was decoded from data with explicitly encoded group parameters, -1 if the _key_ is NULL or the group parameters are missing, and 0 otherwise.

EC\_KEY\_precompute\_mult() stores multiples of the underlying EC\_GROUP generator for faster point multiplication. See also EC\_POINT\_add(3). Modern versions should instead switch to named curves which OpenSSL has hardcoded lookup tables for.

EC\_KEY\_oct2key() and EC\_KEY\_key2buf() are identical to the functions EC\_POINT\_oct2point() and EC\_POINT\_point2buf() except they use the public key EC\_POINT in _eckey_.

EC\_KEY\_oct2priv() and EC\_KEY\_priv2oct() convert between the private key component of _eckey_ and octet form. The octet form consists of the content octets of the _privateKey_ OCTET STRING in an _ECPrivateKey_ ASN.1 structure.

The function EC\_KEY\_priv2oct() must be supplied with a buffer long enough to store the octet form. The return value provides the number of octets stored. Calling the function with a NULL buffer will not perform the conversion but will just return the required buffer length.

The function EC\_KEY\_priv2buf() allocates a buffer of suitable length and writes an EC\_KEY to it in octet format. The allocated buffer is written to _\*pbuf_ and its length is returned. The caller must free up the allocated buffer with a call to OPENSSL\_free(). Since the allocated buffer value is written to _\*pbuf_ the _pbuf_ parameter **MUST NOT** be **NULL**.

EC\_KEY\_priv2buf() converts an EC\_KEY private key into an allocated buffer.

**RETURN VALUES**

EC\_KEY\_new\_ex(), EC\_KEY\_new(), EC\_KEY\_new\_by\_curve\_name\_ex(), EC\_KEY\_new\_by\_curve\_name() and EC\_KEY\_dup() return a pointer to the newly created EC\_KEY object, or NULL on error.

EC\_KEY\_get\_flags() returns the flags associated with the EC\_KEY object as an integer.

EC\_KEY\_copy() returns a pointer to the destination key, or NULL on error.

EC\_KEY\_get0\_engine() returns a pointer to an ENGINE, or NULL if it wasn't set.

EC\_KEY\_up\_ref(), EC\_KEY\_set\_group(), EC\_KEY\_set\_public\_key(), EC\_KEY\_precompute\_mult(), EC\_KEY\_generate\_key(), EC\_KEY\_check\_key(), EC\_KEY\_set\_public\_key\_affine\_coordinates(), EC\_KEY\_oct2key() and EC\_KEY\_oct2priv() return 1 on success or 0 on error.

EC\_KEY\_set\_private\_key() returns 1 on success or 0 on error except when the priv\_key argument is NULL, in that case it returns 0, for legacy compatibility, and should not be treated as an error.

EC\_KEY\_get0\_group() returns the EC\_GROUP associated with the EC\_KEY.

EC\_KEY\_get0\_private\_key() returns the private key associated with the EC\_KEY.

EC\_KEY\_get\_conv\_form() return the point\_conversion\_form for the EC\_KEY.

EC\_KEY\_key2buf(), EC\_KEY\_priv2oct() and EC\_KEY\_priv2buf() return the length of the buffer or 0 on error.

**SEE ALSO**

EVP\_PKEY\_Q\_keygen(3) crypto(7), EC\_GROUP\_new(3), EC\_GROUP\_copy(3), EC\_POINT\_new(3), EC\_POINT\_add(3), EC\_GFp\_simple\_method(3), d2i\_ECPKParameters(3), OSSL\_LIB\_CTX(3)

**HISTORY**

EVP\_EC\_gen() was added in OpenSSL 3.0. All other functions described here were deprecated in OpenSSL 3.0. For replacement see EVP\_PKEY-EC(7).

**COPYRIGHT**

Copyright 2013-2021 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at https://www.openssl.org/source/license.html.

CVE-2022-39828: /docs/manmaster/man3/EC_KEY_set_private_key.html

sign_pFwInfo in Samsung mTower through 0.3.0 has a missing check on the return value of EC_KEY_set_public_key_affine_coordinates, leading to a denial of service.

/\*\* \* @file tools/fwinfogen.c \* @brief . \* \* @copyright Copyright (c) 2019 Samsung Electronics Co., Ltd. All Rights Reserved. \* @author Taras Drozdovskyi t.drozdovsky@samsung.com \* \* Licensed under the Apache License, Version 2.0 (the "License"); \* you may not use this file except in compliance with the License. \* You may obtain a copy of the License at \* \* http://www.apache.org/licenses/LICENSE-2.0 \* \* Unless required by applicable law or agreed to in writing, software \* distributed under the License is distributed on an "AS IS" BASIS, \* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. \* See the License for the specific language governing permissions and \* limitations under the License. \*/ /\* Included Files. \*/ #include <stdio.h\> #include <stdint.h\> #include <stdlib.h\> #include <string.h\> #include <openssl/sha.h\> #include <openssl/ec.h\> // for EC\_GROUP\_new\_by\_curve\_name, EC\_GROUP\_free, EC\_KEY\_new, EC\_KEY\_set\_group, EC\_KEY\_generate\_key, EC\_KEY\_free #include <openssl/ecdsa.h\> // for ECDSA\_do\_sign, ECDSA\_do\_verify #include <openssl/obj\_mac.h\> // for NID\_secp192k1 #include "config.h" //#include "version.h" /\* Pre-processor Definitions. \*/ #define BUILD\_MONTH\_IS\_JAN (\_\_DATE\_\_\[0\] == 'J' && \_\_DATE\_\_\[1\] == 'a' && \_\_DATE\_\_\[2\] == 'n') #define BUILD\_MONTH\_IS\_FEB (\_\_DATE\_\_\[0\] == 'F') #define BUILD\_MONTH\_IS\_MAR (\_\_DATE\_\_\[0\] == 'M' && \_\_DATE\_\_\[1\] == 'a' && \_\_DATE\_\_\[2\] == 'r') #define BUILD\_MONTH\_IS\_APR (\_\_DATE\_\_\[0\] == 'A' && \_\_DATE\_\_\[1\] == 'p') #define BUILD\_MONTH\_IS\_MAY (\_\_DATE\_\_\[0\] == 'M' && \_\_DATE\_\_\[1\] == 'a' && \_\_DATE\_\_\[2\] == 'y') #define BUILD\_MONTH\_IS\_JUN (\_\_DATE\_\_\[0\] == 'J' && \_\_DATE\_\_\[1\] == 'u' && \_\_DATE\_\_\[2\] == 'n') #define BUILD\_MONTH\_IS\_JUL (\_\_DATE\_\_\[0\] == 'J' && \_\_DATE\_\_\[1\] == 'u' && \_\_DATE\_\_\[2\] == 'l') #define BUILD\_MONTH\_IS\_AUG (\_\_DATE\_\_\[0\] == 'A' && \_\_DATE\_\_\[1\] == 'u') #define BUILD\_MONTH\_IS\_SEP (\_\_DATE\_\_\[0\] == 'S') #define BUILD\_MONTH\_IS\_OCT (\_\_DATE\_\_\[0\] == 'O') #define BUILD\_MONTH\_IS\_NOV (\_\_DATE\_\_\[0\] == 'N') #define BUILD\_MONTH\_IS\_DEC (\_\_DATE\_\_\[0\] == 'D') #define BUILD\_MONTH \\ ( \\ (BUILD\_MONTH\_IS\_JAN) ? 1 : \\ (BUILD\_MONTH\_IS\_FEB) ? 2 : \\ (BUILD\_MONTH\_IS\_MAR) ? 3 : \\ (BUILD\_MONTH\_IS\_APR) ? 4 : \\ (BUILD\_MONTH\_IS\_MAY) ? 5 : \\ (BUILD\_MONTH\_IS\_JUN) ? 6 : \\ (BUILD\_MONTH\_IS\_JUL) ? 7 : \\ (BUILD\_MONTH\_IS\_AUG) ? 8 : \\ (BUILD\_MONTH\_IS\_SEP) ? 9 : \\ (BUILD\_MONTH\_IS\_OCT) ? 16 : \\ (BUILD\_MONTH\_IS\_NOV) ? 17 : \\ (BUILD\_MONTH\_IS\_DEC) ? 18 : \\ /\* error default \*/ 0 \\ ) #define BUILD\_DAY\_CH0 ((\_\_DATE\_\_\[4\] >= '0') ? (\_\_DATE\_\_\[4\]) : '0') #define BUILD\_DAY\_CH1 (\_\_DATE\_\_\[ 5\]) #define DATE\_COMPILE (((\_\_DATE\_\_\[7\] - '0') << 28) \\ | (((unsigned int)(\_\_DATE\_\_\[8\] - '0')) << 24) \\ | (((unsigned int)(\_\_DATE\_\_\[9\] - '0')) << 20) \\ | (((unsigned int)(\_\_DATE\_\_\[10\] - '0')) << 16) \\ | (((unsigned int)(BUILD\_MONTH)) << 8) \\ | (((unsigned int)(((\_\_DATE\_\_\[4\] >= '0') ? (\_\_DATE\_\_\[4\]) : '0') - '0')) << 4) \\ | (((unsigned int)\_\_DATE\_\_\[5\] - '0'))) #define BL33\_METADATA\_ADDRESS (0x10080000 - CONFIG\_START\_ADDRESS\_BL33 - 0x8000) /\*\* Instruction Code of "B ." \*/ /\* Private Types. \*/ /\* Any types, enums, structures or unions used by the file are defined here. \*/ /\* typedef for NonSecure callback functions \*/ /\*\* \* @details ECC public key structure \*/ typedef struct { uint32\_t au32Key0\[8\]; /\* 256-bits \*/ uint32\_t au32Key1\[8\]; /\* 256-bits \*/ }\_\_attribute\_\_((packed)) ECC\_PUBKEY\_T; /\*\* \* @details ECC ECDSA signature structure \*/ typedef struct { uint32\_t au32R\[8\]; /\* 256-bits \*/ uint32\_t au32S\[8\]; /\* 256-bits \*/ }\_\_attribute\_\_((packed)) ECDSA\_SIGN\_T; typedef struct { uint32\_t u32Start; /\* 32-bits \*/ uint32\_t u32Size; /\* 32-bits \*/ }\_\_attribute\_\_((packed)) FW\_REGION\_T; typedef struct { uint32\_t u32AuthCFGs; /\* 32-bits \*/ /\* bit\[1:0\]: Reserved bit\[2\]: 1: Info Hash includes PDID / 0: Not include PDID bit\[3\]: 1: Info Hash includes UID / 0: Not include UID bit\[4\]: 1: Info Hash inculdes UICD / 0: Not include UICD bit\[31:5\]: Reserved \*/ uint32\_t u32FwRegionLen; /\* 32-bits \*/ FW\_REGION\_T au32FwRegion\[1\]; /\* (8\*1) bytes \*/ uint32\_t u32ExtInfoLen; /\* 32-bits \*/ uint32\_t au32ExtInfo\[3\]; /\* 12-bytes \*/ }\_\_attribute\_\_((packed)) METADATA\_T; typedef struct { ECC\_PUBKEY\_T pubkey; /\* 64-bytes (256-bits + 256-bits) \*/ METADATA\_T mData; /\* includes authenticate configuration, F/W regions and extend info \*/ uint32\_t au32FwHash\[8\]; /\* 32-bytes (256-bits) \*/ ECDSA\_SIGN\_T sign; /\* 64-bytes (256-bits R + 256-bits S) \*/ }\_\_attribute\_\_((packed)) FW\_INFO\_T; /\*\* \* @details ECC ECDSA key structure \*/ typedef struct { uint8\_t Qx\[32\]; /\* 256-bits \*/ uint8\_t Qy\[32\]; /\* 256-bits \*/ uint8\_t d\[32\]; /\* 256-bits \*/ }\_\_attribute\_\_((packed)) ECC\_KEY\_T; /\* Private Function Prototypes. \*/ /\* Prototypes of all static functions in the file are provided here. \*/ /\* Private Data. \*/ /\* All static data definitions appear here. \*/ /\* Public Data. \*/ /\* All data definitions with global scope appear here. \*/ const char header\[\] = "\\n" "const uint32\_t g\_InitialFWinfo\[\] =\\n" "{\\n" " /\* public key - 64-bytes (256-bits + 256-bits) \*/\\n"; /\* Public Function Prototypes \*/ /\* Private Functions. \*/ void sha256(unsigned char \*data, unsigned int data\_len, unsigned char \*hash) { SHA256\_CTX sha256; SHA256\_Init(&sha256); SHA256\_Update(&sha256, data, data\_len); SHA256\_Final(hash, &sha256); } static int sign\_pFwInfo(FW\_INFO\_T \*pFwInfo, ECC\_KEY\_T \*ecdsa\_key) { int ret = -1; EC\_KEY \*eckey = EC\_KEY\_new(); if (NULL == eckey) { printf("Failed to create new EC Key\\n"); return -1; } EC\_GROUP \*ecgroup = EC\_GROUP\_new\_by\_curve\_name(NID\_X9\_62\_prime256v1); if (NULL == ecgroup) { printf("Failed to create new EC Group\\n"); goto exit; } if (EC\_KEY\_set\_group(eckey, ecgroup) != 1) { printf("Failed to set group for EC Key\\n"); goto exit; } memcpy((void \*) pFwInfo->pubkey.au32Key0, (void \*) ecdsa\_key->Qx, 32); memcpy((void \*) pFwInfo->pubkey.au32Key1, (void \*) ecdsa\_key->Qy, 32); BIGNUM\* x = BN\_bin2bn((void \*) ecdsa\_key->Qx, 32, NULL); BIGNUM\* y = BN\_bin2bn((void \*) ecdsa\_key->Qy, 32, NULL); BIGNUM\* d = BN\_bin2bn((void \*) ecdsa\_key->d, 32, NULL); EC\_KEY\_set\_private\_key(eckey, d); EC\_KEY\_set\_public\_key\_affine\_coordinates(eckey, x, y); uint32\_t au32HeadHash\[8\]; unsigned int u32Size = sizeof(FW\_INFO\_T) - sizeof(ECDSA\_SIGN\_T); sha256((unsigned char \*) pFwInfo, u32Size, (unsigned char \*) au32HeadHash); ECDSA\_SIG \*signature = ECDSA\_do\_sign((unsigned char \*) au32HeadHash, u32Size, eckey); if (NULL == signature) { printf("Failed to generate EC Signature\\n"); } else { if (ECDSA\_do\_verify((unsigned char \*) au32HeadHash, u32Size, signature, eckey) != 1) { printf("Failed to verify EC Signature\\n"); } else { BIGNUM \*r, \*s; #if OPENSSL\_VERSION\_NUMBER >= 0x10100000L ECDSA\_SIG\_get0(signature, &r, &s); #else r = signature->r; s = signature->s; #endif // printf("d: %s\\n", BN\_bn2hex(d)); // printf("X: %s\\n", BN\_bn2hex(x)); // printf("Y: %s\\n", BN\_bn2hex(y)); // printf("R: %s\\n", BN\_bn2hex(r)); // printf("S: %s\\n", BN\_bn2hex(s)); BN\_bn2bin(r, (unsigned char \*) pFwInfo->sign.au32R); BN\_bn2bin(s, (unsigned char \*) pFwInfo->sign.au32S); BN\_free(x); BN\_free(y); BN\_free(d); BN\_free(r); BN\_free(s); } } ret = 0; exit: EC\_GROUP\_free(ecgroup); EC\_KEY\_free(eckey); return ret; } int getFileSize(const char \*filename) { int size = -1; FILE\* fd = fopen(filename, "rb"); if (!fd) { printf("Failed to open file: %s\\n",filename); return -1; } /\* Get file size \*/ if (fseek(fd, 0, SEEK\_END) != 0) { printf("Unable to get '%s' file size\\n", filename); goto exit; } size = ftell(fd); if (size < 0) { printf("Stream doesn't support '%s' file positioning\\n", filename); goto exit; } // rewind(fd); exit: fclose(fd); return size; } #ifdef CONFIG\_BOOTLOADER2 /\*\* \* @brief printFwInfo - . \* \* @param pFwInfo \[in/out\] A pointer to jar file name string. \* \* @returns 0 on success or error code on failure. \*/ void printFwInfo(FW\_INFO\_T \*pFwInfo) { printf("%s", header); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x,\\n", pFwInfo->pubkey.au32Key0\[0\], pFwInfo->pubkey.au32Key0\[1\], pFwInfo->pubkey.au32Key0\[2\], pFwInfo->pubkey.au32Key0\[3\]); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x,\\n", pFwInfo->pubkey.au32Key0\[4\], pFwInfo->pubkey.au32Key0\[5\], pFwInfo->pubkey.au32Key0\[6\], pFwInfo->pubkey.au32Key0\[7\]); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x,\\n", pFwInfo->pubkey.au32Key1\[0\], pFwInfo->pubkey.au32Key1\[1\], pFwInfo->pubkey.au32Key1\[2\], pFwInfo->pubkey.au32Key1\[3\]); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x,\\n", pFwInfo->pubkey.au32Key1\[4\], pFwInfo->pubkey.au32Key1\[5\], pFwInfo->pubkey.au32Key1\[6\], pFwInfo->pubkey.au32Key1\[7\]); printf("\\n"); printf( " /\* metadata data - includes Mode selection, F/W region and Extend info \*/\\n"); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x, // 0x00020000: NuBL32 F/W base\\n", pFwInfo->mData.u32AuthCFGs, pFwInfo->mData.u32FwRegionLen, pFwInfo->mData.au32FwRegion\[0\].u32Start, pFwInfo->mData.au32FwRegion\[0\].u32Size); printf( " 0x%08x, 0x%08x, 0x%08x, 0x%08x, // 0x20180824/0x00001111/0x22223333: Extend info\\n", pFwInfo->mData.u32ExtInfoLen, pFwInfo->mData.au32ExtInfo\[0\], pFwInfo->mData.au32ExtInfo\[1\], pFwInfo->mData.au32ExtInfo\[2\]); printf("\\n"); printf(" /\* FW hash - 32-bytes (256-bits) \*/\\n"); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x,\\n", pFwInfo->au32FwHash\[0\], pFwInfo->au32FwHash\[1\], pFwInfo->au32FwHash\[2\], pFwInfo->au32FwHash\[3\]); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x,\\n", pFwInfo->au32FwHash\[4\], pFwInfo->au32FwHash\[5\], pFwInfo->au32FwHash\[6\], pFwInfo->au32FwHash\[7\]); printf("\\n"); printf(" /\* FwInfo signature - 64-bytes (256-bits R + 256-bits S) \*/\\n"); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x,\\n", pFwInfo->sign.au32R\[0\], pFwInfo->sign.au32R\[1\], pFwInfo->sign.au32R\[2\], pFwInfo->sign.au32R\[3\]); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x,\\n", pFwInfo->sign.au32R\[4\], pFwInfo->sign.au32R\[5\], pFwInfo->sign.au32R\[6\], pFwInfo->sign.au32R\[7\]); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x,\\n", pFwInfo->sign.au32S\[0\], pFwInfo->sign.au32S\[1\], pFwInfo->sign.au32S\[2\], pFwInfo->sign.au32S\[3\]); printf(" 0x%08x, 0x%08x, 0x%08x, 0x%08x,\\n", pFwInfo->sign.au32S\[4\], pFwInfo->sign.au32S\[5\], pFwInfo->sign.au32S\[6\], pFwInfo->sign.au32S\[7\]); printf("};\\n"); } #endif /\*\* \* @brief main - entry point of mTower: secure world. \* \* @param None \* \* @returns None (function is not supposed to return) \*/ int main(int argc, char\*\* argv) { unsigned char \*buf = NULL; int ret = -1; FILE\* fd; int img\_size = 0; #ifdef CONFIG\_BOOTLOADER2 ECC\_KEY\_T ecdsa\_key; FW\_INFO\_T pFwInfo; pFwInfo.mData.u32AuthCFGs = 0x00000001; pFwInfo.mData.u32FwRegionLen = 0x00000008; pFwInfo.mData.au32FwRegion\[0\].u32Start = CONFIG\_START\_ADDRESS\_BL32; pFwInfo.mData.au32FwRegion\[0\].u32Size = 0x00000000; pFwInfo.mData.u32ExtInfoLen = 0x0000000c; pFwInfo.mData.au32ExtInfo\[0\] = DATE\_COMPILE; pFwInfo.mData.au32ExtInfo\[1\] = 0x00001111; pFwInfo.mData.au32ExtInfo\[2\] = 0x22223333; #endif if (argc != 7) { printf("Not enough input parameters for %s\\n", argv\[0\]); return -1; } buf = malloc(1024 \* 256); if (buf == NULL) { printf("Allocation memory error\\n"); goto exit; } memset((void \*) buf, 0, 1024 \* 256); //////////////////////////////////////////////////////////////// // mtower\_s.bin //////////////////////////////////////////////////////////////// #ifdef CONFIG\_BOOTLOADER2 int32\_t size\_bl2; if((size\_bl2 = getFileSize(argv\[1\])) < 0) { return -1; } fd = fopen(argv\[1\], "rb"); if (!fd) { printf("Failed to open file: %s\\n",argv\[1\]); return -1; } if (fread(buf, 1, (size\_t) size\_bl2, fd) != (size\_t) size\_bl2) { free(buf); goto exit; } fclose(fd); #endif #ifdef CONFIG\_BOOTLOADER32 int32\_t size\_bl32; if((size\_bl32 = getFileSize(argv\[2\])) < 0) { return -1; } fd = fopen(argv\[2\], "rb"); if (!fd) { printf("Failed to open file: %s\\n",argv\[2\]); goto exit; } if (fread(buf + CONFIG\_START\_ADDRESS\_BL32, 1, (size\_t) size\_bl32, fd) != (size\_t) size\_bl32) { free(buf); goto exit; } fclose(fd); img\_size = size\_bl32; #endif #ifdef CONFIG\_BOOTLOADER2 sha256(buf + CONFIG\_START\_ADDRESS\_BL32, size\_bl32, (unsigned char \*) &pFwInfo.au32FwHash); pFwInfo.mData.au32FwRegion\[0\].u32Size = size\_bl32; fd = fopen(argv\[4\], "rb"); if (!fd) { printf("Failed to open file: %s\\n",argv\[4\]); goto exit; } if (fread((unsigned char \*) &ecdsa\_key, sizeof(char), sizeof(ECC\_KEY\_T), fd) != sizeof(ECC\_KEY\_T)) { return -1; } fclose(fd); sign\_pFwInfo(&pFwInfo, &ecdsa\_key); memcpy(buf + 0x00038000, (unsigned char \*) &pFwInfo, sizeof(FW\_INFO\_T)); img\_size = 0x00038000 + sizeof(FW\_INFO\_T); #endif fd = fopen(argv\[3\], "wb"); if (!fd) { printf("Failed to open file: %s\\n",argv\[3\]); goto exit; } if (fwrite(buf, sizeof(char), (size\_t) img\_size, fd) != (size\_t) img\_size) { free(buf); goto exit; } #ifdef CONFIG\_BOOTLOADER2 printf("\\n\\tSecure firmware info\\n"); printFwInfo(&pFwInfo); #endif //////////////////////////////////////////////////////////////// // mtower\_ns.bin //////////////////////////////////////////////////////////////// #ifdef CONFIG\_BOOTLOADER33 memset((void \*) buf, 0, 1024 \* 256); int32\_t size\_bl33; if((size\_bl33 = getFileSize(argv\[5\])) < 0) { return -1; } fd = fopen(argv\[5\], "rb"); if (!fd) { printf("Failed to open file: %s\\n",argv\[5\]); goto exit; } if (fread(buf, 1, (size\_t) size\_bl33, fd) != (size\_t) size\_bl33) { goto exit; } fclose(fd); img\_size = size\_bl33; #ifdef CONFIG\_BOOTLOADER2 sha256(buf, size\_bl33, (unsigned char \*) &pFwInfo.au32FwHash); pFwInfo.mData.au32FwRegion\[0\].u32Start = CONFIG\_START\_ADDRESS\_BL33; pFwInfo.mData.au32FwRegion\[0\].u32Size = size\_bl33; sign\_pFwInfo(&pFwInfo, &ecdsa\_key); memcpy(buf + BL33\_METADATA\_ADDRESS, (unsigned char \*) &pFwInfo, sizeof(FW\_INFO\_T)); img\_size = BL33\_METADATA\_ADDRESS + sizeof(FW\_INFO\_T); #endif fd = fopen(argv\[6\], "wb"); if (!fd) { printf("Failed to open file: %s\\n",argv\[6\]); goto exit; } if (fwrite(buf, sizeof(char), (size\_t) img\_size, fd) != (size\_t) img\_size) { goto exit; } #endif ret = 0; exit: free(buf); fclose(fd); #ifdef CONFIG\_BOOTLOADER2 printf("\\n\\tNon-secure firmware info\\n"); printFwInfo(&pFwInfo); #endif return ret; }

CVE-2022-39830: mTower/fwinfogen.c at 18f4b592a8a973ce5972f4e2658ea0f6e3686284 · Samsung/mTower

South Korean chaebol Samsung on Friday said it experienced a cybersecurity incident that resulted in the unauthorized access of some customer information, the second time this year it has reported such a breach.
"In late July 2022, an unauthorized third-party acquired information from some of Samsung's U.S. systems," the company disclosed in a notice. "On or around August 4, 2022, we determined

South Korean chaebol Samsung on Friday said it experienced a cybersecurity incident that resulted in the unauthorized access of some customer information, the second time this year it has reported such a breach.

"In late July 2022, an unauthorized third-party acquired information from some of Samsung's U.S. systems," the company disclosed in a notice. "On or around August 4, 2022, we determined through our ongoing investigation that personal information of certain customers was affected."

Samsung said the infiltration enabled hackers to access certain data such as names, contact and demographic information, dates of birth, and product registration details.

It stressed that the incident did not affect users' Social Security numbers or credit and debit card numbers, but noted the information leaked for each relevant customer may vary.

The collected information is necessary to help the company deliver the best experience with its products and services, it added. It's unclear how many customers were affected or who was behind the hack, and why it took almost a month for the company to divulge the breach.

Aside from notifying users about the security event, Samsung stated it has taken steps to secure the impacted systems and engaged an outside cybersecurity firm to lead the response efforts.

Furthermore, it's urging users to be on guard against potential social engineering attempts, avoid clicking on links or opening attachments from unknown senders, and review their accounts for potentially suspicious activity.

The announcement comes less than six months after Samsung confirmed a similar incident. In March 2022, it revealed that internal data, including the source code related to its Galaxy smartphones, was leaked in the aftermath of an attack staged by the LAPSUS$ extortion gang.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Samsung Admits Data Breach that Exposed Details of Some U.S. Customers

wolfSSL through 5.0.0 allows an attacker to cause a denial of service and infinite loop in the client component by sending crafted traffic from a Machine-in-the-Middle (MITM) position. The root cause is that the client module accepts TLS messages that normally are only sent to TLS servers.

CVE-2021-44718: wolfSSL Security Vulnerabilities | wolfSSL Embedded SSL/TLS Library

Samsung Electronics mTower v0.3.0 and earlier was discovered to contain a NULL pointer dereference via the function TEE_GetObjectInfo1.

CVE-2022-36622: mTower/tee_svc.c at 18f4b592a8a973ce5972f4e2658ea0f6e3686284 · Samsung/mTower

Samsung Electronics mTower v0.3.0 and earlier was discovered to contain a NULL pointer dereference via the function TEE_AllocateTransientObject.

// SPDX-License-Identifier: BSD-2-Clause /\* \* Copyright (c) 2014, STMicroelectronics International N.V. \* All rights reserved. \* \* Redistribution and use in source and binary forms, with or without \* modification, are permitted provided that the following conditions are met: \* \* 1. Redistributions of source code must retain the above copyright notice, \* this list of conditions and the following disclaimer. \* \* 2. Redistributions in binary form must reproduce the above copyright notice, \* this list of conditions and the following disclaimer in the documentation \* and/or other materials provided with the distribution. \* \* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" \* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE \* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE \* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE \* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR \* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF \* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS \* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN \* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) \* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE \* POSSIBILITY OF SUCH DAMAGE. \*/ #include <stdlib.h\> #include <string.h\> #include <tee\_api.h\> #include <utee\_syscalls.h\> //#include "tee\_api\_private.h" #include "utee\_types.h" #define TEE\_USAGE\_DEFAULT 0xffffffff #define TEE\_ATTR\_BIT\_VALUE (1 << 29) #define TEE\_ATTR\_BIT\_PROTECTED (1 << 28) void \_\_utee\_from\_attr(struct utee\_attribute \*ua, const TEE\_Attribute \*attrs, uint32\_t attr\_count) { size\_t n; for (n = 0; n < attr\_count; n++) { ua\[n\].attribute\_id = attrs\[n\].attributeID; if (attrs\[n\].attributeID & TEE\_ATTR\_BIT\_VALUE) { ua\[n\].a = attrs\[n\].content.value.a; ua\[n\].b = attrs\[n\].content.value.b; } else { ua\[n\].a = (uintptr\_t)attrs\[n\].content.ref.buffer; ua\[n\].b = attrs\[n\].content.ref.length; } } } /\* Data and Key Storage API - Generic Object Functions \*/ /\* \* Use of this function is deprecated \* new code SHOULD use the TEE\_GetObjectInfo1 function instead \* These functions will be removed at some future major revision of \* this specification \*/ void TEE\_GetObjectInfo(TEE\_ObjectHandle object, TEE\_ObjectInfo \*objectInfo) { TEE\_Result res; res = utee\_cryp\_obj\_get\_info((unsigned long)object, objectInfo); if (res != TEE\_SUCCESS) TEE\_Panic(res); if (objectInfo->objectType == TEE\_TYPE\_CORRUPTED\_OBJECT) { objectInfo->keySize = 0; objectInfo->maxKeySize = 0; objectInfo->objectUsage = 0; objectInfo->dataSize = 0; objectInfo->dataPosition = 0; objectInfo->handleFlags = 0; } } TEE\_Result TEE\_GetObjectInfo1(TEE\_ObjectHandle object, TEE\_ObjectInfo \*objectInfo) { TEE\_Result res; res = utee\_cryp\_obj\_get\_info((unsigned long)object, objectInfo); if (res != TEE\_SUCCESS && res != TEE\_ERROR\_CORRUPT\_OBJECT && res != TEE\_ERROR\_STORAGE\_NOT\_AVAILABLE) TEE\_Panic(res); return res; } /\* \* Use of this function is deprecated \* new code SHOULD use the TEE\_RestrictObjectUsage1 function instead \* These functions will be removed at some future major revision of \* this specification \*/ void TEE\_RestrictObjectUsage(TEE\_ObjectHandle object, uint32\_t objectUsage) { TEE\_Result res; TEE\_ObjectInfo objectInfo; res = utee\_cryp\_obj\_get\_info((unsigned long)object, &objectInfo); if (objectInfo.objectType == TEE\_TYPE\_CORRUPTED\_OBJECT) return; res = TEE\_RestrictObjectUsage1(object, objectUsage); if (res != TEE\_SUCCESS) TEE\_Panic(res); } TEE\_Result TEE\_RestrictObjectUsage1(TEE\_ObjectHandle object, uint32\_t objectUsage) { TEE\_Result res; res = utee\_cryp\_obj\_restrict\_usage((unsigned long)object, objectUsage); if (res != TEE\_SUCCESS && res != TEE\_ERROR\_CORRUPT\_OBJECT && res != TEE\_ERROR\_STORAGE\_NOT\_AVAILABLE) TEE\_Panic(res); return res; } TEE\_Result TEE\_GetObjectBufferAttribute(TEE\_ObjectHandle object, uint32\_t attributeID, void \*buffer, uint32\_t \*size) { TEE\_Result res; TEE\_ObjectInfo info; uint64\_t sz; res = utee\_cryp\_obj\_get\_info((unsigned long)object, &info); if (res != TEE\_SUCCESS) goto exit; /\* This function only supports reference attributes \*/ if ((attributeID & TEE\_ATTR\_BIT\_VALUE)) { res = TEE\_ERROR\_BAD\_PARAMETERS; goto exit; } sz = \*size; res = utee\_cryp\_obj\_get\_attr((unsigned long)object, attributeID, buffer, &sz); \*size = sz; exit: if (res != TEE\_SUCCESS && res != TEE\_ERROR\_ITEM\_NOT\_FOUND && res != TEE\_ERROR\_SHORT\_BUFFER && res != TEE\_ERROR\_CORRUPT\_OBJECT && res != TEE\_ERROR\_STORAGE\_NOT\_AVAILABLE) TEE\_Panic(res); return res; } TEE\_Result TEE\_GetObjectValueAttribute(TEE\_ObjectHandle object, uint32\_t attributeID, uint32\_t \*a, uint32\_t \*b) { TEE\_Result res; TEE\_ObjectInfo info; uint32\_t buf\[2\]; uint64\_t size = sizeof(buf); res = utee\_cryp\_obj\_get\_info((unsigned long)object, &info); if (res != TEE\_SUCCESS) goto exit; /\* This function only supports value attributes \*/ if (!(attributeID & TEE\_ATTR\_BIT\_VALUE)) { res = TEE\_ERROR\_BAD\_PARAMETERS; goto exit; } res = utee\_cryp\_obj\_get\_attr((unsigned long)object, attributeID, buf, &size); exit: if (res != TEE\_SUCCESS && res != TEE\_ERROR\_ITEM\_NOT\_FOUND && res != TEE\_ERROR\_CORRUPT\_OBJECT && res != TEE\_ERROR\_STORAGE\_NOT\_AVAILABLE) TEE\_Panic(res); if (size != sizeof(buf)) TEE\_Panic(0); if (res == TEE\_SUCCESS) { if (a) \*a = buf\[0\]; if (b) \*b = buf\[1\]; } return res; } void TEE\_CloseObject(TEE\_ObjectHandle object) { TEE\_Result res; if (object == TEE\_HANDLE\_NULL) return; res = utee\_cryp\_obj\_close((unsigned long)object); if (res != TEE\_SUCCESS) TEE\_Panic(res); } /\* Data and Key Storage API - Transient Object Functions \*/ TEE\_Result TEE\_AllocateTransientObject(TEE\_ObjectType objectType, uint32\_t maxKeySize, TEE\_ObjectHandle \*object) { TEE\_Result res; uint32\_t obj; res = utee\_cryp\_obj\_alloc(objectType, maxKeySize, &obj); if (res != TEE\_SUCCESS && res != TEE\_ERROR\_OUT\_OF\_MEMORY && res != TEE\_ERROR\_NOT\_SUPPORTED) TEE\_Panic(res); if (res == TEE\_SUCCESS) \*object = (TEE\_ObjectHandle)(uintptr\_t)obj; return res; } void TEE\_FreeTransientObject(TEE\_ObjectHandle object) { TEE\_Result res; TEE\_ObjectInfo info; if (object == TEE\_HANDLE\_NULL) return; res = utee\_cryp\_obj\_get\_info((unsigned long)object, &info); if (res != TEE\_SUCCESS) TEE\_Panic(res); if ((info.handleFlags & TEE\_HANDLE\_FLAG\_PERSISTENT) != 0) TEE\_Panic(0); res = utee\_cryp\_obj\_close((unsigned long)object); if (res != TEE\_SUCCESS) TEE\_Panic(res); } void TEE\_ResetTransientObject(TEE\_ObjectHandle object) { TEE\_Result res; TEE\_ObjectInfo info; if (object == TEE\_HANDLE\_NULL) return; res = utee\_cryp\_obj\_get\_info((unsigned long)object, &info); if (res != TEE\_SUCCESS) TEE\_Panic(res); if ((info.handleFlags & TEE\_HANDLE\_FLAG\_PERSISTENT) != 0) TEE\_Panic(0); res = utee\_cryp\_obj\_reset((unsigned long)object); if (res != TEE\_SUCCESS) TEE\_Panic(res); } TEE\_Result TEE\_PopulateTransientObject(TEE\_ObjectHandle object, const TEE\_Attribute \*attrs, uint32\_t attrCount) { TEE\_Result res; TEE\_ObjectInfo info; struct utee\_attribute ua\[attrCount\]; res = utee\_cryp\_obj\_get\_info((unsigned long)object, &info); if (res != TEE\_SUCCESS) TEE\_Panic(res); /\* Must be a transient object \*/ if ((info.handleFlags & TEE\_HANDLE\_FLAG\_PERSISTENT) != 0) TEE\_Panic(0); /\* Must not be initialized already \*/ if ((info.handleFlags & TEE\_HANDLE\_FLAG\_INITIALIZED) != 0) TEE\_Panic(0); \_\_utee\_from\_attr(ua, attrs, attrCount); res = utee\_cryp\_obj\_populate((unsigned long)object, ua, attrCount); if (res != TEE\_SUCCESS && res != TEE\_ERROR\_BAD\_PARAMETERS) TEE\_Panic(res); return res; } void TEE\_InitRefAttribute(TEE\_Attribute \*attr, uint32\_t attributeID, const void \*buffer, uint32\_t length) { if (attr == NULL) TEE\_Panic(0); if ((attributeID & TEE\_ATTR\_BIT\_VALUE) != 0) TEE\_Panic(0); attr->attributeID = attributeID; attr->content.ref.buffer = (void \*)buffer; attr->content.ref.length = length; } void TEE\_InitValueAttribute(TEE\_Attribute \*attr, uint32\_t attributeID, uint32\_t a, uint32\_t b) { if (attr == NULL) TEE\_Panic(0); if ((attributeID & TEE\_ATTR\_BIT\_VALUE) == 0) TEE\_Panic(0); attr->attributeID = attributeID; attr->content.value.a = a; attr->content.value.b = b; } /\* \* Use of this function is deprecated \* new code SHOULD use the TEE\_CopyObjectAttributes1 function instead \* These functions will be removed at some future major revision of \* this specification \*/ void TEE\_CopyObjectAttributes(TEE\_ObjectHandle destObject, TEE\_ObjectHandle srcObject) { TEE\_Result res; TEE\_ObjectInfo src\_info; res = utee\_cryp\_obj\_get\_info((unsigned long)srcObject, &src\_info); if (src\_info.objectType == TEE\_TYPE\_CORRUPTED\_OBJECT) return; res = TEE\_CopyObjectAttributes1(destObject, srcObject); if (res != TEE\_SUCCESS) TEE\_Panic(res); } TEE\_Result TEE\_CopyObjectAttributes1(TEE\_ObjectHandle destObject, TEE\_ObjectHandle srcObject) { TEE\_Result res; TEE\_ObjectInfo dst\_info; TEE\_ObjectInfo src\_info; res = utee\_cryp\_obj\_get\_info((unsigned long)destObject, &dst\_info); if (res != TEE\_SUCCESS) goto exit; res = utee\_cryp\_obj\_get\_info((unsigned long)srcObject, &src\_info); if (res != TEE\_SUCCESS) goto exit; if (!(src\_info.handleFlags & TEE\_HANDLE\_FLAG\_INITIALIZED)) TEE\_Panic(0); if ((dst\_info.handleFlags & TEE\_HANDLE\_FLAG\_PERSISTENT)) TEE\_Panic(0); if ((dst\_info.handleFlags & TEE\_HANDLE\_FLAG\_INITIALIZED)) TEE\_Panic(0); res = utee\_cryp\_obj\_copy((unsigned long)destObject, (unsigned long)srcObject); exit: if (res != TEE\_SUCCESS && res != TEE\_ERROR\_CORRUPT\_OBJECT && res != TEE\_ERROR\_STORAGE\_NOT\_AVAILABLE) TEE\_Panic(res); return res; } TEE\_Result TEE\_GenerateKey(TEE\_ObjectHandle object, uint32\_t keySize, const TEE\_Attribute \*params, uint32\_t paramCount) { TEE\_Result res; struct utee\_attribute ua\[paramCount\]; \_\_utee\_from\_attr(ua, params, paramCount); res = utee\_cryp\_obj\_generate\_key((unsigned long)object, keySize, ua, paramCount); if (res != TEE\_SUCCESS && res != TEE\_ERROR\_BAD\_PARAMETERS) TEE\_Panic(res); return res; } /\* Data and Key Storage API - Persistent Object Functions \*/ TEE\_Result TEE\_OpenPersistentObject(uint32\_t storageID, const void \*objectID, uint32\_t objectIDLen, uint32\_t flags, TEE\_ObjectHandle \*object) { TEE\_Result res; uint32\_t obj; if (!objectID) { res = TEE\_ERROR\_ITEM\_NOT\_FOUND; goto out; } if (objectIDLen > TEE\_OBJECT\_ID\_MAX\_LEN) { res = TEE\_ERROR\_BAD\_PARAMETERS; goto out; } if (!object) { res = TEE\_ERROR\_BAD\_PARAMETERS; goto out; } res = utee\_storage\_obj\_open(storageID, objectID, objectIDLen, flags, &obj); if (res == TEE\_SUCCESS) \*object = (TEE\_ObjectHandle)(uintptr\_t)obj; out: if (res != TEE\_SUCCESS && res != TEE\_ERROR\_ITEM\_NOT\_FOUND && res != TEE\_ERROR\_ACCESS\_CONFLICT && res != TEE\_ERROR\_OUT\_OF\_MEMORY && res != TEE\_ERROR\_CORRUPT\_OBJECT && res != TEE\_ERROR\_STORAGE\_NOT\_AVAILABLE) TEE\_Panic(res); return res; } TEE\_Result TEE\_CreatePersistentObject(uint32\_t storageID, const void \*objectID, uint32\_t objectIDLen, uint32\_t flags, TEE\_ObjectHandle attributes, const void \*initialData, uint32\_t initialDataLen, TEE\_ObjectHandle \*object) { TEE\_Result res; uint32\_t obj; if (!objectID) { res = TEE\_ERROR\_ITEM\_NOT\_FOUND; goto err; } if (objectIDLen > TEE\_OBJECT\_ID\_MAX\_LEN) { res = TEE\_ERROR\_BAD\_PARAMETERS; goto err; } res = utee\_storage\_obj\_create(storageID, objectID, objectIDLen, flags, (unsigned long)attributes, initialData, initialDataLen, &obj); if (res == TEE\_SUCCESS) { if (object) \*object = (TEE\_ObjectHandle)(uintptr\_t)obj; else res = utee\_cryp\_obj\_close(obj); if (res == TEE\_SUCCESS) goto out; } err: if (object) \*object = TEE\_HANDLE\_NULL; if (res == TEE\_ERROR\_ITEM\_NOT\_FOUND || res == TEE\_ERROR\_ACCESS\_CONFLICT || res == TEE\_ERROR\_OUT\_OF\_MEMORY || res == TEE\_ERROR\_STORAGE\_NO\_SPACE || res == TEE\_ERROR\_CORRUPT\_OBJECT || res == TEE\_ERROR\_STORAGE\_NOT\_AVAILABLE) return res; TEE\_Panic(res); out: return TEE\_SUCCESS; } /\* \* Use of this function is deprecated \* new code SHOULD use the TEE\_CloseAndDeletePersistentObject1 function instead \* These functions will be removed at some future major revision of \* this specification \*/ void TEE\_CloseAndDeletePersistentObject(TEE\_ObjectHandle object) { TEE\_Result res; if (object == TEE\_HANDLE\_NULL) return; res = TEE\_CloseAndDeletePersistentObject1(object); if (res != TEE\_SUCCESS) TEE\_Panic(0); } TEE\_Result TEE\_CloseAndDeletePersistentObject1(TEE\_ObjectHandle object) { TEE\_Result res; if (object == TEE\_HANDLE\_NULL) return TEE\_ERROR\_STORAGE\_NOT\_AVAILABLE; res = utee\_storage\_obj\_del((unsigned long)object); if (res != TEE\_SUCCESS && res != TEE\_ERROR\_STORAGE\_NOT\_AVAILABLE) TEE\_Panic(res); return res; } TEE\_Result TEE\_RenamePersistentObject(TEE\_ObjectHandle object, const void \*newObjectID, uint32\_t newObjectIDLen) { TEE\_Result res; if (object == TEE\_HANDLE\_NULL) { res = TEE\_ERROR\_ITEM\_NOT\_FOUND; goto out; } if (!newObjectID) { res = TEE\_ERROR\_BAD\_PARAMETERS; goto out; } if (newObjectIDLen > TEE\_OBJECT\_ID\_MAX\_LEN) { res = TEE\_ERROR\_BAD\_PARAMETERS; goto out; } res = utee\_storage\_obj\_rename((unsigned long)object, newObjectID, newObjectIDLen); out: if (res != TEE\_SUCCESS && res != TEE\_ERROR\_ACCESS\_CONFLICT && res != TEE\_ERROR\_CORRUPT\_OBJECT && res != TEE\_ERROR\_STORAGE\_NOT\_AVAILABLE) TEE\_Panic(res); return res; } TEE\_Result TEE\_AllocatePersistentObjectEnumerator(TEE\_ObjectEnumHandle \* objectEnumerator) { TEE\_Result res; uint32\_t oe; if (!objectEnumerator) return TEE\_ERROR\_BAD\_PARAMETERS; res = utee\_storage\_alloc\_enum(&oe); if (res != TEE\_SUCCESS) oe = TEE\_HANDLE\_NULL; \*objectEnumerator = (TEE\_ObjectEnumHandle)(uintptr\_t)oe; if (res != TEE\_SUCCESS && res != TEE\_ERROR\_ACCESS\_CONFLICT) TEE\_Panic(res); return res; } void TEE\_FreePersistentObjectEnumerator(TEE\_ObjectEnumHandle objectEnumerator) { TEE\_Result res; if (objectEnumerator == TEE\_HANDLE\_NULL) return; res = utee\_storage\_free\_enum((unsigned long)objectEnumerator); if (res != TEE\_SUCCESS) TEE\_Panic(res); } void TEE\_ResetPersistentObjectEnumerator(TEE\_ObjectEnumHandle objectEnumerator) { TEE\_Result res; if (objectEnumerator == TEE\_HANDLE\_NULL) return; res = utee\_storage\_reset\_enum((unsigned long)objectEnumerator); if (res != TEE\_SUCCESS) TEE\_Panic(res); } TEE\_Result TEE\_StartPersistentObjectEnumerator(TEE\_ObjectEnumHandle objectEnumerator, uint32\_t storageID) { TEE\_Result res; res = utee\_storage\_start\_enum((unsigned long)objectEnumerator, storageID); if (res != TEE\_SUCCESS && res != TEE\_ERROR\_ITEM\_NOT\_FOUND && res != TEE\_ERROR\_CORRUPT\_OBJECT && res != TEE\_ERROR\_STORAGE\_NOT\_AVAILABLE) TEE\_Panic(res); return res; } TEE\_Result TEE\_GetNextPersistentObject(TEE\_ObjectEnumHandle objectEnumerator, TEE\_ObjectInfo \*objectInfo, void \*objectID, uint32\_t \*objectIDLen) { TEE\_Result res; uint64\_t len; TEE\_ObjectInfo local\_info; TEE\_ObjectInfo \*pt\_info; if (!objectID) { res = TEE\_ERROR\_BAD\_PARAMETERS; goto out; } if (!objectIDLen) { res = TEE\_ERROR\_BAD\_PARAMETERS; goto out; } if (objectInfo) pt\_info = objectInfo; else pt\_info = &local\_info; len = \*objectIDLen; res = utee\_storage\_next\_enum((unsigned long)objectEnumerator, pt\_info, objectID, &len); \*objectIDLen = len; out: if (res != TEE\_SUCCESS && res != TEE\_ERROR\_ITEM\_NOT\_FOUND && res != TEE\_ERROR\_CORRUPT\_OBJECT && res != TEE\_ERROR\_STORAGE\_NOT\_AVAILABLE) TEE\_Panic(res); return res; } /\* Data and Key Storage API - Data Stream Access Functions \*/ TEE\_Result TEE\_ReadObjectData(TEE\_ObjectHandle object, void \*buffer, uint32\_t size, uint32\_t \*count) { TEE\_Result res; uint64\_t cnt64; if (object == TEE\_HANDLE\_NULL) { res = TEE\_ERROR\_BAD\_PARAMETERS; goto out; } cnt64 = \*count; res = utee\_storage\_obj\_read((unsigned long)object, buffer, size, &cnt64); \*count = cnt64; out: if (res != TEE\_SUCCESS && res != TEE\_ERROR\_CORRUPT\_OBJECT && res != TEE\_ERROR\_STORAGE\_NOT\_AVAILABLE) TEE\_Panic(res); return res; } TEE\_Result TEE\_WriteObjectData(TEE\_ObjectHandle object, const void \*buffer, uint32\_t size) { TEE\_Result res; if (object == TEE\_HANDLE\_NULL) { res = TEE\_ERROR\_BAD\_PARAMETERS; goto out; } if (size > TEE\_DATA\_MAX\_POSITION) { res = TEE\_ERROR\_OVERFLOW; goto out; } res = utee\_storage\_obj\_write((unsigned long)object, buffer, size); out: if (res != TEE\_SUCCESS && res != TEE\_ERROR\_STORAGE\_NO\_SPACE && res != TEE\_ERROR\_OVERFLOW && res != TEE\_ERROR\_CORRUPT\_OBJECT && res != TEE\_ERROR\_STORAGE\_NOT\_AVAILABLE) TEE\_Panic(res); return res; } TEE\_Result TEE\_TruncateObjectData(TEE\_ObjectHandle object, uint32\_t size) { TEE\_Result res; if (object == TEE\_HANDLE\_NULL) { res = TEE\_ERROR\_BAD\_PARAMETERS; goto out; } res = utee\_storage\_obj\_trunc((unsigned long)object, size); out: if (res != TEE\_SUCCESS && res != TEE\_ERROR\_STORAGE\_NO\_SPACE && res != TEE\_ERROR\_CORRUPT\_OBJECT && res != TEE\_ERROR\_STORAGE\_NOT\_AVAILABLE) TEE\_Panic(res); return res; } TEE\_Result TEE\_SeekObjectData(TEE\_ObjectHandle object, int32\_t offset, TEE\_Whence whence) { TEE\_Result res; TEE\_ObjectInfo info; if (object == TEE\_HANDLE\_NULL) { res = TEE\_ERROR\_BAD\_PARAMETERS; goto out; } res = utee\_cryp\_obj\_get\_info((unsigned long)object, &info); if (res != TEE\_SUCCESS) goto out; switch (whence) { case TEE\_DATA\_SEEK\_SET: if (offset > 0 && (uint32\_t)offset > TEE\_DATA\_MAX\_POSITION) { res = TEE\_ERROR\_OVERFLOW; goto out; } break; case TEE\_DATA\_SEEK\_CUR: if (offset > 0 && ((uint32\_t)offset + info.dataPosition > TEE\_DATA\_MAX\_POSITION || (uint32\_t)offset + info.dataPosition < info.dataPosition)) { res = TEE\_ERROR\_OVERFLOW; goto out; } break; case TEE\_DATA\_SEEK\_END: if (offset > 0 && ((uint32\_t)offset + info.dataSize > TEE\_DATA\_MAX\_POSITION || (uint32\_t)offset + info.dataSize < info.dataSize)) { res = TEE\_ERROR\_OVERFLOW; goto out; } break; default: res = TEE\_ERROR\_ITEM\_NOT\_FOUND; goto out; } res = utee\_storage\_obj\_seek((unsigned long)object, offset, whence); out: if (res != TEE\_SUCCESS && res != TEE\_ERROR\_OVERFLOW && res != TEE\_ERROR\_CORRUPT\_OBJECT && res != TEE\_ERROR\_STORAGE\_NOT\_AVAILABLE) TEE\_Panic(res); return res; }

CVE-2022-36621: mTower/tee_api_objects.c at 18f4b592a8a973ce5972f4e2658ea0f6e3686284 · Samsung/mTower

Plus: Chrome patches another zero-day flaw, Microsoft closes up 100 vulnerabilities, Android gets a significant patch, and more.

August was a bumper month for security patches, with Apple, Google, and Microsoft among the firms issuing emergency fixes for already exploited vulnerabilities. The month also saw some big fixes arriving from the likes of VMWare, Cisco, IBM, and Zimbra.

Here’s everything you need to know about the important security fixes issued in August.

Apple iOS 15.6.1

After a two-month patch hiatus, followed by multiple fixes in July, Apple released an emergency security update in August with iOS 15.6.1. The iOS update fixed two flaws, both of which were being used by attackers in the wild.

It is thought that the vulnerabilities in WebKit (CVE-2022-32893) and the Kernel (CVE-2022-32894) were being chained together in attacks, with serious consequences. A successful attack could allow an adversary to take control of your iPhone and access your sensitive files and banking details.

Combining the two flaws “typically provides all the functionality needed to mount a device jailbreak,” bypassing almost all Apple-imposed security restrictions, Paul Ducklin, a principal research scientist at Sophos, wrote in a blog analyzing the vulnerabilities. This would potentially allow adversaries to “install background spyware and keep you under comprehensive surveillance,” Ducklin explained.

Apple always avoids giving out details about vulnerabilities until most people have updated, so it’s hard to know who the attack targets were. To ensure you are safe, you should update your devices to iOS 15.6.1 without delay.

Apple also released iPadOS 15.6.1, watchOS 8.7.1, and macOS Monterey 12.5.1, all of which you should update at the next opportunity.

Google Chrome

Google released a security update in August to fix its fifth zero-day flaw this year. In an advisory, Google listed 11 vulnerabilities fixed in August. The patches include a use-after-free flaw in FedCM—tracked as CVE-2022-2852 and rated as critical—as well as six highly rated issues and three classed as having a medium impact. One of the highly rated vulnerabilities has been exploited by attackers, CVE-2022-2856.

Google hasn’t provided any detail about the exploited flaw, but since attackers have gotten ahold of the details, it’s a good idea to update Chrome now.

Earlier in August, Google released Chrome 104, fixing 27 vulnerabilities, seven of which were rated as having a high impact.

Google Android

The August Android security patch was a hefty one, with dozens of fixes for serious vulnerabilities, including a flaw in the framework that could lead to local privilege escalation with no additional privileges needed. Meanwhile, an issue in the media framework could lead to remote information disclosure, and a flaw in the system could lead to remote code execution over Bluetooth. A vulnerability in kernel components could also lead to local escalation of privileges.

The Android security patch was late in August, but it’s now available on such devices as Google’s Pixel range, the Nokia T20, and Samsung Galaxy devices (including the Galaxy S series, Galaxy Note series, Galaxy Fold series, and Galaxy Flip series).

Microsoft

Microsoft’s August Patch Tuesday fixed over 100 security flaws, of which 17 are rated as critical. Among the fixes was a patch for an already exploited flaw tracked as CVE-2022-34713, also known as DogWalk.

The remote code execution (RCE) flaw in the Windows Support Diagnostic Tool (MDST) is rated as having a high impact because exploiting it can result in a system compromise. The vulnerability, which affects all users of Windows and Windows Server, was first exposed over two years ago in January 2020, but Microsoft didn’t consider it a security issue at the time.

VMWare

VMWare fixed a bunch of flaws in August, including a critical authentication bypass bug tracked as CVE-2022-31656. On releasing the patch, the software firm warned that public exploit code is available.

VMWare also fixed an RCE vulnerability in VMware Workspace ONE Access, Identity Manager, and Aria Automation (formerly vRealize Automation), tracked as CVE-2022-31658 with a CVSS score of eight. Meanwhile, a SQL injection RCE vulnerability found in VMware Workspace ONE Access and Identity Manager also got a CVSS score of eight. Both require an attacker to have administrator and network access before they can trigger remote code execution.

Apple Fixed a Serious iOS Security Flaw—Have You Updated Yet?

A novel data exfiltration technique has been found to leverage a covert ultrasonic channel to leak sensitive information from isolated, air-gapped computers to a nearby smartphone that doesn't even require a microphone to pick up the sound waves.
Dubbed GAIROSCOPE, the adversarial model is the latest addition to a long list of acoustic, electromagnetic, optical, and thermal approaches devised by

A novel data exfiltration technique has been found to leverage a covert ultrasonic channel to leak sensitive information from isolated, air-gapped computers to a nearby smartphone that doesn't even require a microphone to pick up the sound waves.

Dubbed **GAIROSCOPE**, the adversarial model is the latest addition to a long list of acoustic, electromagnetic, optical, and thermal approaches devised by Dr. Mordechai Guri, the head of R&D in the Cyber Security Research Center in the Ben Gurion University of the Negev in Israel.

"Our malware generates ultrasonic tones in the resonance frequencies of the MEMS gyroscope," Dr. Guri said in a new paper published this week. "These inaudible frequencies produce tiny mechanical oscillations within the smartphone's gyroscope, which can be demodulated into binary information."

Air-gapping is seen as an essential security countermeasure that involves isolating a computer or network and preventing it from establishing an external connection, effectively creating an impenetrable barrier between a digital asset and threat actors who try to forge a path for espionage attacks.

Like other attacks against air-gapped networks, GAIROSCOPE is no different in that it banks on the ability of an adversary to breach a target environment via ploys such as infected USB sticks, watering holes, or supply chain compromises to deliver the malware.

What's new this time around is that it also requires infecting the smartphones of employees working in the victim organization with a rogue app that, for its part, is deployed by means of attack vectors like social engineering, malicious ads, or compromised websites, among others.

In the next phase of the kill chain, the attacker abuses the established foothold to harvest sensitive data (i.e., encryption keys, credentials etc.), encodes, and broadcasts the information in the form of stealthy acoustic sound waves via the machine's loudspeaker.

The transmission is then detected by an infected smartphone that's in close physical proximity and which listens through the gyroscope sensor built into the device, following which the data is demodulated, decoded, and transferred to the attacker via the Internet over Wi-Fi.

This is made possible due to a phenomenon called ultrasonic corruption that affects MEMS gyroscopes at resonance frequencies. "When this inaudible sound is played near the gyroscope, it creates an internal disruption to the signal output," Dr. Guri explained. "The errors in the output can be used to encode and decode information."

Experimental results show that the covert channel can be used to transfer data with bit rates of 1-8 bit/sec at distances of 0 - 600 cm, with the transmitter reaching a distance of 800 cm in narrow rooms.

Should employees place their mobile phones close to their workstations on the desk, the method could be used to exchange data, including short texts, encryption keys, passwords, or keystrokes.

The data exfiltration method is notable for the fact that it doesn't require the malicious app in the receiving smartphone (in this case, One Plus 7, Samsung Galaxy S9, and Samsung Galaxy S10) to have microphone access, thus tricking users into approving their access without suspicion.

The speakers-to-gyroscope covert channel is also advantageous from an adversarial point of view. Not only are there no visual cues on Android and iOS when an app uses the gyroscope (like in the case of location or microphone), the sensor is also accessible from HTML via standard JavaScript.

This also means that the bad actor doesn't have to install an app to achieve the intended goals, and can instead inject backdoor JavaScript code on a legitimate website that samples the gyroscope, receives the covert signals, and exfiltrates the information via the Internet.

Mitigating GAIROSCOPE requires organizations to enforce separation policies to keep smartphones at least 800 cm away or more from secured areas, remove loudspeakers and audio drivers from endpoints, filter out ultrasonic signals using firewalls SilverDog and SoniControl, and jam the covert channel by adding background noises to the acoustic spectrum.

The study arrives a little over a month after Dr. Guri demonstrated SATAn, a mechanism to jump over air-gaps and extract information by taking advantage of Serial Advanced Technology Attachment (SATA) cables.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

New Air-Gap Attack Uses MEMS Gyroscope Ultrasonic Covert Channel to Leak Data

Mobile transactions could’ve been disabled, created and signed by attackers.

Mobile transactions could’ve been disabled, created and signed by attackers.

Smartphone maker Xiaomi, the world’s number three phone maker behind Apple and Samsung, reported it has patched a high-severity flaw in its “trusted environment” used to store payment data that opened some of its handsets to attack.

Researchers at Check Point Research revealed last week in a report released at DEF CON that the Xiaomi smartphone flaw could have allowed hackers to hijack the mobile payment system and disable it or create and sign their own forged transactions.

The potential pool of victims was massive, considering one in seven of the world’s smartphones are manufactured by Xiaomi, according to Q2/22 data from Canalys. The company is the third largest vendor globally, according to Canalys.  
“We discovered a set of vulnerabilities that could allow forging of payment packages or disabling the payment system directly, from an unprivileged Android application. We were able to hack into WeChat Pay and implemented a fully worked proof of concept,” wrote Slava Makkaveev, security researcher with Check Point.

He said, the Check Point study marks the first time Xiaomi’s trusted applications have been reviewed for security issues. WeChat Pay is a mobile payment and digital wallet service developed by a firm of the same name, which is based in China. The service is used by over 300 million customers and allows Android users to make mobile payments and online transactions.

**The Flaw**

It’s unclear how long the vulnerability existed or if it was exploited by attackers in the wild. The bug, tracked as CVE-2020-14125, was patched by Xiaomi in June and has a CVSS severity rating of high.

“A denial of service vulnerability exists in some Xiaomi models of phones. The vulnerability is caused by out-of-bound read/write and can be exploited by attackers to make denial of service,” according to the NIST common vulnerability and exposure description of the bug.

While details of the bug’s impact were limited at the time Xiaomi disclosed the vulnerability in June, researchers at Check Point have outlined in its postmortem of the patched bug and the full potential impact of the flaw.

The core issue with Xiaomi phone was the mobile phones payment method and the Trusted Execution Environment (TEE) component of the phone. The TEE is the Xiaomi’s virtual enclave of the phone, responsible for processing and storing ultra-sensitive security information such fingerprints and the cryptographic keys used in signing transactions.

“Left unpatched, an attacker could steal private keys used to sign WeChat Pay control and payment packages. Worst case, an unprivileged Android app could have created and signed a fake payment package,” researchers wrote.

Two types of attacks could have been performed against handsets with the flaw according to Check Point.

*   From an unprivileged Android app: The user installs a malicious application and launches it. The app extracts the keys and sends a fake payment packet to steal the money.
*   If the attacker has the target devices in their hands: The attacker rootes the device, then downgrades the trust environment, and then runs the code to create a fake payment package without an application.

**Two Ways to Skin a TEE**

Controlling the TEE, according to Check Point, is a MediaTek chip component that needed to be present to conduct the attack. To be clear, the flaw was not in the MediaTek chip – however the bug was only executable in phones configured with the MediaTek processor.

“The Asian market,” the researchers noted, is “mainly represented by smartphones based on MediaTek chips.” Xiaomi phones that run on MediaTek chips use a TEE architecture called “Kinibi,” within which Xiaomi can embed and sign their own trusted applications.

“Usually, trusted apps of the Kinibi OS have the MCLF format” – Mobicore Loadable Format – “but Xiaomi decided to come up with one of their own.” Within their own format, however, was a flaw: an absence of version control, without which “an attacker can transfer an old version of a trusted app to the device and use it to overwrite the new app file.” The signature between versions doesn’t change, so the TEE doesn’t know the difference, and it loads the old one.

In essence the attacker could’ve turned back time, bypassing any security fixes made by Xiaomi or MediaTek in the most sensitive area of the phone.

As a case-in-point, the researchers targeted “Tencent soter,” Xiaomi’s embedded framework providing an API to third-party apps that want to integrate mobile payments. Soter is what’s responsible for verifying payments between phones and backend servers, for hundreds of millions of Android devices worldwide. The researchers performed time travel to exploit an arbitrary read vulnerability in the soter app. This allowed them to steal the private keys used to sign transactions.

The arbitrary read vulnerability is already patched, while the version control vulnerability is “being fixed.”

In addition, the researchers came up with one other trick for exploiting soter.

Using a regular, unprivileged Android application, they were able to communicate with the trusted soter app via “SoterService,” an API for managing soter keys. “In practice, our goal is to steal one of the soter private keys,” the authors wrote. However, by performing a classic heap overflow attack, they were able to “completely compromise the Tencent soter platform,” allowing much greater power to, for example, sign fake payment packages.

**Phones Remain Un-scrutinized**

Mobile payments are already receiving more scrutiny from security researchers, as services like Apple Pay and Google Pay gain popularity in the West. But the issue is even more significant for the Far East, where the market for mobile payments is already way ahead. According to data from Statista, that hemisphere was responsible for a full two-thirds of mobile payments globally in 2021 – about four billion dollars in transactions in all.

And yet, the Asian market “has still not yet been widely explored,” the researchers noted. “No one is scrutinizing trusted applications written by device vendors, such as Xiaomi, instead of by chip manufacturers, even though security management and the core of mobile payments are implemented there.”

As previously noted, Check Point asserted this was the first time Xiaomi’s trusted applications have been reviewed for security issues.

Xiaomi Phone Bug Allowed Payment Forgery

** UNSUPPORTED WHEN ASSIGNED ** An issue in the UPnP protocol in 4thline cling 2.0.0 through 2.1.2 allows remote attackers to cause a denial of service via an unchecked CALLBACK parameter in the request header.

Universal Plug and Play (UPnP), a ubiquitous protocol used by “billions of devices,” may be vulnerable to data exfiltration and reflected amplified TCP distributed denial of service (DDoS) attacks.

**Background**

On June 8, researcher Yunus Çadirci published an advisory for CallStranger, a vulnerability in the Universal Plug and Play (UPnP) protocol. UPnP is currently managed by the Open Connectivity Foundation (OCF). As its name implies, UPnP is a protocol designed to allow a variety of networked devices to universally communicate with each other without any special setup or configuration.

Because of its ubiquitous nature, UPnP is used by a wide variety of devices, including personal computers, networking equipment, video game consoles and internet of things (IoT) devices such as smart televisions. As a result, Çadirci says this particular vulnerability potentially affects “billions of devices.”

**Analysis**

CVE-2020-12695 is a server-side request forgery (SSRF)-like vulnerability in devices that utilize UPnP. The vulnerability exists due to the ability to control the Callback header value in the UPnP SUBSCRIBE function.

Source: CallStranger Technical Report

The SUBSCRIBE function is part of the UPnP standard that allows devices to monitor changes in other devices and services. For example, the PoC published on GitHub shows port 2869 for Microsoft’s Xbox One — which is used to monitor device changes on the network for features like media sharing — as vulnerable.

In order to exploit the flaw, an attacker would need to send a specially crafted HTTP SUBSCRIBE request to a vulnerable device.

An attacker could utilize this vulnerability in the following scenarios:

*   Intranet device port scanning to gather additional data from trusted assets within an organization’s LAN, bypassing organizational Data Loss Prevention (DLP) standards.
*   Send large amounts of traffic to arbitrary destinations. Targets flooded by the affected devices could crash under the increased network load, resulting in a denial of service (DoS). This is a result of UPnP attempting to establish a TCP handshake with multiple SYN packets for all Callback values in the SUBSCRIBE request.
*   Exfiltrate sensitive device data by directing callback information to arbitrary targets.

With the exception of the DoS, these scenarios provide a stealthy method for an attacker to steal data from a compromised network. This sensitive information could potentially open up an organization to further attack.

**Proof of concept**

The original proof of concept (PoC) created by Çadirci has been added to his GitHub repository.

**Solution**

Since CallStranger is a protocol-level vulnerability, OCF has made changes to the UPnP protocol specification. Therefore, manufacturers of affected devices are in the process of determining its impact. As a result, we anticipate newly affected devices will be reported and patches will be released over time for devices still receiving product support. Tenable product coverage for this vulnerability can be found in the “identifying affected systems” section below.

At the time this blog post was published, the CallStranger website listed the following operating systems, networking equipment, printers, IoT devices and applications as reportedly vulnerable.

****Operating Systems****

**Vendor/Model**

**Version**

Windows 10

10.0.18362.719

Xbox One OS

10.0.19041.2494

****Networking Equipment****

**Vendor/Model**

**Version**

ASUS

RT-N11

Broadcom ADSL

\-

Cisco Wireless Access Point

WAP150 WAP131 WAP351

D-Link

DVG-N5412SP

Huawei

HG255s (HG255sC163B03) HG532e MyBox

NEC AccessTechnica

WR8165N

Netgear

WNHDE111

Ruckus ZoneDirector

\-

TP-Link

Archer C50

ZTE

ZXV10 W300 H108N

Zyxel

AMG1202-T10B

****Printers****

**Vendor/Model**

**Version**

Canon Selphy

CP1200

Dell

B1165NFW

EPSON EP, EW, XP Series Printers

\-

Hewlett Packard Deskjet, Photsmart and Officejet ENVY

\-

Samsung

X4300

****Internet of Things****

**Vendor/Model**

**Version**

Canal Digital ADB

TNR-5720 SX

Belkin Wemo

\-

Nokia HomeMusic Media Device

\-

Panasonic

BB-HCM735 VL-MWN350

Philips

2k14MTK TV (TPL161E\_012.003.039.001)

Samsung

UE55MU7000 (T-KTMDEUC-1280.5, BT - S) MU8000

Siemens

CNE1000

Trendnet

TV-IP551W

****Applications****

**Vendor/Model**

**Version**

ASUS Media Streamer

\-

LG Smartshare Media

\-

Sony Media Go Media

\-

Stream What You Hear

\-

Ubiquiti UniFi Controller

\-

**Identifying affected systems**

A list of Tenable plugins to identify this vulnerability will appear here as they’re released. Additionally, the table below lists several Tenable plugins to help identify devices within your network that may have UPnP enabled.

**Plugin ID**

**Description**

**Product**

10829

UPnP Client Detection

Nessus

35711

Universal Plug and Play (UPnP) Protocol Detection

Nessus

8061

UPNP Traffic Detection (Client)

Nessus Network Monitor (NMM)

1948

UPNP Traffic Detection

Nessus Network Monitor (NMM)

**Get more information**

*   CallStranger Disclosure Site
*   CERT/CC CallStranger Advisory (VU#339275)
*   Proof of Concept Code released on GitHub

**_Join Tenable's Security Response Team on the Tenable Community._**

**_Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface._**

Get a free 30-day trial of Tenable.io Vulnerability Management.

Tag

#samsung