CVE-2021-40055: Huawei OTA Insecure SSL Configuration Man-In-The-Middle Vulnerability

Summary In this advisory we are disclosing a vulnerability in the Huawei Over-The-Air (OTA) update implementation that allows bypassing SSL protections and execute a Man-In-The-Middle attack. The vulnerability was fixed in March 2022. Vulnerability Details Huawei devices - both those running Android and those running HarmonyOS - use Huawei’s custom implementation for applying OTA updates. OTA updates are packaged into a zip container. The update mechanism has several checks that are meant to ensure the authenticity of OTA images before they are applied: the over-the-air download is supposed to happen over a secure connection to prevent Man-In-The-Middle attacks, the zip file has a cryptographic signature that is verified by the update process, and finally the contents of the zip file include further authentications tags.

CVE-2021-32484: Heap Buffer overflow in GSM RRM E-UTRAN Individual Priority Parameters

Summary In this advisory we are disclosing a heap overflow vulnerability in the MediaTek baseband. The vulnerability can be exploited to gain arbitrary code execution in the context of the baseband runtime. The vulnerability was fixed in 2020 in some models, and received a CVE and more widely deployed fix in 2021. Vulnerability Details When processing the CSN.1 decoding of the “E-UTRAN Individual Priority Parameters” element, the function rr_decode_eutran_individual_priority_para_description implements a two-depth nested repetition (Repeated Individual E-UTRAN Priority Parameters Description struct and its child element EARFCN). The outer loop is iterated by checking on the single bit representing the ongoing repetition, and while that equals “1”, a new Repeated Individual E-UTRAN Priority Parameters Description struct is processed.

CVE-2021-32485: Heap Buffer overflow in GSM RRM UTRAN Individual Priority Parameters

Summary In this advisory we are disclosing a heap overflow vulnerability in the MediaTek baseband. The vulnerability can be exploited to gain arbitrary code execution in the context of the baseband runtime. The vulnerability was fixed in 2020 in some models, and received a CVE and more widely deployed fix in 2021. Vulnerability Details When processing the CSN.1 decoding of the “UTRAN (3G) Individual Priority Parameters” element, the function rr_decode_3g_individual_priority_para_description implements a two-depth nested repetition (Repeated Individual UTRAN Priority Parameters Description struct and its child element FDD-ARFCN). The outer loop is iterated by checking the single bit representing the ongoing repetition, and while that equals “1”, a new Repeated Individual UTRAN Priority Parameters Description struct is processed.

CVE-2021-32486: Heap Buffer overflow in GSM RRM E-UTRAN IPP with extended EARFCNs

Summary In this advisory we are disclosing a heap overflow vulnerability in the MediaTek baseband. The vulnerability can be exploited to gain arbitrary code execution in the context of the baseband runtime. The vulnerability was fixed in 2020 in some models, and received a CVE and more widely deployed fix in 2021. Vulnerability Details When processing the CSN.1 decoding of the “E-UTRAN IPP with extended EARFCNs” element, the function rr_decode_eutran_ipp_extended_earfcns implements a two-depth nested repetition (Repeated Individual E-UTRAN PP with extended EARFCNs Description struct and its child element EARFCN_extended). The outer loop is iterated by checking the single bit representing the ongoing repetition, and while that equals “1”, a new Repeated Individual E-UTRAN PP with extended EARFCNs Description struct is processed.

CVE-2021-32487: Heap Buffer overflow in GSM RRM Channel Release, Cell Selection Indicator

Summary In this advisory we are disclosing a heap overflow vulnerability in the MediaTek baseband. The vulnerability can be exploited to gain arbitrary code execution in the context of the baseband runtime. The vulnerability was fixed in 2020 in some models, and received a CVE and more widely deployed fix in 2021. Vulnerability Details When processing the GSM Radio Resource Management Channel Release message, the CSN.1 decoding of the “Cell selection indicator after release of all TCH and SDCCH” information element contains a heap buffer overflow in the function FDD_csrr_decode_redirection_ie. The “Cell selection indicator after release of all TCH and SDCCH” is a type 4 information element with a minimum length of 4 octets.

CVE-2021-25452: Kernel Permanent Denial of Service Vulnerability in the Vision DSP Kernel Driver

There is a memory management and a path traversal vulnerability in the vision DSP kernel driver of Exynos S20 devices. These vulnerabilities can be leveraged by a malicious untrusted application to permanently disable the device until it is factory reset. Vulnerability Details The Exynos DSP driver implements an ioctl call that allows applications to upload a custom model (graph) for the dsp device. The DSP_IOC_LOAD_GRAPH ioctl handler of the /dev/dsp device receives an array of names of the graph binaries to be loaded. The dsp_kernel_alloc function appends the “.elf” extension to the user-supplied name then uses the kernel’s request firmware API to load it from the file system.

CVE-2021-25457: Kernel Information Disclosure in the Vision DSP Kernel Driver

There is a sensitive information disclosure vulnerability in the vision DSP kernel driver of S20 Exynos devices. The vulnerability can be used by malicious privileged applications to read the kernel’s and other application’s memory. Vulnerability Details The Exynos DSP driver implements an ioctl call that allows applications to upload a custom model (graph) for the dsp device. The DSP_IOC_LOAD_GRAPH ioctl handler of the /dev/dsp device receives an array of Unix paths of the graph files to be loaded. This array has a complex structure, it begins with an array of integers that contains the length of each path. The array of lengths is followed by the actual path strings, one after the other, delimited by the length values.

CVE-2021-25467: Kernel LPE in the Vision DSP Kernel Driver

There is a kernel virtual memory mapped IO buffer overflow vulnerability in the vision DSP kernel driver of S20 Exynos devices. The vulnerability could potentially be used by a malicious system application to compromise the kernel and gain further privileges. The vulnerability is only triggerable via compromised system applications due to a second access control bypass issue. In addition to achieving code execution in the kernel, the access control bypass issue itself may also be used by compromised system applications to directly take complete control over the DSP device itself. Vulnerability Details The Exynos DSP driver implements an ioctl call that allows applications to upload a custom model (graph) for the dsp device.

CVE-2021-25475: Kernel LPE in the Vision DSP Kernel Driver's ELF Linker

There is a vmalloc out of bounds write vulnerability in the vision DSP kernel driver of Samsung Exynos S20 devices. The vulnerability could potentially be used by a malicious system application to compromise the kernel and gain further privileges. Vulnerability Details The Exynos DSP driver implements two distinct ioctl calls that are used to load images and graphs and boot the device. The DSP_IOC_BOOT ioctl loads the dsp’s firmware images, common libraries, an xml global kernel descriptor file and a linker file for linking libraries. The DSP_IOC_LOAD_GRAPH ioctl is responsible for creating a shared memory region between the dsp device and user space and for loading the custom graph models implemented in elf libraries.

CVE-2021-25458: Kernel NULL Pointer Dereference in Exynos ION Implementation

There is an ION memory buffer type confusion vulnerability in the Exynos ION kernel driver. The vulnerability can cause zero initialised memory to be treated as a valid pointer and cause a kernel NULL pointer exception. Untrusted applications can abuse this bug to cause a kernel crash and carry out DOS attacks agains the device. Vulnerability Details The vulnerable code is in ion_iovmm_map in drivers/staging/android/ion/ion_exynos.c, the function is used to map an ion buffer into the bus’s io address space, to make it available for dma capable external devices and returns this dma address. The function has a fast path for buffers marked with ION_FLAG_PROTECTED and returns their associated, preinitialised prot->dma_addr pointers.