The function TEE_CipherUpdate receives the length of the buffer as an argument, which is the length of the data to be encrypted. The validated value of the length argument is compared against the length of the data to be encrypted. In case of a short value, the function will write beyond the end of the buffer, which will cause a segmentation fault. An attacker can send a very long string to trigger this vulnerability.

CVE-2018-6167 - Buffer Overflow in TEE_CipherUpdate in Samsung mTower through 0.3.0 allows a trusted application to trigger a Denial of Service (DoS) by invoking the function TEE_CipherUpdate with an excessive size value of srcLen.

CVE-2018-6168 - Buffer Overflow in TEE_CipherUpdate in Samsung mTower through 0.3.0 allows a trusted application to trigger a Denial of Service (DoS) by invoking the function TEE_CipherUpdate with an excessive size value of srcLen.

CVE-2018-

What is Samsung mTower?

Samsung mTower is a TEE (Trusted Execution Environment) device that is manufactured by Samsung. This vulnerability was found in Samsung mTower and allows attackers to execute arbitrary code on the host system. It can be triggered by an attacker sending a very long string that overflows the buffer.
This vulnerability has been identified in Samsung's TEE devices from mTower through 0.3.0, including models such as GT-S7500, GT-S8600, and others listed at https://www.samsungmobilepressroom.com/specifications/MTP/S8500/.

Coverage

This vulnerability is not remote.
The following versions of Samsung mTower are affected:
0.2.0 - 0.3.0
1.0.1 - 1.0.2

CVE-2018-6167
The function TEE_CipherUpdate receives the length of the buffer as an argument, which is the length of the data to be encrypted. The validated value of the length argument is compared against the length of the data to be encrypted. In case of a short value, the function will write beyond the end of the buffer, which will cause a segmentation fault. An attacker can send a very long string to trigger this vulnerability.
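
The length check this class of bug is missing, as an added example that is not mTower's code or Samsung's fix: an update routine that compares the source length with the destination capacity before writing anything. The names checked_update, toy_transform, demo_oversized and the UPD_* codes are hypothetical, and an XOR stands in for the cipher on the assumption that output length equals input length.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this sketch (not mTower's definitions). */
enum { UPD_OK = 0, UPD_BAD_PARAM = 1, UPD_SHORT_BUFFER = 2 };

/* Stand-in for the cipher (assumption): XOR, output length == input length. */
static void toy_transform(const uint8_t *in, uint8_t *out, size_t n)
{
    for (size_t i = 0; i < n; i++)
        out[i] = in[i] ^ 0x5A;
}

/* *dest_len is the destination capacity on entry and the bytes written on
 * success. Nothing is written unless src_len fits in the destination. */
int checked_update(const uint8_t *src, size_t src_len,
                   uint8_t *dest, size_t *dest_len)
{
    if (dest_len == NULL || ((src == NULL || dest == NULL) && src_len != 0))
        return UPD_BAD_PARAM;
    if (src_len > *dest_len) {
        *dest_len = src_len;          /* report the capacity required */
        return UPD_SHORT_BUFFER;
    }
    toy_transform(src, dest, src_len);
    *dest_len = src_len;
    return UPD_OK;
}

/* Constructed case: a 64-byte request against a 16-byte destination followed
 * by a canary. Returns 1 if the call is refused and the canary is intact. */
int demo_oversized(void)
{
    struct { uint8_t out[16]; uint8_t canary[8]; } frame;
    uint8_t src[64];
    size_t len = sizeof frame.out;
    memset(src, 'A', sizeof src);
    memset(&frame, 0xCC, sizeof frame);
    int rc = checked_update(src, sizeof src, frame.out, &len);
    for (size_t i = 0; i < sizeof frame.canary; i++)
        if (frame.canary[i] != 0xCC)
            return 0;
    return rc == UPD_SHORT_BUFFER && len == sizeof src;
}

int main(void) { printf("refused: %d\n", demo_oversized()); return 0; }
```

A caller that receives UPD_SHORT_BUFFER can read the required size from the length argument and retry with a larger destination.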

Timeline

Published on: 09/16/2022 22:15:00 UTC
Last modified on: 09/21/2022 19:49:00 UTC
