SB2022092130 - Multiple vulnerabilities in Samsung mTower
Published: September 21, 2022
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 6 secuirty vulnerabilities.
1) Improper Handling of Length Parameter Inconsistency (CVE-ID: CVE-2022-40757)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper handling of length value in TEE_MACComputeFinal function. A remote attacker can invoke the function TEE_MACComputeFinal with an excessive size value of messageLen and cause a denial of service condition on the target system.
2) Uncontrolled Memory Allocation (CVE-ID: CVE-2022-40762)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a memory allocation with excessive size value in the TEE_Realloc function. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
3) Input validation error (CVE-ID: CVE-2022-40761)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in the utee_cryp_obj_alloc function. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
4) Improper Handling of Length Parameter Inconsistency (CVE-ID: CVE-2022-40760)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper handling of length value in TEE_MACUpdate, TEE_MACComputeFinal and TEE_CipherUpdate functions. A remote attacker can invoke the function TEE_MACUpdate with an excessive size value of chunkSize and cause a denial of service condition on the target system.
5) NULL pointer dereference (CVE-ID: CVE-2022-40759)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in the TEE_MACCompareFinal function. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.
6) Improper Handling of Length Parameter Inconsistency (CVE-ID: CVE-2022-40758)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper handling of length value in TEE_CipherUpdate function. A remote attacker can invoke the function TEE_CipherUpdate with an excessive size value of srcLen and cause a denial of service condition on the target system.
Remediation
Install update from vendor's website.
References
- https://github.com/Samsung/mTower/blob/efd36709306a9afcca5b4782499d01be0c7a02a5/tee/lib/libutee/tee_api_operations.c#L1031
- https://github.com/Samsung/mTower/issues/81
- https://github.com/Samsung/mTower/issues/82
- https://github.com/Samsung/mTower/blob/efd36709306a9afcca5b4782499d01be0c7a02a5/tee/lib/libutee/tee_api.c#L319
- https://github.com/Samsung/mTower/blob/efd36709306a9afcca5b4782499d01be0c7a02a5/tee/tee/tee_svc_cryp.c#L1248
- https://github.com/Samsung/mTower/issues/83
- https://github.com/Samsung/mTower/blob/efd36709306a9afcca5b4782499d01be0c7a02a5/tee/tee/tee_obj.c#L109
- https://github.com/Samsung/mTower/blob/efd36709306a9afcca5b4782499d01be0c7a02a5/tee/lib/libutee/tee_api_operations.c#L1188
- https://github.com/Samsung/mTower/blob/efd36709306a9afcca5b4782499d01be0c7a02a5/crypto/libtomcrypt/include/tomcrypt_hash.h#L397
- https://github.com/Samsung/mTower/issues/80
- https://github.com/Samsung/mTower/blob/efd36709306a9afcca5b4782499d01be0c7a02a5/tee/lib/libutee/tee_api_operations.c#L1249
- https://github.com/Samsung/mTower/blob/efd36709306a9afcca5b4782499d01be0c7a02a5/tee/lib/libutee/tee_api_operations.c#L1224