Improper Certificate Validation in MediaTek Hardware solutions

#VU62000 Improper Certificate Validation in MediaTek Hardware solutions

Published: 2022-04-08

Vulnerability identifier: #VU62000

Vulnerability risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-20081

CWE-ID: CWE-295

Exploitation vector: Local network

Exploit availability: No

Vendor: MediaTek

Description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to improper improper certificate validation in A-GPS. A remote attacker can perform MitM attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

MT6580: All versions

MT6735: All versions

MT6737: All versions

MT6739: All versions

MT6753: All versions

MT6761: All versions

MT6765: All versions

MT6768: All versions

MT6771: All versions

MT6779: All versions

MT6781: All versions

MT6785: All versions

MT6833: All versions

MT6853: All versions

MT6873: All versions

MT6877: All versions

MT6879: All versions

MT6883: All versions

MT6885: All versions

MT6889: All versions

MT6893: All versions

MT6895: All versions

MT6983: All versions

MT8666: All versions

MT8667: All versions

MT8675: All versions

CPE

cpe:2.3:a:mediatek:mt6580:*:*:*:*:*:*:*:*

External links
http://corp.mediatek.com/product-security-bulletin/April-2022

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

Latest bulletins with this vulnerability

Multiple vulnerabilities in Google Android

Multiple vulnerabilities in MediaTek chipsets