The vulnerabilities allow reading data protected by TrustZone and executing arbitrary code inside the TEE.
Specialists from the Russian company Digital Security have discovered vulnerabilities in Samsung smartphones that allow an attacker to gain complete control over the device. The problem affects devices built on the Qualcomm MSM8996 (Snapdragon 820) and MSM8998 (Snapdragon 835) processors, as well as the Exynos 7420, 7870, 8890 and 8895. These are flagship and mid-range models from several years: the Galaxy S6 and Note 5, S7 and Note 7, S8 and Note 8, as well as the J5, J6, J7, A2 Core, A3, A6 and M10.
The first of the two problems is an information disclosure vulnerability. With it, an attacker can read memory that is accessible only from the Secure World of TrustZone, the hardware-isolated environment that runs alongside, and completely separate from, the device's main operating system.
"A vulnerability in the TEE Gatekeeper trustlet with UID 081300000000000000000000000000 can be used by an application in the Normal World to read memory available only from the Secure World, in TrustZone terminology. The vulnerability is due to the lack of address checking in the TCI buffer. The attacker gets read access to all the memory available to the trustlet," the Digital Security notice says.
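The bug class behind the Gatekeeper issue is a trustlet that takes an address and a length out of the TCI (Trustlet Connector Interface) buffer, the memory a Normal World client shares with it, and copies from that address without checking that the range lies inside the shared buffer. The following is an added example written for this article, not Digital Security's or Samsung's code; the command layout, the flat simulated address space and the `world[]`/`tci_cmd_t` names are assumptions for the demonstration. It shows a handler with the check missing next to one with the check in place, and a client request that points the source at Secure World memory.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated trustlet view of memory: a Secure World heap region followed by the
 * TCI buffer that the Normal World client shares with the trustlet. Addresses are
 * offsets into world[]; this layout is an assumption for the demo, not Samsung's. */
#define SECURE_BASE 0x0000u
#define SECURE_SIZE 0x1000u
#define TCI_BASE    (SECURE_BASE + SECURE_SIZE)
#define TCI_SIZE    0x1000u
#define OUT_MAX     256u

static _Alignas(16) uint8_t world[SECURE_SIZE + TCI_SIZE];

/* Command block the client writes at the start of the TCI buffer (assumed layout). */
typedef struct {
    uint32_t cmd;
    uint32_t src_addr;     /* address the client asks the trustlet to copy from */
    uint32_t len;          /* number of bytes to copy */
    uint32_t rc;
    uint8_t  out[OUT_MAX]; /* result area, readable by Normal World */
} tci_cmd_t;

static tci_cmd_t *tci(void) { return (tci_cmd_t *)&world[TCI_BASE]; }

/* Vulnerable handler: only the destination size is checked. src_addr is taken
 * from the shared buffer as-is, so the client can aim it at Secure World memory.
 * (In this simulation the client must keep src_addr + len inside world[].) */
int handle_read_vuln(void) {
    tci_cmd_t *c = tci();
    if (c->len > OUT_MAX) return -1;
    memmove(c->out, &world[c->src_addr], c->len);
    return 0;
}

/* The missing check: the whole [addr, addr + len) range must lie inside the TCI
 * buffer, with the comparison arranged so a huge addr or len cannot wrap around. */
static bool inside_tci(uint32_t addr, uint32_t len) {
    if (len > TCI_SIZE) return false;
    if (addr < TCI_BASE) return false;
    if (addr > TCI_BASE + TCI_SIZE - len) return false;
    return true;
}

/* Hardened handler: rejects any source range that is not entirely in the shared buffer. */
int handle_read_fixed(void) {
    tci_cmd_t *c = tci();
    if (c->len > OUT_MAX || !inside_tci(c->src_addr, c->len)) return -1;
    memmove(c->out, &world[c->src_addr], c->len);
    return 0;
}

/* Constructed scenario: a secret sits in the Secure World heap and some client
 * data sits further inside the TCI buffer. The client asks for a read at src_addr. */
static const uint8_t SECRET[] = "KEYMATERIAL";   /* constructed sample, 12 bytes incl. NUL */
#define SECRET_ADDR (SECURE_BASE + 0x100u)
#define CLIENT_ADDR (TCI_BASE + 0x800u)

/* Returns the handler's result code (0 = copied, -1 = refused). */
int run_request(bool hardened, uint32_t src_addr) {
    memset(world, 0, sizeof world);
    memcpy(&world[SECRET_ADDR], SECRET, sizeof SECRET);
    memset(&world[CLIENT_ADDR], 0x41, sizeof SECRET);

    tci_cmd_t *c = tci();
    c->cmd = 1;
    c->src_addr = src_addr;
    c->len = sizeof SECRET;
    int rc = hardened ? handle_read_fixed() : handle_read_vuln();
    c->rc = (uint32_t)rc;
    return rc;
}

/* True if the Secure World secret ended up in the client-readable out[] area. */
bool out_has_secret(void) {
    return memcmp(tci()->out, SECRET, sizeof SECRET) == 0;
}

int main(void) {
    int rc = run_request(false, SECRET_ADDR);
    printf("vuln,  src in secure heap: rc=%d leaked=%d\n", rc, out_has_secret());
    rc = run_request(true, SECRET_ADDR);
    printf("fixed, src in secure heap: rc=%d leaked=%d\n", rc, out_has_secret());
    rc = run_request(true, CLIENT_ADDR);
    printf("fixed, src in TCI buffer:  rc=%d\n", rc);
    return 0;
}
```

The point of `inside_tci` is the order of the comparisons: checking `len` against the buffer size first, then `addr > TCI_BASE + TCI_SIZE - len`, avoids the `addr + len` overflow that a naive upper-bound check would have; a client-supplied address of 0xFFFFFFF0 is rejected rather than wrapping into the buffer.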
The second problem is a heap overflow vulnerability. "A vulnerability in the TRUST_KEYMASTER trustlet with UID ffffffff0000000000000000000000e is caused by a heap overflow during parsing of an ASN.1 structure encoded according to the DER rules. The vulnerability allows an attacker to execute arbitrary code in the context of the TEE (Trusted Execution Environment)," the researchers said.
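A DER heap overflow of the kind described above typically comes from a parser that decodes the length field of a TLV element, verifies it against the remaining input, and then copies that many bytes into a heap buffer sized for the largest value the trustlet expects. The following is an added example written for this article, not Digital Security's or Samsung's code, and it does not reproduce the Keymaster trustlet's actual structures: the `field_obj_t` layout, the 32-byte field size and the OCTET STRING input are assumptions. It pairs a length-checked DER decoder with a vulnerable and a hardened copy step, and places a marker after the heap buffer so the overflow is observable without corrupting allocator metadata.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIELD_MAX 32u   /* assumed: size the parser allocates for one decoded field */

/* Heap object under attack: the field buffer followed by a marker, so an overflow
 * shows up as a clobbered marker instead of corrupting real allocator metadata. */
typedef struct {
    uint8_t field[FIELD_MAX];
    uint8_t marker[8];
} field_obj_t;

static const uint8_t MARKER[8] = { 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5 };

/* Decode a DER length from p[0..avail). Returns the number of length bytes consumed,
 * or 0 on error. DER requires the definite form with minimal encoding; lengths with
 * more than 4 bytes are rejected as unreasonable for this field. */
size_t der_length(const uint8_t *p, size_t avail, size_t *len) {
    if (avail < 1) return 0;
    uint8_t b = p[0];
    if (b < 0x80) { *len = b; return 1; }          /* short form */
    if (b == 0x80 || b == 0xFF) return 0;          /* indefinite / reserved: not DER */
    size_t n = b & 0x7Fu;
    if (n > 4 || avail < 1 + n) return 0;
    if (p[1] == 0) return 0;                       /* leading zero byte: non-minimal */
    size_t v = 0;
    for (size_t i = 0; i < n; i++) v = (v << 8) | p[1 + i];
    if (v < 0x80) return 0;                        /* would have fit the short form */
    *len = v;
    return 1 + n;
}

/* Vulnerable: checks that the declared length fits the *input*, then copies it
 * into field[] without comparing it against the buffer's capacity. */
int parse_octet_string_vuln(const uint8_t *in, size_t inlen, field_obj_t *obj) {
    size_t len = 0, hdr;
    if (inlen < 2 || in[0] != 0x04) return -1;     /* expect OCTET STRING */
    hdr = der_length(in + 1, inlen - 1, &len);
    if (hdr == 0 || len > inlen - 1 - hdr) return -1;
    memcpy((uint8_t *)obj, in + 1 + hdr, len);     /* field[] is the first member */
    return (int)len;
}

/* Hardened: the same parse, plus the destination capacity check the other lacks. */
int parse_octet_string_fixed(const uint8_t *in, size_t inlen, field_obj_t *obj) {
    size_t len = 0, hdr;
    if (inlen < 2 || in[0] != 0x04) return -1;
    hdr = der_length(in + 1, inlen - 1, &len);
    if (hdr == 0 || len > inlen - 1 - hdr) return -1;
    if (len > FIELD_MAX) return -1;                /* destination bound */
    memcpy(obj->field, in + 1 + hdr, len);
    return (int)len;
}

/* Builds a constructed OCTET STRING of `len` content bytes (short-form length,
 * len < 128) filled with `fill`. Returns the encoded size, or 0 if it does not fit. */
size_t build_octet_string(uint8_t *out, size_t cap, uint8_t fill, size_t len) {
    if (len >= 0x80 || cap < 2 + len) return 0;
    out[0] = 0x04;
    out[1] = (uint8_t)len;
    memset(out + 2, fill, len);
    return 2 + len;
}

/* Parses one constructed OCTET STRING of `declared` bytes against a fresh heap object.
 * Returns 1 if the marker after field[] was overwritten, 0 if the parser rejected the
 * input with the marker intact, 2 if it accepted the input with the marker intact.
 * `declared` is capped at sizeof(field_obj_t) so the demo's own write stays inside
 * the allocation; a real exploit would not be so polite. */
int heap_demo(bool hardened, size_t declared) {
    uint8_t in[2 + 0x7F];
    if (declared > sizeof(field_obj_t)) return -1;
    size_t inlen = build_octet_string(in, sizeof in, 0x41, declared);
    if (inlen == 0) return -1;

    field_obj_t *obj = malloc(sizeof *obj);
    if (!obj) return -1;
    memset(obj->field, 0, FIELD_MAX);
    memcpy(obj->marker, MARKER, sizeof MARKER);

    int rc = hardened ? parse_octet_string_fixed(in, inlen, obj)
                      : parse_octet_string_vuln(in, inlen, obj);
    bool intact = memcmp(obj->marker, MARKER, sizeof MARKER) == 0;
    free(obj);
    if (!intact) return 1;
    return rc < 0 ? 0 : 2;
}

int main(void) {
    printf("vuln,  40-byte field: %d\n", heap_demo(false, 40));
    printf("fixed, 40-byte field: %d\n", heap_demo(true, 40));
    printf("fixed, 16-byte field: %d\n", heap_demo(true, 16));
    return 0;
}
```

Note that `der_length` alone does not prevent the overflow: it rejects malformed encodings (indefinite length, non-minimal long form), but a perfectly valid DER length of 40 still gets past the vulnerable copy. The destination bound in `parse_octet_string_fixed` is the check that matters, and it has to be made against the buffer that was actually allocated, not against what the input claims.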
Samsung released patches for both vulnerabilities in May 2019.