Incomplete signature parsing during boot image authentication leads to signature forgery (CVE-2014-0973)

Release Date: 
June 13, 2014
Advisory ID: 
QCIR-2014-00003-1
Summary: 

The following security vulnerability has been identified in the implementation of the Little Kernel (LK) bootloader for Android.

CVE-2014-0973:
When parsing a padded PKCS#1-formatted RSA signature, LK does not properly verify that no trailing bytes are left after the hash value in the signature decrypted with the public exponent. Given a certificate with an exponent of 3, it becomes practical to force a chosen expected hash by reducing the padding length and appending garbage bytes after the hash, with the garbage bytes adjusted so that the signature is the cube root of the encrypted value. A local attacker can use this flaw to craft a signature that this implementation accepts as valid, leading to a bypass of the secure boot feature for application bootloader images.

Access Vector: local
Security Risk: critical
Vulnerability: CWE-310 (cryptographic issues)
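
The parsing flaw described under CVE-2014-0973 above, as an added example (not LK's code and not the referenced patch): a left-to-right PKCS#1 v1.5 check that stops after the hash, next to a check that rebuilds the single valid block and compares every byte. The 2048-bit modulus, the SHA-256 DigestInfo layout and all function names are assumptions; `em` stands for the block already recovered from the signature with the public key.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EM_LEN   256                 /* assumed: 2048-bit RSA modulus */
#define HASH_LEN 32                  /* assumed: SHA-256 digest */
#define T_LEN    (19 + HASH_LEN)     /* DigestInfo prefix + digest */

/* DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2). */
static const uint8_t PREFIX[19] = {
    0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
    0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20 };

/* Build 00 01 FF*ps_len 00 || PREFIX || hash; bytes after the hash = fill. */
void build_block(uint8_t *em, const uint8_t *hash, size_t ps_len, uint8_t fill)
{
    memset(em, fill, EM_LEN);
    em[0] = 0x00;
    em[1] = 0x01;
    memset(em + 2, 0xff, ps_len);
    em[2 + ps_len] = 0x00;
    memcpy(em + 3 + ps_len, PREFIX, sizeof PREFIX);
    memcpy(em + 3 + ps_len + sizeof PREFIX, hash, HASH_LEN);
}

/* Flawed pattern: parses left to right and stops after the hash. */
int verify_lenient(const uint8_t *em, const uint8_t *hash)
{
    size_t i = 2;
    if (em[0] != 0x00 || em[1] != 0x01) return 0;
    while (i < EM_LEN && em[i] == 0xff) i++;       /* any padding length */
    if (i >= EM_LEN || em[i++] != 0x00) return 0;
    if (i + T_LEN > EM_LEN) return 0;
    if (memcmp(em + i, PREFIX, sizeof PREFIX) != 0) return 0;
    return memcmp(em + i + sizeof PREFIX, hash, HASH_LEN) == 0; /* tail unchecked */
}

/* Hardened pattern: rebuild the only valid block and compare every byte. */
int verify_strict(const uint8_t *em, const uint8_t *hash)
{
    uint8_t expect[EM_LEN], diff = 0;
    build_block(expect, hash, EM_LEN - 3 - T_LEN, 0x00);
    for (size_t i = 0; i < EM_LEN; i++) diff |= (uint8_t)(em[i] ^ expect[i]);
    return diff == 0;
}
```

Comparing against a reconstructed block also enforces the full padding length, so a shortened padding string is rejected even when no bytes follow the hash.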

Affected versions:
All active branches of LK implementations on CAF are affected.

Patch: 

We advise customers to apply the following patch:
https://www.codeaurora.org/cgit/quic/la/kernel/lk/commit/?h=master&id=f3...

Acknowledgement: 

Qualcomm Innovation Center, Inc. (QuIC) thanks Lee Harrison and Kang Li for reporting the related issues and working with QuIC to help improve Android device security.

Revisions: 

Initial revision

Contact: 
security-advisory@quicinc.com