Loading of image data to memory locations based on untrusted header data in LK bootloader (CVE-2013-2598)

Release Date:

September 6, 2013

Affected Projects:

Android for MSM
Firefox OS for MSM
QRD Android

Advisory ID:

QCIR-2013-00007-1

CVE ID(s):

CVE-2013-2598

Summary:

The following security vulnerability has been identified in the implementation of the Little Kernel (LK) bootloader for Android.

CVE-2013-2598: The LK implementation performs the basic tasks needed to start an operating system on the application processor. As part of that, it reads the Linux kernel and ramdisk from a boot or recovery image, loads them into RAM at the addresses given in the image header, performs signature verification, and finally boots. Because the header values that determine the load destination of the image were implicitly treated as trusted, it was possible to load the image to arbitrary locations, including the memory of the LK application bootloader itself, and thus to overwrite, e.g., the signature verification code.
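The class of check the patches introduce, shown here as an added example written for this advisory rather than code taken from LK or the CAF commits: every load address and size from the untrusted header is bounds-checked against a permitted DRAM window and against the bootloader's own memory before anything is copied. The header struct is reduced to the fields that matter here, and the address constants are constructed placeholders, not real MSM memory maps.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed placeholder regions (not real MSM addresses): the window the
 * bootloader permits images to be loaded into, and the bootloader's own range. */
#define LOAD_BASE 0x00100000u /* lowest permitted load address        */
#define LOAD_END  0x10000000u /* one past the highest permitted address */
#define LK_BASE   0x0F900000u /* start of the bootloader's code/data   */
#define LK_END    0x0FA00000u /* one past the end of the bootloader    */

/* Minimal view of the boot image header; the real header carries more
 * fields, this subset is an assumption made for the example. */
struct boot_img_hdr_min {
    uint32_t kernel_size;
    uint32_t kernel_addr;
    uint32_t ramdisk_size;
    uint32_t ramdisk_addr;
};

/* True only if [addr, addr+size) is non-empty, does not wrap around the
 * address space, lies wholly inside the load window, and does not touch
 * the bootloader itself. */
static bool region_ok(uint32_t addr, uint32_t size)
{
    if (size == 0 || addr > UINT32_MAX - size) /* empty or addr+size wraps */
        return false;
    uint32_t end = addr + size;
    if (addr < LOAD_BASE || end > LOAD_END)    /* outside permitted window */
        return false;
    if (addr < LK_END && end > LK_BASE)        /* overlaps the bootloader  */
        return false;
    return true;
}

/* Validates the untrusted header before any copy to RAM takes place. The
 * pre-patch behaviour described in the advisory amounts to skipping this
 * function and trusting the header as-is. */
bool header_load_addrs_ok(const struct boot_img_hdr_min *h)
{
    if (!region_ok(h->kernel_addr, h->kernel_size) ||
        !region_ok(h->ramdisk_addr, h->ramdisk_size))
        return false;
    /* kernel and ramdisk must also not overlap each other */
    uint32_t kend = h->kernel_addr + h->kernel_size;
    uint32_t rend = h->ramdisk_addr + h->ramdisk_size;
    return !(h->kernel_addr < rend && h->ramdisk_addr < kend);
}

/* Convenience wrapper so callers can test a header given as four fields. */
bool check_load_addrs(uint32_t kaddr, uint32_t ksize, uint32_t raddr, uint32_t rsize)
{
    struct boot_img_hdr_min h = { ksize, kaddr, rsize, raddr };
    return header_load_addrs_ok(&h);
}
```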

Access Vector: Local
Security Risk: Critical

Affected Versions:

All Little Kernel (LK) bootloader implementations on CAF from the following heads: master, jb*, ics*

Patch:

We advise customers to apply the following patches:

https://www.codeaurora.org/cgit/quic/la/kernel/lk/commit/?id=0e163a4eec7b7fcaa4fe066b0207802e5503e10f

https://www.codeaurora.org/cgit/quic/la/kernel/lk/commit/?id=23b60d464d7ac4d2a740a0fdf957959cd72187d4

https://www.codeaurora.org/cgit/quic/la/kernel/lk/commit/?id=d14bb4dd336161b17dcc4a3c51b43a5a467754c9

Acknowledgement:

This vulnerability was disclosed by Dan Rosenberg in a post on the Azimuth Security blog.

Revisions:

Initial revision

Contact:

security-advisory@quicinc.com