Software Integrity Blog

 

CyRC Vulnerability Advisory: CVE-2020-7958 biometric data disclosure vulnerability in OnePlus 7 Pro Android phone

Read the Synopsys Cybersecurity Research Center’s (CyRC) analysis of CVE-2020-7958, a biometric data disclosure vulnerability in the OnePlus 7 Pro Android phone.

Overview

CVE-2020-7958 refers to a vulnerability that can lead to the disclosure of user biometric data in OnePlus 7 Pro Android phones. This vulnerability allows an attacker with root privileges to retrieve bitmap fingerprint images from the Trusted Execution Environment (TEE). Software builds prior to 10.0.3.GM21BA released on Jan. 7, 2020, are affected. Read the CVE entry.

Impact

The vulnerability allows a privileged user (root) in the Rich Execution Environment (REE) to retrieve bitmap fingerprint images from the fingerprint sensor that should only be accessible in the TEE.

CVSS 3.0 vector:

AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N/E:F/RL:O/RC:C/CR:H/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X

CVSS 3.0 overall score: 6.6

CWEs: CWE-215, CWE-489

Technical details

After the attacker obtains root privileges in the REE, it becomes possible to communicate directly with the factory testing APIs exposed by Trusted Applications (TAs) running in the TEE. The attacker can invoke a sequence of commands to obtain raw fingerprint images in the REE.

Remediation

Users should update the software build of their OnePlus 7 Pro devices to the latest available version. OnePlus Technology fixed this vulnerability in the 10.0.3.GM21BA software build.

Product description

OnePlus 7 Pro is a OnePlus flagship Android phone from 2019. More information about the device is available from the vendor’s website.

Discovery credit

A team of researchers from the Synopsys Cybersecurity Research Center (CyRC) in London discovered this issue:

  • Georgi Boiko
  • Artem Gonchar
  • Andrew Lee-Thorp

Synopsys would like to thank the OnePlus security team for their swift and active engagement in addressing this vulnerability.

Timeline

  • July 10, 2019: Synopsys consultants discover the issue.
  • Aug. 14, 2019: Synopsys engages US-CERT.
  • Oct. 7, 2019: Synopsys engages OnePlus.
  • Nov. 13, 2019: Synopsys consultants test a vendor patch and confirm issue resolution.
  • Jan. 7, 2020: OnePlus publishes the firmware update.
  • April 14, 2020: CyRC publishes this advisory.