The Synopsys Software Integrity Group is now Black Duck®. Learn More

close search bar

Sorry, not available in this language yet

close language selection

CyRC Vulnerability Advisory: CVE-2020-7958 biometric data disclosure vulnerability in OnePlus 7 Pro Android phone

Black Duck Editorial Staff

Apr 13, 2020 / 1 min read

Overview

CVE-2020-7958 refers to a vulnerability that can lead to the disclosure of user biometric data in OnePlus 7 Pro Android phones. This vulnerability allows an attacker with root privileges to retrieve bitmap fingerprint images from the Trusted Execution Environment (TEE). Software builds prior to 10.0.3.GM21BA released on Jan. 7, 2020, are affected. Read the CVE entry.

Impact

The vulnerability allows a privileged user (root) in the Rich Execution Environment (REE) to retrieve bitmap fingerprint images from the fingerprint sensor that should only be accessible in the TEE.

CVSS 3.0 vector:

AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N/E:F/RL:O/RC:C/CR:H/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X

CVSS 3.0 overall score: 6.6

CWEs: CWE-215, CWE-489

Technical details

After the attacker obtains root privileges in the REE, it becomes possible to communicate directly with the factory testing APIs exposed by Trusted Applications (TAs) running in the TEE. The attacker can invoke a sequence of commands to obtain raw fingerprint images in the REE.

Remediation

Users should update the software build of their OnePlus 7 Pro devices to the latest available version. OnePlus Technology fixed this vulnerability in the 10.0.3.GM21BA software build.

Product description

OnePlus 7 Pro is a OnePlus flagship Android phone from 2019. More information about the device is available from the vendor’s website.

Discovery credit

A team of researchers from the Black Duck Cybersecurity Research Center (CyRC) in London discovered this issue:

  • Georgi Boiko
  • Artem Gonchar
  • Andrew Lee-Thorp

Black Duck would like to thank the OnePlus security team for their swift and active engagement in addressing this vulnerability.

Timeline

  • July 10, 2019: Black Duck consultants discover the issue.
  • Aug. 14, 2019: Black Duck engages US-CERT.
  • Oct. 7, 2019: Black Ducks engages OnePlus.
  • Nov. 13, 2019: Black Duck consultants test a vendor patch and confirm issue resolution.
  • Jan. 7, 2020: OnePlus publishes the firmware update.
  • April 14, 2020: CyRC publishes this advisory.

Continue Reading

Explore Topics