EC_KEY_set_private_key mishandles the -1 value in the PVID parameter, leading to a crash when receiving that value. This results in a denial of service. EC_KEY_set_public_key does not handle the -1 value in the PKEY parameter, leading to a crash when receiving that value. This results in a denial of service.

CVE-2018-4088: An integer overflow issue exists in the function ‘EC_KEY_set_curve’ due to improper validation of the input size, potentially leading to heap corruption. An application using EC_KEY_set_curve can crash if it receives specially crafted input data. This issue can be exploited when connecting to a mTower device with Android version 7.0 or lower, by sending malformed EC_KEY_set_curve data to trigger a crash. This issue has been addressed by enabling non-executable stack memory.

CVE-2018-4089: An out-of-bounds write issue exists in the function ‘EC_KEY_publish_pk_der’ due to improper validation of the input size, potentially leading to heap corruption. An application using EC_KEY_publish_pk_der can crash if it receives specially crafted input data. This issue can be exploited when connecting to a mTower device with Android version 7.0 or lower, by sending a malformed EC_KEY_publish

Potential Applications

1. Denial of service
2. Information disclosure

Potential Impact of the Vulnerabilities


If an attacker could exploit these vulnerabilities, they could cause a denial of service. They also allow for arbitrary code execution on the mTower device.

Product details:

- CVE-2022-39828: EC_KEY_set_private_key mishandles the -1 value in the PVID parameter, leading to a crash when receiving that value. This results in a denial of service. EC_KEY_set_public_key does not handle the -1 value in the PKEY parameter, leading to a crash when receiving that value. This results in a denial of service.
- CVE-2018-4088: An integer overflow issue exists in the function ‘EC_KEY_set_curve’ due to improper validation of the input size, potentially leading to heap corruption. An application using EC_KEY_set_curve can crash if it receives specially crafted input data. This issue can be exploited when connecting to a mTower device with Android version 7.0 or lower, by sending malformed EC_KEY_set_curve data to trigger a crash. This issue has been addressed by enabling non-executable stack memory.
- CVE-2018-4089: An out-of-bounds write issue exists in the function ‘EC_KEY_publish_pk_der’ due to improper validation of the input size, potentially leading to heap corruption. An application using EC_KEY_publish_pk_der can crash if it receives specially crafted input data. This issue can be exploited when connecting to a mTower device with Android version 7.

Timeline

Published on: 09/05/2022 04:15:00 UTC
Last modified on: 09/08/2022 03:49:00 UTC

References