CVE-2016-10338
Description
A privilege escalation vulnerability in Android's RPMB processing allows an attacker to write critical secure storage data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The issue is in RPMB (Replay Protected Memory Block) processing, in the kernel's handling of RPMB requests, which are used for secure storage operations. It affects all Android releases from CAF (Code Aurora Forum) using the Linux kernel as of June 2017 [1].
Exploitation
An attacker needs to have local access and the ability to execute arbitrary code in the context of the kernel. The exploitation involves sending crafted RPMB commands that trigger the vulnerability. The exact sequence of steps is not detailed in the available references, but it is likely achieved through a malicious application that exploits a missing bounds check or similar flaw [1].
Impact
Successful exploitation leads to elevation of privilege, allowing an attacker to gain kernel-level access. This enables full control over the device's secure storage, meaning the attacker can read, modify, or delete RPMB data. This compromises the confidentiality, integrity, and availability of secure data, such as DRM keys or device credentials [1].
Mitigation
The fix was included in the Android Security Bulletin dated June 1, 2017. Users should apply the security update to their devices. No workaround is provided, as the fix requires a kernel update [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Qualcomm, Inc. / All Qualcomm products (v5). Range: All Android releases from CAF using the Linux kernel
Patches
No patches discovered yet.
References
- www.securityfocus.com/bid/98874 (nvd: Third Party Advisory, VDB Entry)
- source.android.com/security/bulletin/2017-06-01 (nvd: Vendor Advisory)
- www.securitytracker.com/id/1038623 (nvd)