CVE-2023-20754

Vulnerability

In the keyinstall component of MediaTek chipsets, an integer overflow (CWE-190) can lead to an out-of-bounds write. The vulnerability exists in multiple chipsets including MT6580, MT6731, MT6735, MT6737, MT6739, MT6753, MT6757, MT6757C, MT6757CD, MT6757CH, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, and others [1]. Exploitation requires System execution privileges, and no user interaction is needed. The issue is identified by Patch ID ALPS07563028 and Issue ID ALPS07588343.

Exploitation

An attacker with System execution privileges can trigger the integer overflow in keyinstall, causing an out-of-bounds write. The exact sequence of operations is not publicly detailed, but the overflow occurs during key installation processing. No user interaction is required, and the attacker can execute the exploit locally on the device.

Impact

Successful exploitation leads to local escalation of privilege (EoP). Although the attacker already has System execution privileges, the out-of-bounds write can corrupt kernel memory or other critical structures, potentially allowing full compromise of the device or access to sensitive data [1].

Mitigation

MediaTek has provided patches to device OEMs as part of the July 2023 security bulletin [1]. The patch ID is ALPS07563028. OEMs are expected to incorporate the fix into their firmware updates. Users should apply updates from their device manufacturer when available. No workaround is documented, and the vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.