CVE-2023-20756

Vulnerability

In the keyinstall component of MediaTek chipsets, an integer overflow vulnerability (CWE-190) can lead to an out-of-bounds write. The affected chipsets include MT6580, MT6731, MT6735, MT6737, MT6739, MT6753, MT6757, MT6757C, MT6757CD, MT6757CH, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, and others [1]. The vulnerability is present in the keyinstall functionality and requires System execution privileges to trigger.

Exploitation

An attacker with System execution privileges can exploit the integer overflow to cause an out-of-bounds write. No user interaction is required. The attacker would need to have local access to the device and the ability to execute code with System privileges. The exact sequence of steps is not detailed in the available references, but the integer overflow in keyinstall can be triggered to write beyond allocated memory boundaries.

Impact

Successful exploitation leads to local escalation of privilege (EoP) within the System context. The out-of-bounds write could allow the attacker to overwrite critical kernel or system data, potentially gaining elevated privileges or causing a denial of service. The impact is limited to the device's local environment.

Mitigation

MediaTek has released a patch (ALPS07510064) for this issue, which is included in the July 2023 security bulletin [1]. Device OEMs were notified at least two months prior to publication. Users should apply the latest firmware updates from their device manufacturer. No workaround is provided; updating to a patched version is the recommended mitigation.