CVE-2023-21510
Description
Out-of-bounds Read vulnerability while processing BC_TUI_CMD_UPDATE_SCREEN in bc_tui trustlet from Samsung Blockchain Keystore prior to version 1.3.12.1 allows local attacker to read arbitrary memory.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Out-of-bounds read in Samsung Blockchain Keystore BC_TUI trustlet allows local attacker to read arbitrary memory prior to version 1.3.12.1.
Vulnerability
An out-of-bounds read vulnerability exists in the bc_tui trustlet of the Samsung Blockchain Keystore when processing the BC_TUI_CMD_UPDATE_SCREEN command. The issue affects versions prior to 1.3.12.1. The flaw occurs in the trusted UI (TUI) component, which handles secure display of user interface elements during sensitive operations such as PIN entry or transaction confirmation. The vulnerability allows reading memory outside the intended buffer bounds, potentially leaking sensitive data.
Exploitation
Exploitation requires local access to the device and the ability to send crafted TUI commands to the bc_tui trustlet. The attacker must have already achieved user-level code execution on the Android system or be an application with appropriate permissions to interact with the Samsung Blockchain Keystore service. By sending a malicious BC_TUI_CMD_UPDATE_SCREEN command with manipulated parameters (e.g., buffer size or offset), the trustlet reads memory beyond the allocated region and returns the data to the caller. No additional user interaction is needed beyond launching the malicious application.
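The bounds check that this class of bug calls for, as an added example that is not Samsung's code or part of the original record. The request layout, field names, buffer size and function names are all hypothetical, since the record does not publish the trustlet's actual command format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCREEN_BUF_SIZE 256u  /* assumed size of the trustlet-side buffer */

/* Hypothetical request layout; both fields are caller-controlled. */
typedef struct {
    uint32_t offset;  /* start position inside the screen buffer */
    uint32_t length;  /* number of bytes the caller asks to get back */
} update_screen_req;

enum { TUI_OK = 0, TUI_ERR_BAD_PARAM = -1 };

/* Flawed pattern: the 32-bit sum wraps, so a huge offset plus a small
 * length produces a small value that passes the comparison. */
int range_ok_flawed(const update_screen_req *r) {
    return (uint32_t)(r->offset + r->length) <= SCREEN_BUF_SIZE;
}

/* Hardened check: never add two untrusted values. Bound the offset
 * first, then compare the length against the space that remains. */
int range_ok(const update_screen_req *r) {
    if (r->offset > SCREEN_BUF_SIZE) return 0;
    return r->length <= SCREEN_BUF_SIZE - r->offset;
}

/* Handler sketch: validate a private copy of the request so the caller
 * cannot change the values after the check, then copy out. */
int handle_update_screen(const uint8_t *screen, const update_screen_req *shared,
                         uint8_t *out, size_t out_cap, uint32_t *out_len) {
    update_screen_req req = *shared;
    *out_len = 0;
    if (!range_ok(&req) || req.length > out_cap) return TUI_ERR_BAD_PARAM;
    memcpy(out, screen + req.offset, req.length);
    *out_len = req.length;
    return TUI_OK;
}

int main(void) {
    update_screen_req wrap = { 0xFFFFFFF0u, 0x20u };  /* constructed input */
    printf("flawed check accepts: %d, hardened check accepts: %d\n",
           range_ok_flawed(&wrap), range_ok(&wrap));
    return 0;
}
```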
Impact
Successful exploitation leads to an out-of-bounds read, allowing the attacker to read arbitrary memory from the trustlet's address space. This can disclose sensitive information such as cryptographic keys, PIN codes, or other private data processed within the Trusted Execution Environment (TEE). The impact is limited to information disclosure, as the vulnerability does not enable code execution or privilege escalation beyond the trustlet context.
Mitigation
The vulnerability is fixed in Samsung Blockchain Keystore version 1.3.12.1. Users should update the trustlet to the latest version available via Samsung's software update mechanism (Settings > Software update). The fix was included in the May 2023 security maintenance release [1]. There are no known workarounds for unpatched versions.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries:
- (no CPE), range: <1.3.12.1
- (no CPE), range: unspecified
Patches
No patches discovered yet.
References
1 reference