CVE-2023-30722
Description
Protection Mechanism Failure in bc_tui trustlet from Samsung Blockchain Keystore prior to version 1.3.13.5 allows a local attacker to execute arbitrary code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A protection mechanism failure in Samsung Blockchain Keystore's bc_tui trustlet before version 1.3.13.5 allows a local attacker to execute arbitrary code.
Vulnerability
The vulnerability resides in the bc_tui trustlet of Samsung Blockchain Keystore prior to version 1.3.13.5 [1]. A protection mechanism failure allows a local attacker to bypass intended security controls and execute arbitrary code within the trustlet's context [1].
Exploitation
To exploit this vulnerability, an attacker must have local access to the device [1]. The exact steps are not detailed in the available references, but the condition is that the attacker can trigger the vulnerable code path in the trustlet without requiring additional authentication beyond local access [1].
Impact
Successful exploitation allows the attacker to execute arbitrary code within the context of the bc_tui trustlet [1]. This could lead to a full compromise of the trusted execution environment (TEE) trustlet, potentially allowing the attacker to access or manipulate sensitive data processed by the Blockchain Keystore, such as cryptographic keys [1]. The privilege level achieved is that of the trustlet itself, which typically has higher privileges than user-space applications [1].
Mitigation
Samsung has released version 1.3.13.5 of the Blockchain Keystore which fixes this vulnerability [1]. Users should update to this version or later through Samsung's security update process, which is typically delivered via the September 2023 Security Maintenance Release [1]. No workarounds are documented.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <1.3.13.5
- (no CPE) range: 1.3.13.5
Patches
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.