SBA Security Advisory – Mediatek Modem – Selection of less-secure algorithm during negotiation ‘algorithm downgrade’ (CVE-2024-20069)
Vulnerability Overview
In the modem, the client can be forced into accepting a less secure key exchange algorithm during the VoWiFi IKE handshake due to a missing downgrade check on the proposed Diffie-Hellman (DH) group. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01286330; Issue ID: MSV-1430.
Affected Chipsets: MT6833, MT6853, MT6855, MT6873, MT6875, MT6875T, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893, MT8675, MT8771, MT8791T, MT8797.
Affected Software Version: Modem NR15.
- Type of Vulnerability: Active Downgrade Attack
- Fixed in Version: Android Security Patch Level (SPL) 2024-06-01
- CVSS Vector: CVSS v3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- CVSS Base Score: 7.1 (High)
The vulnerability has also been assigned a CVD number by the GSMA and is tracked as CVD-2024-0089.
Recommended Countermeasure
We recommend to update the Smartphone to Android Security Patch Level (SPL) 2024-06-01 or later. For further details, see full paper.
Links
Full Paper
MediaTek June 2024 Product Security Bulletin
Android Security Bulletin
Github Repository
Credits
Gabriel Gegenhuber (SBA Research, Universität Wien)
Florian Holzbauer (Universität Wien)
Philipp Frenzel (SBA Research)
Edgar Weippl (Universität Wien, CDL-SQI)
Adrian Dabrowski (CISPA)