Floragasse 7 – 5th floor, 1040 Vienna
Subscribe to our Newsletter

News

SBA Security Advisory – Mediatek Modem – Selection of less-secure algorithm during negotiation ‘algorithm downgrade’ (CVE-2024-20069)

Vulnerability Overview

In the modem, the client can be forced into accepting a less secure key exchange algorithm during the VoWiFi IKE handshake due to a missing downgrade check on the proposed Diffie-Hellman (DH) group. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01286330; Issue ID: MSV-1430.

Affected Chipsets: MT6833, MT6853, MT6855, MT6873, MT6875, MT6875T, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893, MT8675, MT8771, MT8791T, MT8797.

Affected Software Version: Modem NR15.

  • Type of Vulnerability: Active Downgrade Attack
  • Fixed in Version: Android Security Patch Level (SPL) 2024-06-01
  • CVE ID: CVE-2024-20069
  • CVSS Vector: CVSS v3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • CVSS Base Score: 7.1 (High)

The vulnerability has also been assigned a CVD number by the GSMA and is tracked as CVD-2024-0089.

Recommended Countermeasure

We recommend to update the Smartphone to Android Security Patch Level (SPL) 2024-06-01 or later. For further details, see full paper.

Links

Full Paper
MediaTek June 2024 Product Security Bulletin
Android Security Bulletin
Github Repository

Credits

Gabriel Gegenhuber (SBA Research, Universität Wien)
Florian Holzbauer (Universität Wien)
Philipp Frenzel (SBA Research)
Edgar Weippl (Universität Wien, CDL-SQI)
Adrian Dabrowski (CISPA)

Mediatek Acknowledgement
Android Acknowledgement