The Synopsys Software Integrity Group is now Black Duck®. Learn More

close search bar

Sorry, not available in this language yet

close language selection
  • English
  • 日本語

CyRC Vulnerability Advisory: CVE-2020-7958 biometric data disclosure vulnerability in OnePlus 7 Pro Android phone

Black Duck Editorial Staff

Apr 13, 2020 / 1 min read

Table of Contents

Overview

CVE-2020-7958 refers to a vulnerability that can lead to the disclosure of user biometric data in OnePlus 7 Pro Android phones. This vulnerability allows an attacker with root privileges to retrieve bitmap fingerprint images from the Trusted Execution Environment (TEE). Software builds prior to 10.0.3.GM21BA released on Jan. 7, 2020, are affected. Read the CVE entry.

Impact

The vulnerability allows a privileged user (root) in the Rich Execution Environment (REE) to retrieve bitmap fingerprint images from the fingerprint sensor that should only be accessible in the TEE.

CVSS 3.0 vector:

AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N/E:F/RL:O/RC:C/CR:H/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X

CVSS 3.0 overall score: 6.6

CWEs: CWE-215, CWE-489

Technical details

After the attacker obtains root privileges in the REE, it becomes possible to communicate directly with the factory testing APIs exposed by Trusted Applications (TAs) running in the TEE. The attacker can invoke a sequence of commands to obtain raw fingerprint images in the REE.

Remediation

Users should update the software build of their OnePlus 7 Pro devices to the latest available version. OnePlus Technology fixed this vulnerability in the 10.0.3.GM21BA software build.

Product description

OnePlus 7 Pro is a OnePlus flagship Android phone from 2019. More information about the device is available from the vendor’s website.

Discovery credit

A team of researchers from the Black Duck Cybersecurity Research Center (CyRC) in London discovered this issue:

  • Georgi Boiko
  • Artem Gonchar
  • Andrew Lee-Thorp

Black Duck would like to thank the OnePlus security team for their swift and active engagement in addressing this vulnerability.

Timeline

  • July 10, 2019: Black Duck consultants discover the issue.
  • Aug. 14, 2019: Black Duck engages US-CERT.
  • Oct. 7, 2019: Black Ducks engages OnePlus.
  • Nov. 13, 2019: Black Duck consultants test a vendor patch and confirm issue resolution.
  • Jan. 7, 2020: OnePlus publishes the firmware update.
  • April 14, 2020: CyRC publishes this advisory.

Continue Reading

Black Duck takes flight

Black Duck takes flight

Jason Schmitt
By Jason Schmitt

Oct 01, 2024 / 2 min read

Tags: Security News & Trends
A new identity for the Synopsys Software Integrity Group

A new identity for the Synopsys Software Integrity Group

Jason Schmitt
By Jason Schmitt

Aug 12, 2024 / 2 min read

Tags: Security News & Trends
CyRC Vulnerability Advisory: CVE-2024-5184s prompt injection in EmailGPT service

CyRC Vulnerability Advisory: CVE-2024-5184s prompt injection in EmailGPT service

Mohammed Alshehri
By Mohammed Alshehri

Jun 04, 2024 / 1 min read

Tags: Security News & Trends, CyRC

Explore Topics

Agile, CI/CD
AppSec Best Practices
Artificial Intelligence
Automotive
Build Security into DevOps
Cloud Security
Compliance
Container Security
CyRC
DevSecOps
DAST
Financial Services
Fuzzing
Healthcare
IAST
Internet of Things
M&A
Manage Security Risks
Medical Devices
Mobile
Orchestration & Correlation
OSS License Compliance
Pen Testing
Program Strategy & Planning
Public Sector
SAST
SCA
Secure the Software Supply Chain
Security News & Trends
Threat Modeling
Threat & Risk Assessment
Training
Web Application Security
©2024 Black Duck Software, Inc. All Rights Reserved