GSD-2023-46139

Vulnerability from gsd - Updated: 2023-12-13 01:20
Details
KernelSU is a Kernel based root solution for Android. Starting in version 0.6.1 and prior to version 0.7.0, if a KernelSU installed device is infected with a malware whose app signing block specially constructed, it can take over root privileges on the device. The vulnerable verification logic actually obtains the signature of the last block with an id of `0x7109871a`, while the verification logic during Android installation is to obtain the first one. In addition to the actual signature upgrade that has been fixed (KSU thought it was V2 but was actually V3), there is also the problem of actual signature downgrading (KSU thought it was V2 but was actually V1). Find a condition in the signature verification logic that will cause the signature not to be found error, and KernelSU does not implement the same conditions, so KSU thinks there is a V2 signature, but the APK signature verification actually uses the V1 signature. This issue is fixed in version 0.7.0. As workarounds, keep the KernelSU manager installed and avoid installing unknown apps.
Aliases
Aliases
CVE-2023-46139
To clipboard 

{
  "GSD": {
    "alias": "CVE-2023-46139",
    "id": "GSD-2023-46139"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-46139"
      ],
      "details": "KernelSU is a Kernel based root solution for Android. Starting in version 0.6.1 and prior to version 0.7.0, if a KernelSU installed device is infected with a malware whose app signing block specially constructed, it can take over root privileges on the device. The vulnerable verification logic actually obtains the signature of the last block with an id of `0x7109871a`, while the verification logic during Android installation is to obtain the first one. In addition to the actual signature upgrade that has been fixed (KSU thought it was V2 but was actually V3), there is also the problem of actual signature downgrading (KSU thought it was V2 but was actually V1). Find a condition in the signature verification logic that will cause the signature not to be found error, and KernelSU does not implement the same conditions, so KSU thinks there is a V2 signature, but the APK signature verification actually uses the V1 signature. This issue is fixed in version 0.7.0. As workarounds, keep the KernelSU manager installed and avoid installing unknown apps.",
      "id": "GSD-2023-46139",
      "modified": "2023-12-13T01:20:52.693214Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-46139",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "KernelSU",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 0.6.1, \u003c 0.7.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "tiann"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "KernelSU is a Kernel based root solution for Android. Starting in version 0.6.1 and prior to version 0.7.0, if a KernelSU installed device is infected with a malware whose app signing block specially constructed, it can take over root privileges on the device. The vulnerable verification logic actually obtains the signature of the last block with an id of `0x7109871a`, while the verification logic during Android installation is to obtain the first one. In addition to the actual signature upgrade that has been fixed (KSU thought it was V2 but was actually V3), there is also the problem of actual signature downgrading (KSU thought it was V2 but was actually V1). Find a condition in the signature verification logic that will cause the signature not to be found error, and KernelSU does not implement the same conditions, so KSU thinks there is a V2 signature, but the APK signature verification actually uses the V1 signature. This issue is fixed in version 0.7.0. As workarounds, keep the KernelSU manager installed and avoid installing unknown apps."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-863",
                "lang": "eng",
                "value": "CWE-863: Incorrect Authorization"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/tiann/KernelSU/security/advisories/GHSA-86cp-3prf-pwqq",
            "refsource": "MISC",
            "url": "https://github.com/tiann/KernelSU/security/advisories/GHSA-86cp-3prf-pwqq"
          },
          {
            "name": "https://github.com/tiann/KernelSU/commit/d24813b2c3738f2f9bd762932141cadd948c354f",
            "refsource": "MISC",
            "url": "https://github.com/tiann/KernelSU/commit/d24813b2c3738f2f9bd762932141cadd948c354f"
          },
          {
            "name": "https://drive.google.com/drive/folders/1XdYCCAhC_mkt1k1IyUiwcgFsuOFvwNRl",
            "refsource": "MISC",
            "url": "https://drive.google.com/drive/folders/1XdYCCAhC_mkt1k1IyUiwcgFsuOFvwNRl"
          },
          {
            "name": "https://github.com/tiann/KernelSU/blob/344c08bb79ba12b692016750cda363f9f3500182/kernel/apk_sign.c#L179C32-L179C32",
            "refsource": "MISC",
            "url": "https://github.com/tiann/KernelSU/blob/344c08bb79ba12b692016750cda363f9f3500182/kernel/apk_sign.c#L179C32-L179C32"
          },
          {
            "name": "https://github.com/tiann/KernelSU/blob/344c08bb79ba12b692016750cda363f9f3500182/kernel/apk_sign.c#L188",
            "refsource": "MISC",
            "url": "https://github.com/tiann/KernelSU/blob/344c08bb79ba12b692016750cda363f9f3500182/kernel/apk_sign.c#L188"
          },
          {
            "name": "http://aospxref.com/android-14.0.0_r2/xref/frameworks/base/core/java/android/util/apk/ApkSigningBlockUtils.java#770",
            "refsource": "MISC",
            "url": "http://aospxref.com/android-14.0.0_r2/xref/frameworks/base/core/java/android/util/apk/ApkSigningBlockUtils.java#770"
          },
          {
            "name": "http://aospxref.com/android-14.0.0_r2/xref/frameworks/base/core/java/android/util/apk/ApkSigningBlockUtils.java#783",
            "refsource": "MISC",
            "url": "http://aospxref.com/android-14.0.0_r2/xref/frameworks/base/core/java/android/util/apk/ApkSigningBlockUtils.java#783"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-86cp-3prf-pwqq",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:kernelsu:kernelsu:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "0.7.0",
                "versionStartIncluding": "0.6.1",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2023-46139"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "KernelSU is a Kernel based root solution for Android. Starting in version 0.6.1 and prior to version 0.7.0, if a KernelSU installed device is infected with a malware whose app signing block specially constructed, it can take over root privileges on the device. The vulnerable verification logic actually obtains the signature of the last block with an id of `0x7109871a`, while the verification logic during Android installation is to obtain the first one. In addition to the actual signature upgrade that has been fixed (KSU thought it was V2 but was actually V3), there is also the problem of actual signature downgrading (KSU thought it was V2 but was actually V1). Find a condition in the signature verification logic that will cause the signature not to be found error, and KernelSU does not implement the same conditions, so KSU thinks there is a V2 signature, but the APK signature verification actually uses the V1 signature. This issue is fixed in version 0.7.0. As workarounds, keep the KernelSU manager installed and avoid installing unknown apps."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-863"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/tiann/KernelSU/blob/344c08bb79ba12b692016750cda363f9f3500182/kernel/apk_sign.c#L188",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/tiann/KernelSU/blob/344c08bb79ba12b692016750cda363f9f3500182/kernel/apk_sign.c#L188"
            },
            {
              "name": "https://drive.google.com/drive/folders/1XdYCCAhC_mkt1k1IyUiwcgFsuOFvwNRl",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://drive.google.com/drive/folders/1XdYCCAhC_mkt1k1IyUiwcgFsuOFvwNRl"
            },
            {
              "name": "https://github.com/tiann/KernelSU/security/advisories/GHSA-86cp-3prf-pwqq",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/tiann/KernelSU/security/advisories/GHSA-86cp-3prf-pwqq"
            },
            {
              "name": "https://github.com/tiann/KernelSU/blob/344c08bb79ba12b692016750cda363f9f3500182/kernel/apk_sign.c#L179C32-L179C32",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/tiann/KernelSU/blob/344c08bb79ba12b692016750cda363f9f3500182/kernel/apk_sign.c#L179C32-L179C32"
            },
            {
              "name": "https://github.com/tiann/KernelSU/commit/d24813b2c3738f2f9bd762932141cadd948c354f",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/tiann/KernelSU/commit/d24813b2c3738f2f9bd762932141cadd948c354f"
            },
            {
              "name": "http://aospxref.com/android-14.0.0_r2/xref/frameworks/base/core/java/android/util/apk/ApkSigningBlockUtils.java#783",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "http://aospxref.com/android-14.0.0_r2/xref/frameworks/base/core/java/android/util/apk/ApkSigningBlockUtils.java#783"
            },
            {
              "name": "http://aospxref.com/android-14.0.0_r2/xref/frameworks/base/core/java/android/util/apk/ApkSigningBlockUtils.java#770",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "http://aospxref.com/android-14.0.0_r2/xref/frameworks/base/core/java/android/util/apk/ApkSigningBlockUtils.java#770"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 5.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
            "version": "3.1"
          },
          "exploitabilityScore": 1.5,
          "impactScore": 3.7
        }
      },
      "lastModifiedDate": "2023-11-14T19:59Z",
      "publishedDate": "2023-10-31T00:15Z"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.