CVE-2020-7958 in OnePlus 7 Pro
Summary
by MITRE
An issue was discovered on OnePlus 7 Pro devices before 10.0.3.GM21BA. The firmware was found to contain functionality that allows a privileged user (root) in the Rich Execution Environment (REE) to obtain bitmap images from the fingerprint sensor because of Leftover Debug Code. The issue is that the Trusted Application (TA) supports an extended number of commands beyond what is needed to implement a fingerprint authentication system compatible with Android. An attacker who is in the position to send commands to the TA (for example, the root user) is able to send a sequence of these commands that will result in the TA sending a raw fingerprint image to the REE. This means that the Trusted Execution Environment (TEE) no longer protects identifiable fingerprint data from the REE.
Analysis
by VulDB Data Team • 05/19/2024
The vulnerability identified as CVE-2020-7958 represents a critical security flaw in OnePlus 7 Pro devices running firmware versions prior to 10.0.3.GM21BA. This issue stems from leftover debug code embedded within the device's firmware that was not removed before the final release. The vulnerability concerns the boundary between the Rich Execution Environment (REE), where Android itself runs, and the Trusted Execution Environment (TEE), which is meant to keep sensitive data isolated from the REE; the leftover debug functionality allows that boundary to be crossed. The presence of debug functionality within production firmware represents a fundamental failure in the security testing and code review processes, as such code should never be present in final builds according to industry best practices.
The technical implementation of this vulnerability involves the Trusted Application (TA) that handles fingerprint authentication within the Trusted Execution Environment. This TA was designed to support a broader range of commands than necessary for basic fingerprint authentication, including functionality that was intended for debugging purposes. When a root user in the Rich Execution Environment sends specific command sequences to the TA, the system responds by transmitting raw fingerprint image data to the REE. This represents a complete breakdown of the security isolation that the TEE is designed to maintain, as the sensitive biometric data that should remain protected within the secure environment becomes accessible to the potentially compromised REE. The vulnerability is classified under CWE-489 as "Leftover Debug Code" which is a well-documented weakness that frequently leads to security breaches in embedded systems.
The operational impact of this vulnerability is severe and multifaceted. An attacker with root access to the device can exploit this flaw to extract complete fingerprint images, which can then be used for unauthorized authentication across systems that rely on fingerprint data. This creates a significant risk for users who depend on fingerprint authentication for device security, financial transactions, and access to sensitive applications. The vulnerability essentially transforms the TEE from a protective barrier into a data leak channel, undermining the fundamental security model of mobile devices. According to the ATT&CK framework, this vulnerability maps to T1547.005 (Server Software Component) and T1070.004 (File Deletion), as attackers can leverage this to extract sensitive biometric data and potentially manipulate system components.
The mitigation strategy for CVE-2020-7958 requires immediate firmware updates to remove the leftover debug functionality and to ensure proper code review processes are implemented before device releases. OnePlus has addressed this vulnerability in firmware version 10.0.3.GM21BA, which demonstrates the importance of maintaining secure development practices throughout the software lifecycle. Organizations should also implement comprehensive security testing procedures that include thorough code audits to identify and remove any debug or testing functionality before production deployment. This vulnerability highlights the critical need for adherence to security standards such as those outlined in NIST SP 800-160 for secure system development, particularly in the context of mobile device security where the TEE is expected to provide strong isolation guarantees. The incident underscores the importance of regular security assessments and the principle of least privilege in mobile security architecture.
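The command-dispatch pattern described in the technical and mitigation paragraphs above, shown as an added example that is not OnePlus's TA code: a leftover-debug dispatcher that answers a raw-image command for any REE caller, beside a hardened dispatcher that allowlists only the commands an Android fingerprint HAL needs and compiles the debug handler out of production builds. All command IDs, the sensor frame and the FP_DEBUG_BUILD macro are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical command IDs for a fingerprint TA (constructed; not real OnePlus values). */
enum fp_cmd {
    FP_CMD_ENROLL        = 1,
    FP_CMD_AUTHENTICATE  = 2,
    FP_CMD_CANCEL        = 3,
    FP_CMD_DBG_RAW_IMAGE = 0x100   /* debug-only: returns the raw sensor bitmap */
};
enum fp_status { FP_OK = 0, FP_ERR_BAD_CMD = -1, FP_ERR_DENIED = -2 };

#define FRAME_LEN 16
struct fp_response { int status; size_t len; uint8_t data[FRAME_LEN]; };

/* Constructed stand-in for a captured sensor frame; it must never leave the TEE. */
static const uint8_t sensor_frame[FRAME_LEN] =
    { 0xA1, 0xB2, 0xC3, 0xD4, 0xE5, 0xF6, 0x07, 0x18,
      0x29, 0x3A, 0x4B, 0x5C, 0x6D, 0x7E, 0x8F, 0x90 };

/* Production commands only answer with a one-byte verdict, never pixel data. */
static void reply_verdict(struct fp_response *rsp, uint8_t verdict) {
    memset(rsp, 0, sizeof *rsp);
    rsp->status = FP_OK; rsp->len = 1; rsp->data[0] = verdict;
}

/* Leftover-debug pattern: the raw-image command is wired in unconditionally,
 * so any REE caller that can reach the TA (e.g. root) receives the frame. */
int fp_dispatch_leftover_debug(uint32_t cmd, struct fp_response *rsp) {
    switch (cmd) {
    case FP_CMD_ENROLL: case FP_CMD_AUTHENTICATE: case FP_CMD_CANCEL:
        reply_verdict(rsp, 1); return FP_OK;
    case FP_CMD_DBG_RAW_IMAGE:
        memset(rsp, 0, sizeof *rsp);
        memcpy(rsp->data, sensor_frame, FRAME_LEN); rsp->len = FRAME_LEN;
        rsp->status = FP_OK; return FP_OK;
    default:
        memset(rsp, 0, sizeof *rsp); rsp->status = FP_ERR_BAD_CMD; return FP_ERR_BAD_CMD;
    }
}

/* Hardened pattern: an explicit allowlist of the commands Android needs; the
 * debug handler only exists when FP_DEBUG_BUILD is defined at compile time. */
int fp_dispatch_hardened(uint32_t cmd, struct fp_response *rsp) {
    static const uint32_t allowed[] = { FP_CMD_ENROLL, FP_CMD_AUTHENTICATE, FP_CMD_CANCEL };
    memset(rsp, 0, sizeof *rsp);
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (cmd == allowed[i]) { reply_verdict(rsp, 1); return FP_OK; }
#ifdef FP_DEBUG_BUILD
    if (cmd == FP_CMD_DBG_RAW_IMAGE) { memcpy(rsp->data, sensor_frame, FRAME_LEN);
        rsp->len = FRAME_LEN; rsp->status = FP_OK; return FP_OK; }
#endif
    rsp->status = FP_ERR_DENIED; return FP_ERR_DENIED;   /* unknown or debug: refused, no data */
}
```

A release audit of a TA can apply the same allowlist idea: enumerate every command the dispatcher accepts and require each one to be justified by the Android fingerprint interface.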