Heimdal
article featured image

Contents:

Researchers have discovered four Mediatek vulnerabilities that, if successfully exploited would have permitted malicious hackers to perform a series of actions like Android phone calls eavesdropping, commands execution and increased rights elevation. Three of the discovered flaws were fixed by the company along with the Mediatek Security Bulletin from last month and the fourth will be addressed by next month’s security update.

The Mediatek Vulnerabilities: More Details

The Mediatek vulnerabilities were identified by CheckPoint researchers and these have the following CVEs: CVE-2021-0661, CVE-2021-0662, and CVE-2021-0663, these are caused by an inaccurate bound check that triggers local privilege escalation through the possibility of an out of bound write and the fourth dubbed CVE-2021-0673 for which no details have been provided yet, these being expected next month.

How did the researchers discover these vulnerabilities?

According to their report, a DSP, which means Digital Signal Processor, is the name of the dedicated audio processing unit that is used in modern MediaTek processors. Its role is to work on better performance of the CPU, thus reducing loads, and also works on the performance and quality enhancement of the audio playback.

Android applications transmit audio processing requests to this unit by means of an IPC system and also a driver. That means that an unprivileged application can abuse the vulnerabilities, this leading to using the audio chip to run code or to the manipulation of request handlers.

What’s worth mentioning here is that the audio driver will not establish direct communication with this Digital Signal Processor, meaning that the system control processor (SCP) will receive IPI messages.

Since the DSP firmware has access to the audio data flow, a malformed IPI message could potentially be used by a local attacker to do privilege escalation, and theoretically eavesdrop on the mobile phone’s user.

Source

So the researchers reverse-engineered the Android API that was facilitating the audio communications, making them gain more knowledge about the system and eventually identifying the vulnerabilities under discussion.

What could do a hacker if he chains these Mediatek vulnerabilities? This could lead to cyberattacks based on local privilege escalation, targeting the DSP chip to hide there or run code on it, or sending messages to the DSP firmware.

IPI message

Source

Mitigation Measures Taken by Mediatek

According to BleepingComputer, Mediatek mitigated the CVE-2021-0673 exploitation by eliminating the possibility to use the parameter string command through the AudioManager. More details about this fourth flaw are expected in a bulletin that will be published next month, in December.

For CVE-2021-0661, CVE-2021-0662, CVE-2021-0663, patches were issued during October, so all users using Mediatek chips should implement these security updates as soon as possible to avoid malware infiltration or eavesdropping attacks.

Did you enjoy this article? Follow us on LinkedInTwitterFacebookYoutube, or Instagram to keep up to date with everything we post!

Author Profile

Andra Andrioaie

Security Enthusiast

linkedin icon

Hi! My name is Andra and I am a passionate writer interested in a variety of topics. I am curious about the cybersecurity world and what I want to achieve through what I write is to keep you curious too!

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE