NULL Pointer Dereference in Samsung mTower Affecting Cryptographic Operations
CVE-2022-39829

7.5 HIGH

Key Information:

Vendor: Samsung
Status
Vendor
CVE Published: 5 September 2022

Summary

A NULL pointer dereference exists in the aes256_encrypt function of Samsung mTower because the return value of EVP_CIPHER_CTX_new is not validated before use. This issue affects versions of mTower up to 0.3.0 and can potentially lead to unexpected behavior during cryptographic operations. Developers should ensure that the return value is checked before the context is used to mitigate this risk.
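The check the summary calls for, as an added example (not mTower's code): the function fails closed when the context allocator returns NULL, and a test hook forces that path. `cipher_ctx`, `cipher_ctx_new`, `cipher_update`, `encrypt_checked` and `force_alloc_failure` are hypothetical stand-ins so the block runs without OpenSSL; the XOR transform is a placeholder, not AES.

```c
#include <limits.h>
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical stand-in for OpenSSL's EVP_CIPHER_CTX (assumption, not the real type). */
typedef struct { const unsigned char *key; size_t key_len; } cipher_ctx;
/* Test hook (assumption): when non-zero, the allocator below reports failure. */
static int force_alloc_failure = 0;

/* Stand-in for EVP_CIPHER_CTX_new(): returns NULL when allocation fails. */
static cipher_ctx *cipher_ctx_new(void)
{
    if (force_alloc_failure)
        return NULL;
    return calloc(1, sizeof(cipher_ctx));
}

/* Stand-in for EVP_CIPHER_CTX_free(): like the real call, NULL is a no-op. */
static void cipher_ctx_free(cipher_ctx *ctx) { free(ctx); }

/* Placeholder transform (XOR with the key). NOT encryption; it only uses the context. */
static int cipher_update(cipher_ctx *ctx, unsigned char *out,
                         const unsigned char *in, size_t len)
{
    for (size_t i = 0; i < len; i++)
        out[i] = in[i] ^ ctx->key[i % ctx->key_len];
    return 1;
}

/* Hardened shape: returns the number of bytes written, or -1 on any failure. */
static int encrypt_checked(const unsigned char *in, size_t len,
                           const unsigned char *key, size_t key_len, unsigned char *out)
{
    int ret = -1;
    cipher_ctx *ctx;
    if (in == NULL || key == NULL || out == NULL || key_len == 0 || len > INT_MAX)
        return -1;

    ctx = cipher_ctx_new();
    if (ctx == NULL)        /* the return-value check the summary says is missing */
        return -1;          /* fail closed: nothing is written to out */

    ctx->key = key;         /* safe: ctx is known to be non-NULL here */
    ctx->key_len = key_len;
    if (cipher_update(ctx, out, in, len) == 1)
        ret = (int)len;
    cipher_ctx_free(ctx);
    return ret;
}
```

Callers must treat -1 as an error and must not use the output buffer in that case.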

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
