Vulnerability Description
The image_verify function in platform/msm_shared/image_verify.c in the Little Kernel (LK) bootloader, as distributed with Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not check whether a certain digest size is consistent with the RSA_public_decrypt API specification, which makes it easier for attackers to bypass boot-image authentication requirements via trailing data.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Little Kernel Project | Little Kernel Bootloader | - |
Related Weaknesses (CWE)
References
- http://source.android.com/security/bulletin/2016-07-01.html
- https://www.codeaurora.org/projects/security-advisories/incomplete-signature-parPatch
- http://source.android.com/security/bulletin/2016-07-01.html
- https://www.codeaurora.org/projects/security-advisories/incomplete-signature-parPatch
FAQ
What is CVE-2014-0973?
CVE-2014-0973 is a vulnerability with a CVSS score of 7.2 (HIGH). The image_verify function in platform/msm_shared/image_verify.c in the Little Kernel (LK) bootloader, as distributed with Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and ot...
How severe is CVE-2014-0973?
CVE-2014-0973 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-0973?
Check the references section above for vendor advisories and patch information. Affected products include: Little Kernel Project Little Kernel Bootloader.