Exploitalert - Database of Exploits

Java Card VM Memory Safety

CVE	Category	Price	Severity
CVE-2021-2352	CWE-119	Not specified	High

Author	Risk	Exploitation Type	Date
Unknown	High	Local	2019-03-21

CPE
cpe:cpe:/a:java:card_vm

CVSS	EPSS	EPSSP
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N	0.02192	0.50148

CVSS vector description

Metric	Value	Metric Description	Value Description
Attack vector	Local	AV	The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document).
Attack Complexity	Low	AC	The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Attack Requirements	Present	AT	The successful attack depends on the presence of specific deployment and execution conditions of the vulnerable system that enable the attack. These include: A race condition must be won to successfully exploit the vulnerability. The successfulness of the attack is conditioned on execution conditions that are not under full control of the attacker. The attack may need to be launched multiple times against a single target before being successful. Network injection. The attacker must inject themselves into the logical network path between the target and the resource requested by the victim (e.g. vulnerabilities requiring an on-path attacker).
Privileges Required	Low	PR	The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
User Interaction	None	UI	The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Confidentiality Impact to the Vulnerable System	High	VC	There is a total loss of confidentiality, resulting in all information within the Vulnerable System being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server.
Availability Impact to the Vulnerable System	High	VI	There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the Vulnerable System. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the Vulnerable System.
Availability Impact to the Vulnerable System	High	VA	There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the Vulnerable System; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the Vulnerable System (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks a only small amount of memory, but after repeated exploitation causes a service to become completely unavailable).
Subsequent System Confidentiality Impact	Negligible	SC	There is no loss of confidentiality within the Subsequent System or all confidentiality impact is constrained to the Vulnerable System.
Integrity Impact to the Subsequent System	None	SI	There is no loss of integrity within the Subsequent System or all integrity impact is constrained to the Vulnerable System.
Availability Impact to the Subsequent System	None	SA	There is no loss of availibility within the Subsequent System or all availibility impact is constrained to the Vulnerable System.

https://cxsecurity.com/ascii/WLB-2019030187

Java Card VM Memory Safety

Hello All, We discovered multiple security vulnerabilities in reference implementation of Java Card technology [1] from Oracle used in financial, government, transportation and telecommunication sectors among others. According to Oracle, "Java Card technology provides a secured environment for applications that run on smart cards and other trusted devices with limited memory and processing capabilities. With close to six billion Java Card-based devices deployed each year, Java Card is already a leading software platform to run security services on smart cards and secure elements, which are chips used to protect smartphones, banking cards and government services" [2]. Unfortunately, due to certain architectural choices from the past, it's hard to perceive Java Card technology in terms of security. There are ways for malformed applications loaded into a vulnerable Java Card to easily break memory safety. Such a breach directly leads to the security compromise of a Java Card VM, applet firewall breach and jeopardizes security of co-existing applications. In some cases, whole card environment can be compromised, but that's dependant on the underlying OS / processor architecture (i.e. presence of the flat address space, isolation between tasks). We were able to verify 18 of the issues in the environment of the most recent Java Card 3.1 software from Jan 2019 (Oracle Java Card VM reference implementation in the form of a simulator). One issue was specific to Gemalto [3] cards. These cards could not be immediately exploited with the use of our "favorite" issue found in Oracle reference implementation, so there was a need to find and use another one (which we did). As for the impact, the vulnerabilities found make it possible to break memory safety of the underlying Java Card VM. As a result, full access to smartcard memory could be achieved, applet firewall could be broken or native code execution could be gained. We verified this impact for the following Gemalto SIM cards: - GemXplore 3G V3.0-256K - 3G USIMERA Prime While none of the exploit codes can successfully pass off-card verification process, the vulnerabilities should be still perceived in terms of a significant weak point of given Java Card VM implementation. The reasons are the following: - the vulnerabilities could be used to compromise security of trusted chips used by financial, government and telecommunication sectors, this paves the way for their in-depth analysis [4], which can result in a discovery of far more serious issues, - Java Card thrives to provide secure environment for multiple applications (applets), as such no malicious application should be able to compromise security of the other one, - split verification process is a known architectural / design weakness of Java Card, the environment should at least provide memory safety if type safety cannot be guaranteed (type safety is a direct consequence of memory safety), - the nature of the issues undermine trust to Java Card as a secure environment and software platform eligible to run security services on smart cards and secure elements. It should be emphasized that successful loading of a malicious applet into target card requires either knowledge of the keys or existence of some other means facilitating it (a vulnerability in card OS, installed applications, exposed interfaces, etc.). Such scenarios cannot be excluded though. On Mar 20 2019, Security Explorations sent vulnerability notices to Oracle and Gemalto containing detailed information about discovered vulnerabilities. Thank you. -- Best Regards, Adam Gowdiak --------------------------------------------- Security Explorations http://www.security-explorations.com "We bring security research to a new level" --------------------------------------------- References: [1] JAVA CARD TECHNOLOGY https://www.oracle.com/technetwork/java/embedded/javacard/overview/index.html [2] Oracle Java Card Boosts Security for IoT Devices at the Edge https://www.oracle.com/corporate/pressrelease/oracle-java-card-boosts-security-011619.html [3] Gemalto https://www.gemalto.com/ [4] Reverse engineering Java SIM card http://www.security-explorations.com/materials/javasim-reversing.pdf

Impressum