CVE-2016-10398
Last modified
CVE-2016-10398 is a vulnerability of currently unknown severity. Android 6.0 has an authentication bypass for attackers with root and physical access. Cryptographic authentication tokens (AuthTokens) used by the Trusted Execution Environment (TEE) are protected by a weak challenge. EPSS estimates a 0.19% chance of exploitation in the next 30 days.
Description
Android 6.0 has an authentication bypass for attackers with root and physical access. Cryptographic authentication tokens (AuthTokens) used by the Trusted Execution Environment (TEE) are protected by a weak challenge. This allows adversaries to replay previously captured responses and use the TEE without authenticating. All apps using authentication-gated cryptography are vulnerable to this attack, which was confirmed on the LG Nexus 5X.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Android | 6.0 |
References
- https://homepages.staff.os3.nl/~delaat/rp/2015-2016/p30/report.pdfTechnical Description, Third Party Advisory
- https://homepages.staff.os3.nl/~delaat/rp/2015-2016/p30/report.pdfTechnical Description, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2016-10398?
How severe is CVE-2016-10398?
How do I fix CVE-2016-10398?
Are you affected by CVE-2016-10398?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST