Found hard-coded secret-key for challenge-response on libfprint

Bug #1818936 reported by Seong-Joong Kim
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| libfprint | Fix Released | Unknown | | |
| libfprint (Ubuntu) | Invalid | High | Unassigned | |

Bug Description

Dear all,

We need to fix the hard-coded symmetric key for challenge-response authentication in the `uru4000` driver.

The driver uses a symmetric-key technique to encrypt the challenge data using the AES encryption algorithm for authentication.

"2nd generation MS devices added an AES-based challenge/response authentication scheme, where the device challenges the authenticity of the driver."
link: https://gitlab.freedesktop.org/libfprint/libfprint/blob/master/libfprint/drivers/uru4000.c#L348

Unfortunately, the driver creates risk by exposing a hard-coded secret key as follows:

```c
/* For 2nd generation MS devices */
static const unsigned char crkey[] = {
	0x79, 0xac, 0x91, 0x79, 0x5c, 0xa1, 0x47, 0x8e,
	0x98, 0xe0, 0x0f, 0x3c, 0x59, 0x8f, 0x5f, 0x4b,
};
```
link: https://gitlab.freedesktop.org/libfprint/libfprint/blob/master/libfprint/drivers/uru4000.c#L150

If the library wants to use challenge-response authentication, we need to introduce a new key distribution scheme also.

Furthermore, I don't know why it is really necessary for the library to use it in such a resource-constrained environment.

Lastly, is it a kind of CWE-321: Use of Hard-coded Cryptographic Key? (see https://cwe.mitre.org/data/definitions/321.html)

Many thanks!!
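
A check for the pattern reported above (CWE-321), as an added example that is not part of the original report or of libfprint: it scans C source for byte arrays whose length matches an AES key size and whose contents have high byte entropy. The sample input embeds the `crkey` definition quoted in the report plus two constructed arrays; the function names, the list of C types and the 3.5 bits/byte threshold are assumptions.

```python
import math
import re

AES_KEY_SIZES = {16, 24, 32}  # AES-128/192/256 key lengths in bytes

# Matches definitions like: static const unsigned char name[] = { 0x.., ... };
# The type list is an assumption; extend it for other code bases.
ARRAY_RE = re.compile(
    r"\b(?:unsigned\s+char|uint8_t|guint8|guchar)\s+(\w+)"
    r"\s*\[\s*\d*\s*\]\s*=\s*\{([^}]*)\}", re.S)
# Only hex initializers are parsed; decimal or character initializers are skipped.
HEX_BYTE_RE = re.compile(r"0[xX]([0-9a-fA-F]{1,2})\b")

# Constructed sample: crkey is quoted from the report, pad and cmd are made up.
SAMPLE = """\
/* For 2nd generation MS devices */
static const unsigned char crkey[] = {
 0x79, 0xac, 0x91, 0x79, 0x5c, 0xa1, 0x47, 0x8e,
 0x98, 0xe0, 0x0f, 0x3c, 0x59, 0x8f, 0x5f, 0x4b,
};
static const unsigned char pad[16] = {
 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
static const unsigned char cmd[] = { 0x01, 0x02, 0x03, 0x04 };
"""

def byte_entropy(data: bytes) -> float:
    """Shannon entropy of the array contents, in bits per byte."""
    n = len(data)
    return -sum(data.count(b) / n * math.log2(data.count(b) / n)
                for b in set(data))

def find_key_candidates(source: str, min_entropy: float = 3.5):
    """Return (name, line, length, entropy) for arrays that look like AES keys."""
    findings = []
    for m in ARRAY_RE.finditer(source):
        data = bytes(int(h, 16) for h in HEX_BYTE_RE.findall(m.group(2)))
        if len(data) not in AES_KEY_SIZES:
            continue  # wrong size for an AES key (also skips empty arrays)
        entropy = byte_entropy(data)
        if entropy >= min_entropy:  # filters zero padding, counters, etc.
            line = source.count("\n", 0, m.start()) + 1
            findings.append((m.group(1), line, len(data), entropy))
    return findings

if __name__ == "__main__":
    for name, line, length, entropy in find_key_candidates(SAMPLE):
        print(f"line {line}: {name} ({length} bytes, {entropy:.2f} bits/byte)")
```

A size-and-entropy match only flags a candidate; whether the array is actually used as key material still has to be confirmed by reading the call sites.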

information type: Public → Public Security
Sebastien Bacher (seb128) wrote :

Thank you for your bug report, could you maybe report that upstream? We don't have any active maintainer for that stack in Ubuntu and upstream is better placed to respond to the issues you are raising.

Changed in libfprint (Ubuntu):
importance: Undecided → High
Seong-Joong Kim (sungjungk) wrote :

Okay! I just reported it to upstream.

Sebastien Bacher (seb128) wrote :

Can you share the URL?

Seong-Joong Kim (sungjungk) wrote :
Sebastien Bacher (seb128) wrote :

Thanks

Changed in libfprint (Ubuntu):
status: New → Triaged
Changed in libfprint:
status: Unknown → New
Changed in libfprint:
status: New → Fix Released
Sebastien Bacher (seb128) wrote :

Conclusion from the upstream bug is that it needs to be fixed in the hardware, closing.

Changed in libfprint (Ubuntu):
status: Triaged → Invalid