libfprint

Found broken a feature for fingerprint image obfuscation

Bug #1819406 reported by Seong-Joong Kim on 2019-03-11

256

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	libfprint	Fix Released	Unknown	auto-gitlab.freedesktop.org-libfprint-fprintd #16
	libfprint (Ubuntu)	Won't Fix	Low	Unassigned

Bug Description

Dear all,

In this package, a random seed is used for generation key for obfuscating a fingerprint image in uru4000 driver.
Unfortunately, it seems that the seed always exhibits the same sequence of numbers each time since it is generated from rand() in libc by default.
Then I reported this issue to the upstream with the patch.

However, the maintainer insists that the obfuscation-feature can be broken since the key for encryption is composed of just 4-bytes length.
Thus, there is no need to patch about random seed anyway.
It's pretty weird to say that.

Would it be all right if I leave this as it is?

Many thanks!!

CVE References

Revision history for this message

Sebastien Bacher (seb128) wrote on 2019-03-11:

#1

Thank you for your bug report, do you have any pointer to the discuss with the upstream maintainer?

Revision history for this message

Sebastien Bacher (seb128) wrote on 2019-03-11:

#2

Thanks, it's https://gitlab.freedesktop.org/libfprint/fprintd/issues/16

Changed in libfprint (Ubuntu):
importance:	Undecided → High
status:	New → Triaged

Revision history for this message

Sebastien Bacher (seb128) wrote on 2019-03-11:

#3

sorry, commented on the wrong bug

no longer affects:	libfprint
Changed in libfprint (Ubuntu):
status:	Triaged → New

Revision history for this message

Seong-Joong Kim (sungjungk) wrote on 2019-03-11:

#4

Could you check the following link?

https://gitlab.freedesktop.org/libfprint/libfprint/merge_requests/47

Revision history for this message

Seong-Joong Kim (sungjungk) wrote on 2019-03-14:

#5

What do you think of this issue?

Revision history for this message

Seong-Joong Kim (sungjungk) wrote on 2019-03-15:

#6

It seems that the uru4000 driver is affected by a weak? or broken? obfuscation feature, allowing MITM attackers to discover user's precious fingerprint images.

information type:

Public → Public Security

Revision history for this message

Seong-Joong Kim (sungjungk) wrote on 2019-03-21:

#7

Please check the following PoC.

https://github.com/sungjungk/fp-img-deobfuscator

Revision history for this message

Seong-Joong Kim (sungjungk) wrote on 2019-03-22:

#8

It is demo video: https://www.youtube.com/watch?v=Grirez2xeas

Marc Deslauriers (mdeslaur) on 2019-06-28

Changed in libfprint (Ubuntu):
status:	New → Confirmed
importance:	High → Low
importance:	Low → High
importance:	High → Low

Bug Watch Updater (bug-watch-updater) on 2019-06-28

Changed in libfprint:
status:	Unknown → New

Revision history for this message

Seong-Joong Kim (sungjungk) wrote on 2019-07-27:

#9

CVE-2019-13604 and CVE-2019-13621 have been assigned.
Please check the following PoC:
https://github.com/sungjungk/fp-scanner-hacking
https://github.com/sungjungk/fp-img-key-crack

Bug Watch Updater (bug-watch-updater) on 2020-08-21

Changed in libfprint:
status:	New → Fix Released

Revision history for this message

Marco Trevisan (Treviño) (3v1n0) wrote on 2020-11-25:

#10

As per upstream decision...

Changed in libfprint (Ubuntu):
status:	Confirmed → Won't Fix

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

auto-gitlab.freedesktop.org-libfprint-fprintd #16
[closed] Edit

Bug watches keep track of this bug in other bug trackers.