An attacker sending malformed miIO messages over WiFi to a Xiaomi Smart camera device can trigger the vulnerability described here. This report describes a secure protocol design issue, which leads to authentication bypass in the proprietary Xiaomi miIO protocol. The vulnerability described in this advisory affects a potentially wide range of Xiaomi Smart devices. This vulnerability has not yet been issued a public patch or advisory or assigned a CVE by the vendor despite repeated requests and a lapse of more than six months since the original vendor disclosure. Vulnerability Details For packets received in UDP port 54321, the miio_client binary verifies the MAC and then decrypts the received packet.

An attacker sending malformed miIO messages over WiFi to a Xiaomi Smart camera device can trigger the vulnerability described here. This report describes a use of cryptographically weak PRNG implementation issue, which leads to reliable prediction of cryptographic primitives used in the proprietary Xiaomi miIO protocol’s authentication and key agreement procedure. The vulnerability described in this advisory affects a potentially wide range of Xiaomi Smart devices. This vulnerability has not yet been issued a public patch or advisory or assigned a CVE by the vendor despite repeated requests and a lapse of more than six months since the original vendor disclosure.

An attacker sending a malformed miIO message over WiFi to a Xiaomi Smart camera device can trigger the vulnerability described here. This report describes a heap buffer overflow, which leads to remote code execution. The vulnerability described in this advisory affects a potentially wide range of Xiaomi Smart devices. This vulnerability has not yet been issued a public patch or advisory or assigned a CVE by the vendor despite repeated requests and a lapse of more than six months since the original vendor disclosure. Vulnerability Details Due to a flaw in the design of the handshake sequence, it is possible to complete the setup flow without knowledge of the setup code by replaying certain values that the camera sends.

An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here. The impact is stack buffer overflow in the baseband, triggered by malformed SDP data in VoLTE message such as SIP INVITE or MESSAGE request. The vulnerability described in this advisory affected a wide range of Mediatek devices. The January 2024 issue of the Mediatek Security Bulletin contains this vulnerability as CVE-2023-32874. Vulnerability Details When a SIP message contains SDP data, first the cc_call_unpack_sdpmsg routine is invoked to unpack the message bytes into an internal representation (sdp_message_struct). Later the codec information is extracted from this internal representation by calling several codec extracting functions.

An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here. The impact is Heap Overflow in the baseband, triggered by malformed multipart SIP messages containing SMS data. The vulnerability described in this advisory affected a wide range of Mediatek devices. The January 2024 issue of the Mediatek Security Bulletin contains this vulnerability as CVE-2023-32886. Vulnerability Details SIP supports the processing of multipart requests (as described in RFC 1341), where a single message can contain multiple body parts, with different content type. In these messages each body fragment is separated by a boundary tag, that is defined in the boundary parameter of the Content-Type MIME header.

An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here. The impact is unbounded recursion based stack overflow in the baseband, triggered by malformed VoLTE message such as SIP INVITE or MESSAGE request. The vulnerability described in this advisory affected a wide range of Mediatek devices. The January 2024 issue of the Mediatek Security Bulletin contains this vulnerability as CVE-2023-32887. Vulnerability Details When a SIP message is unpacked by sip_msg_unpack, inet_msg_unpack_header is called to parse the various MIME headers. This function inet_msg_mime_skip_comment is reached from inet_msg_mime_skipws (and other inet_msg_skipcfws* functions) and it recursively seeks over the comments from the header in order to remove white-spaces around and comments from the MIME header values.

An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here. The impact is Heap Overflow in the baseband, triggered by malformed VoLTE message such as SIP INVITE or MESSAGE request. The vulnerability described in this advisory affected a wide range of Mediatek devices. The January 2024 issue of the Mediatek Security Bulletin contains this vulnerability as CVE-2023-32888. Vulnerability Details When a SIP message is unpacked by sip_msg_unpack, cc_call_set_peer_addr is responsible for updating the session description object with the peer information. When the SIP message contains the P-Asserted-Identity header, the vulnerable cc_call_replace_double_quote function is called to replace double quotes with the <ascii_34> string.

An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here. The impact is intra-structure overflow in the baseband, triggered by malformed SDP data in VoLTE message such as SIP INVITE or MESSAGE request. The vulnerability described in this advisory affected a wide range of Mediatek devices. The January 2024 issue of the Mediatek Security Bulletin contains this vulnerability as CVE-2023-32889. Vulnerability Details When a SIP message contains SDP data, first the cc_call_unpack_sdpmsg routine is invoked to unpack the message bytes into an internal representation (sdp_message_struct). Based on that, later, the session object’s des_audio structure is populated with the AMR/AMR-WB codec info.

We have identified a new stack buffer overflow vulnerability in Unisoc’s TrustZone implementation. The vulnerability can be exploited to achieve arbitrary code execution in the DRM Trustlet’s runtime. The vulnerability we are disclosing in this advisory affected a wide range of Unisoc devices, including phones on the newest chipsets. The August 2023 issue of the Unisoc Security Bulletin contains this vulnerability as CVE-2023-33913. Vulnerability Details The Trusted Execution Environment (TEE) implementation of Unisoc Tiger chipsets on certain devices uses a modified version of Google’s TEE implementation called Trusty. Trusty is an open-source trusted OS based on Little Kernel. The kernel is running in 64bit mode, however, the trustlets are 32bit ELF images baked into the TOS binary together with the kernel image.

An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here. This report describes an unbounded recursion issue, which leads to stack overflow. (Note: the issue is stack overflow not stack buffer overtflow, i.e. an out-of-bounds write beyond a stack frame’s end). The vulnerability described in this advisory affected a wide range of Mediatek devices. This vulnerability is assigned CVE-2025-20725. Vulnerability Details The XML parser code executes unbounded recursions. In addition, it lacks early checking of the validity of the XML against the expected schema, which might otherwise act as an upper bound for recursion for most XML documents.