CVE-2024-20081: Out-of-bounds write in gnss, response by Mediatek security advisory. (2nd July 2024)

Preface: GPS traditionally refers to the North American Global Positioning System, or satellite positioning system. GNSS is the term for the international multi-constellation satellite system. Therefore, GNSS typically includes GPS, GLONASS, Baidu, Galileo, and any other constellation system.

Background: GNSS positioning modules or chips, as the core component of In-vehicle Infotainment systems, provide position, speed, and time information. GNSS position and speed measurements are integral, especially with respect to moving map navigation.

GNSS are used in all forms of transportation: space stations, aviation, maritime, rail, road and mass transit. Positioning, navigation and timing (PNT) play a critical role in telecommunications, land surveying, law enforcement, emergency response, precision agriculture, mining, finance, scientific research…etc.

Vulnerability details: In gnss service, there is a possible escalation of privilege due to improper certificate validation. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08720039; Issue ID: MSV-1424.

Official announcement: For detail, please refer to link –

https://corp.mediatek.com/product-security-bulletin/July-2024

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.