Lucene search

SynapticsCVELIST:CVE-2023-6482

HistoryJan 27, 2024 - 12:19 a.m.

CVE-2023-6482 Encryption key derived from static host information

2024-01-2700:19:15

CWE-321

Synaptics

www.cve.org

synaptics fingerprint driver

encryption key

tls session

fingerprint sensor

physical access

5.2 Medium

CVSS3

Attack Vector

PHYSICAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

5.4 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.6%

JSON

Use of encryption key derived from static information in Synaptics Fingerprint Driver allows

an attacker to set up a TLS session with the fingerprint sensor and send restricted commands to the fingerprint sensor. This may
allow an attacker, who has physical access to the sensor, to enroll a fingerprint into the
template database.

CNA Affected

[
  {
    "defaultStatus": "unknown",
    "product": "Synaptics Fingerprint Driver",
    "vendor": "Synaptics",
    "versions": [
      {
        "lessThan": "6.0.17.1103",
        "status": "affected",
        "version": "6.0.0.1103",
        "versionType": "custom"
      }
    ]
  }
]

References

www.synaptics.com/sites/default/files/2024-01/fingerprint-driver-encryption-key-security-brief-2024-01-26.pdf

5.2 Medium

CVSS3

Attack Vector

PHYSICAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

5.4 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.6%

JSON

Related for CVELIST:CVE-2023-6482