CVE-2023-6482 – Encryption key derived from static host information
https://notcve.org/view.php?id=CVE-2023-6482
Use of encryption key derived from static information in Synaptics Fingerprint Driver allows an attacker to set up a TLS session with the fingerprint sensor and send restricted commands to the fingerprint sensor. This may allow an attacker, who has physical access to the sensor, to enroll a fingerprint into the template database. El uso de una clave de cifrado derivada de información estática en Synaptics Fingerprint Driver permite a un atacante configurar una sesión TLS con el sensor de huellas digitales y enviar comandos restringidos al sensor de huellas digitales. Esto puede permitir que un atacante, que tiene acceso físico al sensor, registre una huella digital en la base de datos de la plantilla. • https://www.synaptics.com/sites/default/files/2024-01/fingerprint-driver-encryption-key-security-brief-2024-01-26.pdf • CWE-321: Use of Hard-coded Cryptographic Key CWE-798: Use of Hard-coded Credentials •
CVE-2021-3675 – synaTEE.signed.dll Out-Of-Bounds Heap Write
https://notcve.org/view.php?id=CVE-2021-3675
Improper Input Validation vulnerability in synaTEE.signed.dll of Synaptics Fingerprint Driver allows a local authorized attacker to overwrite a heap tag, with potential loss of confidentiality. This issue affects: Synaptics Synaptics Fingerprint Driver 5.1.xxx.26 versions prior to xxx=340 on x86/64; 5.2.xxxx.26 versions prior to xxxx=3541 on x86/64; 5.2.2xx.26 versions prior to xx=29 on x86/64; 5.2.3xx.26 versions prior to xx=25 on x86/64; 5.3.xxxx.26 versions prior to xxxx=3543 on x86/64; 5.5.xx.1058 versions prior to xx=44 on x86/64; 5.5.xx.1102 versions prior to xx=34 on x86/64; 5.5.xx.1116 versions prior to xx=14 on x86/64; 6.0.xx.1104 versions prior to xx=50 on x86/64; 6.0.xx.1108 versions prior to xx=31 on x86/64; 6.0.xx.1111 versions prior to xx=58 on x86/64. Una vulnerabilidad de comprobación de entrada inapropiada en el archivo synaTEE.signed.dll de Synaptics Fingerprint Driver, permite a un atacante local autorizado sobrescribir una etiqueta de la pila, con posible pérdida de confidencialidad. Este problema afecta a: Synaptics Fingerprint Driver versiones: 5.1.xxx.26 versiones anteriores a xxx=340 en x86/64; 5.2.xxxx.26 versiones anteriores a xxxx=3541 en x86/64; 5.2.2xx.26 versiones anteriores a xx=29 en x86/64; 5.2.3xx.26 versiones anteriores a xx=25 en x86/64; 5.3.xxxx.26 versiones anteriores a xxxx=3543 en x86/64; 5.5.xx.1058 versiones anteriores a xx=44 en x86/64; 5.5.xx.1102 versiones anteriores a xx=34 en x86/64; 5.5.xx.1116 versiones anteriores a xx=14 en x86/64; 6.0.xx.1104 versiones anteriores a xx=50 en x86/64; 6.0.xx.1108 versiones anteriores a xx=31 en x86/64; 6.0.xx.1111 versiones anteriores a xx=58 en x86/64 • https://support.hp.com/us-en/document/ish_6411153-6411191-16/hpsbhf03797 https://support.lenovo.com/us/en/product_security/LEN-68054 https://synaptics.com/sites/default/files/2022-06/fingerprint-driver-SGX-security-brief-2022-06-14.pdf • CWE-20: Improper Input Validation CWE-787: Out-of-bounds Write •