{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2022-25334", "assignerOrgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39", "state": "PUBLISHED", "assignerShortName": "NCSC-NL", "dateReserved": "2022-02-18T17:18:33.457Z", "datePublished": "2023-10-19T09:36:09.230Z", "dateUpdated": "2023-10-19T09:50:22.135Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "vendor": "Texas Instruments", "product": "OMAP", "versions": [{"version": "L138", "status": "affected"}]}], "title": "Stack overflow on SK_LOAD signature length field in Texas Instruments OMAP L138", "descriptions": [{"lang": "en", "value": "The Texas Instruments OMAP L138 (secure variants) trusted execution environment (TEE) lacks a bounds check on the signature size field in the SK_LOAD module loading routine, present in mask ROM. A module with a sufficiently large signature field causes a stack overflow, affecting secure kernel data pages. This can be leveraged to obtain arbitrary code execution in secure supervisor context by overwriting a SHA256 function pointer in the secure kernel data area when loading a forged, unsigned SK_LOAD module encrypted with the CEK (obtainable through CVE-2022-25332). This constitutes a full break of the TEE security architecture."}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-121", "description": "Stack-based Buffer Overflow", "type": "CWE"}]}], "providerMetadata": {"orgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39", "shortName": "NCSC-NL", "dateUpdated": "2023-10-19T09:50:22.135Z"}, "references": [{"name": "TETRA:BURST", "tags": ["related"], "url": "https://tetraburst.com/"}], "credits": [{"lang": "en", "value": "Midnight Blue", "type": "finder"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:F/RL:U/RC:C/CR:H/IR:H/AR:H/MAV:L/MAC:L/MPR:H/MUI:N/MS:C/MC:H/MI:H/MA:H"}}]}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ti:omap_l138_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "E099834F-A5EF-4E60-A351-43FEF06E3C07", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:ti:omap_l138:-:*:*:*:*:*:*:*", "matchCriteriaId": "3D453CDD-014F-47EC-B6FD-9CE790450230", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "The Texas Instruments OMAP L138 (secure variants) trusted execution environment (TEE) lacks a bounds check on the signature size field in the SK_LOAD module loading routine, present in mask ROM. A module with a sufficiently large signature field causes a stack overflow, affecting secure kernel data pages. This can be leveraged to obtain arbitrary code execution in secure supervisor context by overwriting a SHA256 function pointer in the secure kernel data area when loading a forged, unsigned SK_LOAD module encrypted with the CEK (obtainable through CVE-2022-25332). This constitutes a full break of the TEE security architecture."}, {"lang": "es", "value": "Texas Instruments OMAP L138 (variantes seguras) Trusted Execution Environment (TEE) carece de una verificaci\u00f3n de l\u00edmites en el campo de tama\u00f1o de firma en la rutina de carga del m\u00f3dulo SK_LOAD, presente en la m\u00e1scara ROM. Un m\u00f3dulo con un campo de firma suficientemente grande provoca un desbordamiento de la pila, lo que afecta las p\u00e1ginas seguras de datos del kernel. Esto se puede aprovechar para obtener la ejecuci\u00f3n de c\u00f3digo arbitrario en un contexto de supervisor seguro sobrescribiendo un puntero de funci\u00f3n SHA256 en el \u00e1rea segura de datos del kernel al cargar un m\u00f3dulo SK_LOAD falsificado y sin firmar cifrado con CEK (obtenible a trav\u00e9s de CVE-2022-25332). Esto constituye una ruptura total de la arquitectura de seguridad de TEE."}], "id": "CVE-2022-25334", "lastModified": "2023-11-07T03:44:46.240", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.0, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.5, "impactScore": 6.0, "source": "cert@ncsc.nl", "type": "Secondary"}]}, "published": "2023-10-19T10:15:09.803", "references": [{"source": "cert@ncsc.nl", "tags": ["Not Applicable"], "url": "https://tetraburst.com/"}], "sourceIdentifier": "cert@ncsc.nl", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-121"}], "source": "cert@ncsc.nl", "type": "Secondary"}]}

{}