CVE-2022-25334

The Texas Instruments OMAP L138 (secure variants) trusted execution environment (TEE) lacks a bounds check on the signature size field in the SK_LOAD module loading routine, present in mask ROM. A module with a sufficiently large signature field causes a stack overflow, affecting secure kernel data pages. This can be leveraged to obtain arbitrary code execution in secure supervisor context by overwriting a SHA256 function pointer in the secure kernel data area when loading a forged, unsigned SK_LOAD module encrypted with the CEK (obtainable through CVE-2022-25332). This constitutes a full break of the TEE security architecture.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.0 / Impact : 6.0

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://tetraburst.com/	Not Applicable

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:ti:omap_l138_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:ti:omap_l138:-:*:*:*:*:*:*:*

History

31 Oct 2023, 18:53

Type	Values Removed	Values Added
CPE		cpe:2.3:h:ti:omap_l138:-:::::::* cpe:2.3:o:ti:omap_l138_firmware:-:::::::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.8
First Time		Ti omap L138 Ti omap L138 Firmware Ti
References	~~(MISC) https://tetraburst.com/ -~~	(MISC) https://tetraburst.com/ - Not Applicable
CWE		CWE-787

19 Oct 2023, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-10-19 10:15

Updated : 2023-12-10 15:14

NVD link : CVE-2022-25334

Mitre link : CVE-2022-25334

CVE.ORG link : CVE-2022-25334

JSON object : View

Products Affected

ti

omap_l138
omap_l138_firmware

CWE

CWE-787

Out-of-bounds Write

CWE-121

Stack-based Buffer Overflow

{"id": "CVE-2022-25334", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.0}, {"type": "Secondary", "source": "cert@ncsc.nl", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.5}]}, "published": "2023-10-19T10:15:09.803", "references": [{"url": "https://tetraburst.com/", "tags": ["Not Applicable"], "source": "cert@ncsc.nl"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-787"}]}, {"type": "Secondary", "source": "cert@ncsc.nl", "description": [{"lang": "en", "value": "CWE-121"}]}], "descriptions": [{"lang": "en", "value": "The Texas Instruments OMAP L138 (secure variants) trusted execution environment (TEE) lacks a bounds check on the signature size field in the SK_LOAD module loading routine, present in mask ROM. A module with a sufficiently large signature field causes a stack overflow, affecting secure kernel data pages. This can be leveraged to obtain arbitrary code execution in secure supervisor context by overwriting a SHA256 function pointer in the secure kernel data area when loading a forged, unsigned SK_LOAD module encrypted with the CEK (obtainable through CVE-2022-25332). This constitutes a full break of the TEE security architecture."}, {"lang": "es", "value": "Texas Instruments OMAP L138 (variantes seguras) Trusted Execution Environment (TEE) carece de una verificaci\u00f3n de l\u00edmites en el campo de tama\u00f1o de firma en la rutina de carga del m\u00f3dulo SK_LOAD, presente en la m\u00e1scara ROM. Un m\u00f3dulo con un campo de firma suficientemente grande provoca un desbordamiento de la pila, lo que afecta las p\u00e1ginas seguras de datos del kernel. Esto se puede aprovechar para obtener la ejecuci\u00f3n de c\u00f3digo arbitrario en un contexto de supervisor seguro sobrescribiendo un puntero de funci\u00f3n SHA256 en el \u00e1rea segura de datos del kernel al cargar un m\u00f3dulo SK_LOAD falsificado y sin firmar cifrado con CEK (obtenible a trav\u00e9s de CVE-2022-25332). Esto constituye una ruptura total de la arquitectura de seguridad de TEE."}], "lastModified": "2023-11-07T03:44:46.240", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:ti:omap_l138_firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E099834F-A5EF-4E60-A351-43FEF06E3C07"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:ti:omap_l138:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "3D453CDD-014F-47EC-B6FD-9CE790450230"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cert@ncsc.nl"}