CVE-2019-14236 - OpenCVE

On STMicroelectronics STM32L0, STM32L1, STM32L4, STM32F4, STM32F7, and STM32H7 devices, Proprietary Code Read Out Protection (PCROP) (a software IP protection method) can be defeated by observing CPU registers and the effect of code/instruction execution.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
St	Stm32f4 Stm32f4 Firmware Stm32f7 Stm32f7 Firmware Stm32h7 Stm32h7 Firmware Stm32l0 Stm32l0 Firmware Stm32l1 Stm32l1 Firmware Stm32l4 Stm32l4 Firmware

Configuration 1 [-]

AND

cpe:2.3:h:st:stm32l0:-:*:*:*:*:*:*:*

cpe:2.3:o:st:stm32l0_firmware:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:h:st:stm32l1:-:*:*:*:*:*:*:*

cpe:2.3:o:st:stm32l1_firmware:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:h:st:stm32f4:-:*:*:*:*:*:*:*

cpe:2.3:o:st:stm32f4_firmware:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:h:st:stm32l4:-:*:*:*:*:*:*:*

cpe:2.3:o:st:stm32l4_firmware:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND

cpe:2.3:h:st:stm32f7:-:*:*:*:*:*:*:*

cpe:2.3:o:st:stm32f7_firmware:-:*:*:*:*:*:*:*

Configuration 6 [-]

AND

cpe:2.3:h:st:stm32h7:-:*:*:*:*:*:*:*

cpe:2.3:o:st:stm32h7_firmware:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.usenix.org/system/files/woot19-paper_schink.pdf

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-09-12T17:43:11

Updated: 2024-08-05T00:12:43.438Z

Reserved: 2019-07-22T00:00:00

Link: CVE-2019-14236

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-09-12T18:15:11.927

Modified: 2019-09-16T18:19:12.497

Link: CVE-2019-14236

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "On STMicroelectronics STM32L0, STM32L1, STM32L4, STM32F4, STM32F7, and STM32H7 devices, Proprietary Code Read Out Protection (PCROP) (a software IP protection method) can be defeated by observing CPU registers and the effect of code/instruction execution."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-09-12T17:43:11", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.usenix.org/system/files/woot19-paper_schink.pdf"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-14236", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "On STMicroelectronics STM32L0, STM32L1, STM32L4, STM32F4, STM32F7, and STM32H7 devices, Proprietary Code Read Out Protection (PCROP) (a software IP protection method) can be defeated by observing CPU registers and the effect of code/instruction execution."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.usenix.org/system/files/woot19-paper_schink.pdf", "refsource": "MISC", "url": "https://www.usenix.org/system/files/woot19-paper_schink.pdf"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T00:12:43.438Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.usenix.org/system/files/woot19-paper_schink.pdf"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-14236", "datePublished": "2019-09-12T17:43:11", "dateReserved": "2019-07-22T00:00:00", "dateUpdated": "2024-08-05T00:12:43.438Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:st:stm32l0:-:*:*:*:*:*:*:*", "matchCriteriaId": "DB597A37-93DE-445A-BD00-9F5593BEC0FD", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:st:stm32l0_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "9E8173AA-028B-44C2-81C0-B216289CFFC1", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:st:stm32l1:-:*:*:*:*:*:*:*", "matchCriteriaId": "BEDC40CE-9909-4F22-A8BD-1074C89440DA", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:st:stm32l1_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "A6CBFC4A-597C-4CFB-B84C-058E3B1E6D2D", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:st:stm32f4:-:*:*:*:*:*:*:*", "matchCriteriaId": "440D2164-B326-4399-94C2-67705F0046AB", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:st:stm32f4_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "C862BA8C-8B56-4326-B912-2FDF80549651", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:st:stm32l4:-:*:*:*:*:*:*:*", "matchCriteriaId": "E10B907C-88E9-402C-96F5-8D30F06CB26C", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:st:stm32l4_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "1D00F3B0-486C-4B40-9E10-DCFBFBC5AA98", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:st:stm32f7:-:*:*:*:*:*:*:*", "matchCriteriaId": "8059CBFB-6323-4CC2-979C-1A01433C01A9", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:st:stm32f7_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "5EF9C325-7B9D-45F5-9CD0-684B87A82D60", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:st:stm32h7:-:*:*:*:*:*:*:*", "matchCriteriaId": "CE2F16E8-9CEC-4F15-B6E6-F5006DE30B5F", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:st:stm32h7_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "0C0FCD79-5A82-40AF-B221-2EF6601D92F2", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "On STMicroelectronics STM32L0, STM32L1, STM32L4, STM32F4, STM32F7, and STM32H7 devices, Proprietary Code Read Out Protection (PCROP) (a software IP protection method) can be defeated by observing CPU registers and the effect of code/instruction execution."}, {"lang": "es", "value": "En los dispositivos STMicroelectronics STM32L0, STM32L1, STM32L4, STM32F4, STM32F7 y STM32H7, Proprietary Code Read Out Protection (PCROP) (un m\u00e9todo de protecci\u00f3n IP de software) puede ser superado observando los registros de la CPU y el efecto de la ejecuci\u00f3n de c\u00f3digo e instrucci\u00f3n."}], "id": "CVE-2019-14236", "lastModified": "2019-09-16T18:19:12.497", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-09-12T18:15:11.927", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "url": "https://www.usenix.org/system/files/woot19-paper_schink.pdf"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}]}