CVE-2022-25334 - OpenCVE

The Texas Instruments OMAP L138 (secure variants) trusted execution environment (TEE) lacks a bounds check on the signature size field in the SK_LOAD module loading routine, present in mask ROM. A module with a sufficiently large signature field causes a stack overflow, affecting secure kernel data pages. This can be leveraged to obtain arbitrary code execution in secure supervisor context by overwriting a SHA256 function pointer in the secure kernel data area when loading a forged, unsigned SK_LOAD module encrypted with the CEK (obtainable through CVE-2022-25332). This constitutes a full break of the TEE security architecture.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ti	Omap L138 Omap L138 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:ti:omap_l138_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:ti:omap_l138:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://tetraburst.com/

History

No history.

MITRE

Status: PUBLISHED

Assigner: NCSC-NL

Published: 2023-10-19T09:36:09.230Z

Updated: 2024-08-03T04:36:06.873Z

Reserved: 2022-02-18T17:18:33.457Z

Link: CVE-2022-25334

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-10-19T10:15:09.803

Modified: 2023-11-07T03:44:46.240

Link: CVE-2022-25334

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-25334", "assignerOrgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39", "state": "PUBLISHED", "assignerShortName": "NCSC-NL", "dateReserved": "2022-02-18T17:18:33.457Z", "datePublished": "2023-10-19T09:36:09.230Z", "dateUpdated": "2024-08-03T04:36:06.873Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "vendor": "Texas Instruments", "product": "OMAP", "versions": [{"version": "L138", "status": "affected"}]}], "title": "Stack overflow on SK_LOAD signature length field in Texas Instruments OMAP L138", "descriptions": [{"lang": "en", "value": "The Texas Instruments OMAP L138 (secure variants) trusted execution environment (TEE) lacks a bounds check on the signature size field in the SK_LOAD module loading routine, present in mask ROM. A module with a sufficiently large signature field causes a stack overflow, affecting secure kernel data pages. This can be leveraged to obtain arbitrary code execution in secure supervisor context by overwriting a SHA256 function pointer in the secure kernel data area when loading a forged, unsigned SK_LOAD module encrypted with the CEK (obtainable through CVE-2022-25332). This constitutes a full break of the TEE security architecture."}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-121", "description": "Stack-based Buffer Overflow", "type": "CWE"}]}], "providerMetadata": {"orgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39", "shortName": "NCSC-NL", "dateUpdated": "2024-07-15T00:27:54.327174Z"}, "references": [{"name": "TETRA:BURST", "tags": ["related"], "url": "https://tetraburst.com/"}], "credits": [{"lang": "en", "value": "Midnight Blue", "type": "finder"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:F/RL:U/RC:C/CR:H/IR:H/AR:H/MAV:L/MAC:L/MPR:H/MUI:N/MS:C/MC:H/MI:H/MA:H"}}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:36:06.873Z"}, "title": "CVE Program Container", "references": [{"name": "TETRA:BURST", "tags": ["related", "x_transferred"], "url": "https://tetraburst.com/"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ti:omap_l138_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "E099834F-A5EF-4E60-A351-43FEF06E3C07", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:ti:omap_l138:-:*:*:*:*:*:*:*", "matchCriteriaId": "3D453CDD-014F-47EC-B6FD-9CE790450230", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Texas Instruments OMAP L138 (secure variants) trusted execution environment (TEE) lacks a bounds check on the signature size field in the SK_LOAD module loading routine, present in mask ROM. A module with a sufficiently large signature field causes a stack overflow, affecting secure kernel data pages. This can be leveraged to obtain arbitrary code execution in secure supervisor context by overwriting a SHA256 function pointer in the secure kernel data area when loading a forged, unsigned SK_LOAD module encrypted with the CEK (obtainable through CVE-2022-25332). This constitutes a full break of the TEE security architecture."}, {"lang": "es", "value": "Texas Instruments OMAP L138 (variantes seguras) Trusted Execution Environment (TEE) carece de una verificaci\u00f3n de l\u00edmites en el campo de tama\u00f1o de firma en la rutina de carga del m\u00f3dulo SK_LOAD, presente en la m\u00e1scara ROM. Un m\u00f3dulo con un campo de firma suficientemente grande provoca un desbordamiento de la pila, lo que afecta las p\u00e1ginas seguras de datos del kernel. Esto se puede aprovechar para obtener la ejecuci\u00f3n de c\u00f3digo arbitrario en un contexto de supervisor seguro sobrescribiendo un puntero de funci\u00f3n SHA256 en el \u00e1rea segura de datos del kernel al cargar un m\u00f3dulo SK_LOAD falsificado y sin firmar cifrado con CEK (obtenible a trav\u00e9s de CVE-2022-25332). Esto constituye una ruptura total de la arquitectura de seguridad de TEE."}], "id": "CVE-2022-25334", "lastModified": "2023-11-07T03:44:46.240", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.0, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.5, "impactScore": 6.0, "source": "cert@ncsc.nl", "type": "Secondary"}]}, "published": "2023-10-19T10:15:09.803", "references": [{"source": "cert@ncsc.nl", "tags": ["Not Applicable"], "url": "https://tetraburst.com/"}], "sourceIdentifier": "cert@ncsc.nl", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-121"}], "source": "cert@ncsc.nl", "type": "Secondary"}]}