3 results (0.002 seconds)

CVSS: 4.4EPSS: 0%CPEs: 2EXPL: 0

The AES implementation in the Texas Instruments OMAP L138 (secure variants), present in mask ROM, suffers from a timing side channel which can be exploited by an adversary with non-secure supervisor privileges by managing cache contents and collecting timing information for different ciphertext inputs. Using this side channel, the SK_LOAD secure kernel routine can be used to recover the Customer Encryption Key (CEK). La implementación de AES en Texas Instruments OMAP L138 (variantes seguras), presente en la máscara ROM, sufre de un canal lateral de temporización que puede ser explotado por un adversario con privilegios de supervisor no seguros al administrar el contenido de la caché y recopilar información de temporización para diferentes entradas de texto cifrado. Usando este canal lateral, la rutina de kernel segura SK_LOAD se puede usar para recuperar el Customer Encryption Key (CEK). • https://tetraburst.com • CWE-203: Observable Discrepancy CWE-208: Observable Timing Discrepancy •

CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0

The Texas Instruments OMAP L138 (secure variants) trusted execution environment (TEE) lacks a bounds check on the signature size field in the SK_LOAD module loading routine, present in mask ROM. A module with a sufficiently large signature field causes a stack overflow, affecting secure kernel data pages. This can be leveraged to obtain arbitrary code execution in secure supervisor context by overwriting a SHA256 function pointer in the secure kernel data area when loading a forged, unsigned SK_LOAD module encrypted with the CEK (obtainable through CVE-2022-25332). This constitutes a full break of the TEE security architecture. Texas Instruments OMAP L138 (variantes seguras) Trusted Execution Environment (TEE) carece de una verificación de límites en el campo de tamaño de firma en la rutina de carga del módulo SK_LOAD, presente en la máscara ROM. • https://tetraburst.com • CWE-121: Stack-based Buffer Overflow CWE-787: Out-of-bounds Write •

CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0

The Texas Instruments OMAP L138 (secure variants) trusted execution environment (TEE) performs an RSA check implemented in mask ROM when loading a module through the SK_LOAD routine. However, only the module header authenticity is validated. An adversary can re-use any correctly signed header and append a forged payload, to be encrypted using the CEK (obtainable through CVE-2022-25332) in order to obtain arbitrary code execution in secure context. This constitutes a full break of the TEE security architecture. Texas Instruments OMAP L138 (variantes seguras) Trusted Execution Environment (TEE) realiza una verificación RSA implementada en la máscara ROM al cargar un módulo a través de la rutina SK_LOAD. • https://tetraburst.com • CWE-347: Improper Verification of Cryptographic Signature •