CVSS: 4.4EPSS: 0%CPEs: 2EXPL: 0CVE-2022-25332 – SK_LOAD timing side channel during AES module decryption in Texas Instruments OMAP L138
https://notcve.org/view.php?id=CVE-2022-25332
The AES implementation in the Texas Instruments OMAP L138 (secure variants), present in mask ROM, suffers from a timing side channel which can be exploited by an adversary with non-secure supervisor privileges by managing cache contents and collecting timing information for different ciphertext inputs. Using this side channel, the SK_LOAD secure kernel routine can be used to recover the Customer Encryption Key (CEK). La implementación de AES en Texas Instruments OMAP L138 (variantes seguras), presente en la máscara ROM, sufre de un canal lateral de temporización que puede ser explotado por un adversario con privilegios de supervisor no seguros al administrar el contenido de la caché y recopilar información de temporización para diferentes entradas de texto cifrado. Usando este canal lateral, la rutina de kernel segura SK_LOAD se puede usar para recuperar el Customer Encryption Key (CEK). • https://tetraburst.com • CWE-203: Observable Discrepancy CWE-208: Observable Timing Discrepancy •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-25334 – Stack overflow on SK_LOAD signature length field in Texas Instruments OMAP L138
https://notcve.org/view.php?id=CVE-2022-25334
The Texas Instruments OMAP L138 (secure variants) trusted execution environment (TEE) lacks a bounds check on the signature size field in the SK_LOAD module loading routine, present in mask ROM. A module with a sufficiently large signature field causes a stack overflow, affecting secure kernel data pages. This can be leveraged to obtain arbitrary code execution in secure supervisor context by overwriting a SHA256 function pointer in the secure kernel data area when loading a forged, unsigned SK_LOAD module encrypted with the CEK (obtainable through CVE-2022-25332). This constitutes a full break of the TEE security architecture. Texas Instruments OMAP L138 (variantes seguras) Trusted Execution Environment (TEE) carece de una verificación de límites en el campo de tamaño de firma en la rutina de carga del módulo SK_LOAD, presente en la máscara ROM. • https://tetraburst.com • CWE-121: Stack-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-25333 – Flawed SK_LOAD module authenticity check in Texas Instruments OMAP L138
https://notcve.org/view.php?id=CVE-2022-25333
The Texas Instruments OMAP L138 (secure variants) trusted execution environment (TEE) performs an RSA check implemented in mask ROM when loading a module through the SK_LOAD routine. However, only the module header authenticity is validated. An adversary can re-use any correctly signed header and append a forged payload, to be encrypted using the CEK (obtainable through CVE-2022-25332) in order to obtain arbitrary code execution in secure context. This constitutes a full break of the TEE security architecture. Texas Instruments OMAP L138 (variantes seguras) Trusted Execution Environment (TEE) realiza una verificación RSA implementada en la máscara ROM al cargar un módulo a través de la rutina SK_LOAD. • https://tetraburst.com • CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2023-29468
https://notcve.org/view.php?id=CVE-2023-29468
The Texas Instruments (TI) WiLink WL18xx MCP driver does not limit the number of information elements (IEs) of type XCC_EXT_1_IE_ID or XCC_EXT_2_IE_ID that can be parsed in a management frame. Using a specially crafted frame, a buffer overflow can be triggered that can potentially lead to remote code execution. This affects WILINK8-WIFI-MCP8 version 8.5_SP3 and earlier. • https://www.ti.com/lit/swra773 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 5.3EPSS: 0%CPEs: 15EXPL: 1CVE-2021-21966
https://notcve.org/view.php?id=CVE-2021-21966
An information disclosure vulnerability exists in the HTTP Server /ping.html functionality of Texas Instruments CC3200 SimpleLink Solution NWP 2.9.0.0. A specially-crafted HTTP request can lead to an uninitialized read. An attacker can send an HTTP request to trigger this vulnerability. Se presenta una vulnerabilidad de divulgación de información en la funcionalidad HTTP Server /ping.html de Texas Instruments CC3200 SimpleLink Solution NWP versión 2.9.0.0. Una petición HTTP especialmente diseñada puede conllevar a una lectura no inicializada. • https://talosintelligence.com/vulnerability_reports/TALOS-2021-1393 https://www.ti.com/lit/an/swra740/swra740.pdf?ts=1645536893264& • CWE-457: Use of Uninitialized Variable CWE-908: Use of Uninitialized Resource •