// For flags

CVE-2022-25333

Flawed SK_LOAD module authenticity check in Texas Instruments OMAP L138

Severity Score

8.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The Texas Instruments OMAP L138 (secure variants) trusted execution environment (TEE) performs an RSA check implemented in mask ROM when loading a module through the SK_LOAD routine. However, only the module header authenticity is validated. An adversary can re-use any correctly signed header and append a forged payload, to be encrypted using the CEK (obtainable through CVE-2022-25332) in order to obtain arbitrary code execution in secure context. This constitutes a full break of the TEE security architecture.

Texas Instruments OMAP L138 (variantes seguras) Trusted Execution Environment (TEE) realiza una verificación RSA implementada en la máscara ROM al cargar un módulo a través de la rutina SK_LOAD. Sin embargo, sólo se valida la autenticidad del encabezado del módulo. Un adversario puede reutilizar cualquier encabezado firmado correctamente y agregar un payload falsificado, que se cifrará mediante CEK (que se puede obtener a través de CVE-2022-25332) para obtener la ejecución de código arbitrario en un contexto seguro. Esto constituye una ruptura total de la arquitectura de seguridad de TEE.

*Credits: Midnight Blue
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2022-02-18 CVE Reserved
  • 2023-10-19 CVE Published
  • 2023-10-20 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-347: Improper Verification of Cryptographic Signature
CAPEC
References (1)
URL Tag Source
https://tetraburst.com Not Applicable
URL Date SRC
URL Date SRC
URL Date SRC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Ti
Search vendor "Ti"
 Omap L138 Firmware
Search vendor "Ti" for product "Omap L138 Firmware"
--
Affected
in Ti
Search vendor "Ti"
 Omap L138
Search vendor "Ti" for product "Omap L138"
--
Safe