
CVE-2022-25334

Stack overflow on SK_LOAD signature length field in Texas Instruments OMAP L138

Summary
  • Severity Score: 8.8 (CVSS v3.1)
  • Exploit Likelihood: not available (EPSS)
  • Affected Versions: see CPE list below
  • Public Exploits: 0 (multiple sources)
  • Exploited in Wild: - (KEV)
  • Decision: - (SSVC)

Descriptions

The Texas Instruments OMAP L138 (secure variants) trusted execution environment (TEE) lacks a bounds check on the signature size field in the SK_LOAD module loading routine, present in mask ROM. A module with a sufficiently large signature field causes a stack overflow, affecting secure kernel data pages. This can be leveraged to obtain arbitrary code execution in secure supervisor context by overwriting a SHA256 function pointer in the secure kernel data area when loading a forged, unsigned SK_LOAD module encrypted with the CEK (obtainable through CVE-2022-25332). This constitutes a full break of the TEE security architecture.


Credits: Midnight Blue

CVSS Scores (two assessments are listed for this CVE)

Metric                Assessment 1   Assessment 2
Attack Vector         Local          Local
Attack Complexity     Low            Low
Privileges Required   Low            High
User Interaction      None           None
Scope                 Changed        Changed
Confidentiality       High           High
Integrity             High           High
Availability          High           High

* CVSS: Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* SSVC decision based on the organization's worst-case scenario
Timeline
  • 2022-02-18 CVE Reserved
  • 2023-10-19 CVE Published
  • 2024-07-22 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-121: Stack-based Buffer Overflow
  • CWE-787: Out-of-bounds Write
References (1)
  • https://tetraburst.com (tag: Not Applicable)
Affected Vendors, Products, and Versions

Vendor   Product               Version   Status
Ti       Omap L138 Firmware    --        Affected
         running on:
Ti       Omap L138             --        Safe