// For flags

CVE-2022-46152

OP-TEE Trusted OS vulnerable to Improper Validation of Array Index in the cleanup_shm_refs function

Severity Score

8.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

OP-TEE Trusted OS is the secure side implementation of OP-TEE project, a Trusted Execution Environment. Versions prior to 3.19.0, contain an Improper Validation of Array Index vulnerability. The function `cleanup_shm_refs()` is called by both `entry_invoke_command()` and `entry_open_session()`. The commands `OPTEE_MSG_CMD_OPEN_SESSION` and `OPTEE_MSG_CMD_INVOKE_COMMAND` can be executed from the normal world via an OP-TEE SMC. This function is not validating the `num_params` argument, which is only limited to `OPTEE_MSG_MAX_NUM_PARAMS` (127) in the function `get_cmd_buffer()`. Therefore, an attacker in the normal world can craft an SMC call that will cause out-of-bounds reading in `cleanup_shm_refs` and potentially freeing of fake-objects in the function `mobj_put()`. A normal-world attacker with permission to execute SMC instructions may exploit this flaw. Maintainers believe this problem permits local privilege escalation from the normal world to the secure world. Version 3.19.0 contains a fix for this issue. There are no known workarounds.

OP-TEE Trusted OS es la implementación segura del proyecto OP-TEE, un entorno de ejecución confiable. Las versiones anteriores a la 3.19.0 contienen una vulnerabilidad de validación incorrecta del índice de matriz. La función `cleanup_shm_refs()` es llamada tanto por `entry_invoke_command()` como por `entry_open_session()`. Los comandos `OPTEE_MSG_CMD_OPEN_SESSION` y `OPTEE_MSG_CMD_INVOKE_COMMAND` se pueden ejecutar desde el mundo normal a través de un OP-TEE SMC. Esta función no valida el argumento `num_params`, que solo se limita a `OPTEE_MSG_MAX_NUM_PARAMS` (127) en la función `get_cmd_buffer()`. Por lo tanto, un atacante en el mundo normal puede crear una llamada SMC que provocará una lectura fuera de los límites en `cleanup_shm_refs` y potencialmente la liberación de objetos falsos en la función `mobj_put()`. Un atacante normal con permiso para ejecutar instrucciones SMC puede aprovechar esta falla. Quienes lo mantienen creen que este problema permite una escalada de privilegios locales desde el mundo normal al mundo seguro. La versión 3.19.0 contiene una solución para este problema. No se conocen workarounds.

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2022-11-28 CVE Reserved
  • 2022-11-29 CVE Published
  • 2023-03-08 EPSS Updated
  • 2024-08-03 CVE Updated
  • 2024-08-03 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-129: Improper Validation of Array Index
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Op-tee
Search vendor "Op-tee"
 Op-tee Os
Search vendor "Op-tee" for product "Op-tee Os"
 < 3.19.0
Search vendor "Op-tee" for product "Op-tee Os" and version " < 3.19.0"
-
Affected