Op Tee
CVE-2023-41325
HIGH
Severity by source
AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionGitHub Advisory
OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Starting in version 3.20 and prior to version 3.22, shdr_verify_signature can make a double free. shdr_verify_signature used to verify a TA binary before it is loaded. To verify a signature of it, allocate a memory for RSA key. RSA key allocate function (sw_crypto_acipher_alloc_rsa_public_key) will try to allocate a memory (which is optee’s heap memory). RSA key is consist of exponent and modulus (represent as variable e, n) and it allocation is not atomic way, so it may succeed in e but fail in n. In this case sw_crypto_acipher_alloc_rsa_public_key will free on e and return as it is failed but variable ‘e’ is remained as already freed memory address . shdr_verify_signature will free again that memory (which is e`) even it is freed when it failed allocate RSA key. A patch is available in version 3.22. No known workarounds are available.
AnalysisAI
OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Rated high severity (CVSS 7.4), this vulnerability is low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified under CWE-415. OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Starting in version 3.20 and prior to version 3.22, shdr_verify_signature can make a double free. shdr_verify_signature used to verify a TA binary before it is loaded. To verify a signature of it, allocate a memory for RSA key. RSA key allocate function (sw_crypto_acipher_alloc_rsa_public_key) will try to allocate a memory (which is optee’s heap memory). RSA key is consist of exponent and modulus (represent as variable e, n) and it allocation is not atomic way, so it may succeed in e but fail in n. In this case sw_crypto_acipher_alloc_rsa_public_key will free on e and return as it is failed but variable ‘e’ is remained as already freed memory address . shdr_verify_signature will free again that memory (which is e`) even it is freed when it failed allocate RSA key. A patch is available in version 3.22. No known workarounds are available. Affected products include: Trustedfirmware Op-Tee. Version information: version 3.20.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
OP-TEE Trusted OS is the secure side implementation of OP-TEE project, a Trusted Execution Environment. Rated high sever
Linaro/OP-TEE OP-TEE 3.3.0 and earlier is affected by: Buffer Overflow. Rated critical severity (CVSS 9.8), this vulnera
An unprotected memory-access operation in optee_os in TrustedFirmware Open Portable Trusted Execution Environment (OP-TE
Linaro/OP-TEE OP-TEE 3.3.0 and earlier is affected by: Buffer Overflow. Rated critical severity (CVSS 9.8), this vulnera
Linaro/OP-TEE OP-TEE 3.3.0 and earlier is affected by: Buffer Overflow. Rated critical severity (CVSS 9.8), this vulnera
Linaro/OP-TEE OP-TEE 3.3.0 and earlier is affected by: Buffer Overflow. Rated critical severity (CVSS 9.8), this vulnera
Linaro/OP-TEE OP-TEE Prior to version v3.4.0 is affected by: Boundary checks. Rated critical severity (CVSS 9.8), this v
Linaro/OP-TEE OP-TEE 3.3.0 and earlier is affected by: Boundary crossing. Rated critical severity (CVSS 9.8), this vulne
In Linaro OP-TEE before 3.7.0, by using inconsistent or malformed data, it is possible to call update and final cryptogr
LibTomCrypt through 1.18.1 allows a memory-cache side-channel attack on ECDSA signatures, aka the Return Of the Hidden N
An issue was discovered in Trusted Firmware OP-TEE Trusted OS through 3.15.0. Rated high severity (CVSS 7.8), this vulne
Linaro/OP-TEE OP-TEE 3.3.0 and earlier is affected by: Rounding error. Rated high severity (CVSS 7.5), this vulnerabilit
Same weakness CWE-415 – Double Free
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today