CVSS3: 8.8 High

Metric | Value |
---|---|
Attack Vector | LOCAL |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | NONE |
Scope | CHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

AI Score: 8.9 High (Confidence: High)

EPSS: 0.0004 Low (Percentile: 5.3%)

OP-TEE Trusted OS is the secure-side implementation of the OP-TEE project, a Trusted Execution Environment. Versions prior to 3.19.0 contain an Improper Validation of Array Index vulnerability. The function `cleanup_shm_refs()` is called by both `entry_invoke_command()` and `entry_open_session()`. The commands `OPTEE_MSG_CMD_OPEN_SESSION` and `OPTEE_MSG_CMD_INVOKE_COMMAND` can be executed from the normal world via an OP-TEE SMC. `cleanup_shm_refs()` does not validate its `num_params` argument, which is only limited to `OPTEE_MSG_MAX_NUM_PARAMS` (127) in the function `get_cmd_buffer()`. Therefore, an attacker in the normal world can craft an SMC call that causes an out-of-bounds read in `cleanup_shm_refs()` and potentially the freeing of fake objects in the function `mobj_put()`. A normal-world attacker with permission to execute SMC instructions may exploit this flaw. Maintainers believe this problem permits local privilege escalation from the normal world to the secure world. Version 3.19.0 contains a fix for this issue. There are no known workarounds.
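The gap between the two limits described above, as a simplified C model added here (it is not OP-TEE's code or its patch). The 127 cap comes from the advisory; the 4-slot array size and the names `shm_ref`, `cleanup_unchecked`, `cleanup_checked` and `demo` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define MSG_MAX_PARAMS 127u /* message-level cap named in the advisory */
#define NUM_SLOTS      4u   /* assumed size of the fixed per-call array */

struct shm_ref { int refcount; }; /* hypothetical stand-in for a shared-memory object */

/* Message-level check only: accepts any count up to 127. */
static int msg_count_ok(uint32_t num_params)
{
    return num_params <= MSG_MAX_PARAMS;
}

/* "Before" shape: trusts num_params, so any count above NUM_SLOTS walks
 * past the array and treats whatever follows as object pointers. Shown
 * for comparison; never called with an oversized count here. */
static int cleanup_unchecked(struct shm_ref **refs, uint32_t num_params)
{
    int released = 0;
    for (uint32_t n = 0; n < num_params; n++)
        if (refs[n]) { refs[n]->refcount--; refs[n] = NULL; released++; }
    return released;
}

/* Hardened shape: reject counts the array cannot hold before indexing. */
static int cleanup_checked(struct shm_ref **refs, uint32_t num_params)
{
    if (num_params > NUM_SLOTS)
        return -1;
    return cleanup_unchecked(refs, num_params);
}

/* Runs the hardened cleanup on a constructed 4-slot array with 2 live refs. */
static int demo(uint32_t num_params)
{
    struct shm_ref a = { 1 }, b = { 1 };
    struct shm_ref *refs[NUM_SLOTS] = { &a, &b, NULL, NULL };
    return cleanup_checked(refs, num_params);
}

int main(void)
{
    printf("count 127 passes message check: %d\n", msg_count_ok(127));
    printf("cleanup with 2: %d, with 127: %d\n", demo(2), demo(127));
    return 0;
}
```

A count that is valid for the message parser is still too large for the array the cleanup routine indexes, so the bound has to be enforced against the array's own size at the point of use.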
Vendor | Product | Version | CPE |
---|---|---|---|
op\-tee | op\-tee_os | * | cpe:2.3:o:op\-tee:op\-tee_os:*:*:*:*:*:*:*:* |
[
{
"vendor": "OP-TEE",
"product": "optee_os",
"versions": [
{
"version": "< 3.19.0",
"status": "affected"
}
]
}
]
github.com/OP-TEE/optee_os/blob/c2d449482de098f1c894b94f338440e5a327813d/core/tee/entry_std.c#L257
github.com/OP-TEE/optee_os/commit/728616b28df659cf0bdde6e58a471f6ef25d023c
github.com/OP-TEE/optee_os/security/advisories/GHSA-65w8-6mrg-52g7
nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:X/RC:X/CR:M/IR:M/AR:M/MAV:L/MAC:L/MPR:H/MUI:N/MS:C/MC:H/MI:H/MA:H&version=3.1