Lucene search

GitHub_MVULNRICHMENT:CVE-2024-38532

HistoryJun 28, 2024 - 9:25 p.m.

CVE-2024-38532 TEST_KEY used in example dcp_tool reference implementation

2024-06-2821:25:42

CWE-321

GitHub_M

github.com

nxp data co-processor

cryptographic engine

test key issue

patched vulnerability

CVSS3

7.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

AI Score

6.9

Confidence

High

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

The NXP Data Co-Processor (DCP) is a built-in hardware module for specific NXP SoCs¹ that implements a dedicated AES cryptographic engine for encryption/decryption operations. The dcp_tool reference implementation included in the repository selected the test key, regardless of its -t argument. This issue has been patched in commit 26a7.

CNA Affected

[
  {
    "vendor": "usbarmory",
    "product": "mxs-dcp",
    "versions": [
      {
        "version": ">= commit 6151, < commit 26a7",
        "status": "affected"
      }
    ]
  }
]

References

github.com/usbarmory/mxs-dcp/commit/e5a99cb3d9429e6145495da7d01525c75af426a7

github.com/usbarmory/mxs-dcp/security/advisories/GHSA-g85c-rh49-p8cq

CVSS3

7.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

AI Score

6.9

Confidence

High

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

Related for VULNRICHMENT:CVE-2024-38532