CVE-2021-33478

CWE-119 — Buffer Overflow CWE-120 — Classic Buffer Overflow4 documents4 sources

Severity

6.8MEDIUM

EPSS

0.1%

top 67.10%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cisco IP Phone 8800 Firmware Cisco IP Phone 8800 Series With Multiplatform Firmware Cisco IP Phone 8811 Firmware +12 more

Timeline

PublishedJul 22

Latest updateMay 24

Description

The TrustZone implementation in certain Broadcom MediaxChange firmware could allow an unauthenticated, physically proximate attacker to achieve arbitrary code execution in the TrustZone Trusted Execution Environment (TEE) of an affected device. This, for example, affects certain Cisco IP Phone and Wireless IP Phone products before 2021-07-07. Exploitation is possible only when the attacker can disassemble the device in order to control the voltage/current for chip pins.

CVSS vector

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 0.9 | Impact: 5.9

Affected Packages15 packages

▶NVDcisco/wireless_ip_phone_8821_firmware< 11.0\(6\)sr1

▶NVDcisco/ip_phone_8800_firmware< 14.0\(1\)

▶NVDcisco/ip_phone_8811_firmware< 14.0\(1\)

▶NVDcisco/ip_phone_8841_firmware< 14.0\(1\)

▶NVDcisco/ip_phone_8845_firmware< 14.0\(1\)

🔴Vulnerability Details

GHSA

GHSA-vh28-q6j2-63w7: The TrustZone implementation in certain Broadcom MediaxChange firmware could allow an unauthenticated, physically proximate attacker to achieve arbitr↗2022-05-24

▶

CVEList

CVE-2021-33478: The TrustZone implementation in certain Broadcom MediaxChange firmware could allow an unauthenticated, physically proximate attacker to achieve arbitr↗2021-07-22

▶

📋Vendor Advisories

Cisco

Broadcom MediaxChange Vulnerability Affecting Cisco Products: July 2021↗2021-07-07

▶