CVE-2021-36133 — Incorrect Permission Assignment in Optee-os

CWE-732 — Incorrect Permission Assignment4 documents3 sources

Severity

7.1HIGHNVD

OSV6.5

EPSS

0.1%

top 83.01%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Optee-os

Timeline

PublishedDec 7

Latest updateOct 23

Description

The OPTEE-OS CSU driver for NXP i.MX SoC devices lacks security access configuration for several models, resulting in TrustZone bypass because the NonSecure World can perform arbitrary memory read/write operations on Secure World memory. This involves a DMA capable peripheral.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:NExploitability: 1.8 | Impact: 5.2

Affected Packages1 packages

▶debiandebian/optee-os

🔴Vulnerability Details

OSV

aom vulnerabilities↗2023-10-23

▶

OSV

CVE-2021-36133: The OPTEE-OS CSU driver for NXP i↗2021-12-07

▶

📋Vendor Advisories

Debian

CVE-2021-36133: optee-os - The OPTEE-OS CSU driver for NXP i.MX SoC devices lacks security access configura...↗2021

▶