CVE-2022-47549Improper Verification of Cryptographic Signature in Optee-os

CWE-347Improper Verification of Cryptographic Signature4 documents4 sources
Severity
6.4MEDIUMNVD
EPSS
0.1%
top 78.79%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Linaro Op-teeDebian Optee-os
Timeline
PublishedDec 19
Latest updateSep 26

Description

An unprotected memory-access operation in optee_os in TrustedFirmware Open Portable Trusted Execution Environment (OP-TEE) before 3.20 allows a physically proximate adversary to bypass signature verification and install malicious trusted applications via electromagnetic fault injections.

CVSS vector

CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 0.5 | Impact: 5.9

Affected Packages2 packages

NVDlinaro/op-tee< 3.20

🔴Vulnerability Details

1
GHSA
GHSA-fpxc-4rrx-f672: An unprotected memory-access operation in optee_os in TrustedFirmware Open Portable Trusted Execution Environment (OP-TEE) before 32022-12-19

📋Vendor Advisories

1
Debian
CVE-2022-47549: optee-os - An unprotected memory-access operation in optee_os in TrustedFirmware Open Porta...2022

📄Research Papers

1
arXiv
SyzTrust: State-aware Fuzzing on Trusted OS Designed for IoT Devices2023-09-26
CVE-2022-47549 — Debian Optee-os vulnerability | cvebase