Linaro OP-TEE up to 3.3.0 optee_os out-of-bounds write

Summaryinfo

A vulnerability has been found in Linaro OP-TEE up to 3.3.0 and classified as critical. This vulnerability affects unknown code of the component optee_os. This manipulation causes input validation. This vulnerability appears as CVE-2019-1010293. The attack may be initiated remotely. There is no available exploit. The affected component should be upgraded.

Detailsinfo

A vulnerability was found in Linaro OP-TEE up to 3.3.0. It has been declared as critical. Affected by this vulnerability is an unknown part of the component optee_os. The manipulation with an unknown input leads to a input validation vulnerability. The CWE definition for the vulnerability is CWE-787. The product writes data past the end, or before the beginning, of the intended buffer. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

Linaro/OP-TEE OP-TEE 3.3.0 and earlier is affected by: Boundary crossing. The impact is: Memory corruption of the TEE itself. The component is: optee_os. The fixed version is: 3.4.0 and later.

The weakness was presented 07/15/2019. This vulnerability is known as CVE-2019-1010293 since 03/20/2019. The attack can be launched remotely. The exploitation doesn't need any form of authentication. Neither technical details nor an exploit are publicly available.

Upgrading to version 3.4.0 eliminates this vulnerability.

See VDB-137837, VDB-137836, VDB-137835 and VDB-137834 for similar entries. Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Vendor

• Linaro

Name

• OP-TEE

Version

• 3.0
• 3.1
• 3.2
• 3.3.0

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion