STMicroelectronics International N.V.

13 exploits Active since Aug 2022
CVE-2022-36622 WRITEUP HIGH WRITEUP
Samsung mTower < 0.3.0 - NULL Pointer Dereference via TEE_GetObjectInfo1
Samsung Electronics mTower v0.3.0 and earlier was discovered to contain a NULL pointer dereference via the function TEE_GetObjectInfo1.
CVSS 7.5
CVE-2022-36621 WRITEUP HIGH WRITEUP
Samsung mTower < 0.3.0 - NULL Pointer Dereference via TEE_AllocateTransientObject
Samsung Electronics mTower v0.3.0 and earlier was discovered to contain a NULL pointer dereference via the function TEE_AllocateTransientObject.
CVSS 7.5
CVE-2022-36622 WRITEUP HIGH WRITEUP
Samsung mTower < 0.3.0 - NULL Pointer Dereference via TEE_GetObjectInfo1
Samsung Electronics mTower v0.3.0 and earlier was discovered to contain a NULL pointer dereference via the function TEE_GetObjectInfo1.
CVSS 7.5
CVE-2022-40761 WRITEUP HIGH WRITEUP
Samsung mTower < 0.3.0 - Denial of Service via TEE_AllocateOperation Heap Layout Manipulation
The function tee_obj_free in Samsung mTower through 0.3.0 allows a trusted application to trigger a Denial of Service (DoS) by invoking the function TEE_AllocateOperation with a disturbed heap layout, related to utee_cryp_obj_alloc.
CVSS 7.5
CVE-2022-46152 WRITEUP HIGH WRITEUP
OP-TEE Trusted OS <3.19.0 - Buffer Overflow
OP-TEE Trusted OS is the secure side implementation of OP-TEE project, a Trusted Execution Environment. Versions prior to 3.19.0, contain an Improper Validation of Array Index vulnerability. The function `cleanup_shm_refs()` is called by both `entry_invoke_command()` and `entry_open_session()`. The commands `OPTEE_MSG_CMD_OPEN_SESSION` and `OPTEE_MSG_CMD_INVOKE_COMMAND` can be executed from the normal world via an OP-TEE SMC. This function is not validating the `num_params` argument, which is only limited to `OPTEE_MSG_MAX_NUM_PARAMS` (127) in the function `get_cmd_buffer()`. Therefore, an attacker in the normal world can craft an SMC call that will cause out-of-bounds reading in `cleanup_shm_refs` and potentially freeing of fake-objects in the function `mobj_put()`. A normal-world attacker with permission to execute SMC instructions may exploit this flaw. Maintainers believe this problem permits local privilege escalation from the normal world to the secure world. Version 3.19.0 contains a fix for this issue. There are no known workarounds.
CVSS 8.2
CVE-2022-35858 WRITEUP HIGH WRITEUP
Samsung mTower 0.3.0 - Memory Corruption
The TEE_PopulateTransientObject and __utee_from_attr functions in Samsung mTower 0.3.0 allow a trusted application to trigger a memory overwrite, denial of service, and information disclosure by invoking the function TEE_PopulateTransientObject with a large number in the parameter attrCount.
CVSS 7.8
CVE-2022-38155 WRITEUP HIGH WRITEUP
Samsung mTower <0.3.0 - Memory Corruption
TEE_Malloc in Samsung mTower through 0.3.0 allows a trusted application to achieve Excessive Memory Allocation via a large len value, as demonstrated by a Numaker-PFM-M2351 TEE kernel crash.
CVSS 7.5
CVE-2022-40757 WRITEUP HIGH WRITEUP
Samsung mTower <= 0.3.0 - Denial of Service via TEE_MACComputeFinal Excessive Message Length
A Buffer Access with Incorrect Length Value vulnerablity in the TEE_MACComputeFinal function in Samsung mTower through 0.3.0 allows a trusted application to trigger a Denial of Service (DoS) by invoking the function TEE_MACComputeFinal with an excessive size value of messageLen.
CVSS 7.5
CVE-2022-40758 WRITEUP HIGH WRITEUP
Samsung mTower <= 0.3.0 - Denial of Service via TEE_CipherUpdate Excessive Size Value
A Buffer Access with Incorrect Length Value vulnerablity in the TEE_CipherUpdate function in Samsung mTower through 0.3.0 allows a trusted application to trigger a Denial of Service (DoS) by invoking the function TEE_CipherUpdate with an excessive size value of srcLen.
CVSS 7.5
CVE-2022-40759 WRITEUP HIGH WRITEUP
Samsung mTower <= 0.3.0 - Denial of Service via TEE_MACCompareFinal NULL Pointer Dereference
A NULL pointer dereference issue in the TEE_MACCompareFinal function in Samsung mTower through 0.3.0 allows a trusted application to trigger a Denial of Service (DoS) by invoking the function TEE_MACCompareFinal with a NULL pointer for the parameter operation.
CVSS 7.5
CVE-2022-40760 WRITEUP HIGH WRITEUP
Samsung mTower <= 0.3.0 - Denial of Service via TEE_MACUpdate Excessive Chunk Size
A Buffer Access with Incorrect Length Value vulnerablity in the TEE_MACUpdate function in Samsung mTower through 0.3.0 allows a trusted application to trigger a Denial of Service (DoS) by invoking the function TEE_MACUpdate with an excessive size value of chunkSize.
CVSS 7.5
CVE-2022-40761 WRITEUP HIGH WRITEUP
Samsung mTower < 0.3.0 - Denial of Service via TEE_AllocateOperation Heap Layout Manipulation
The function tee_obj_free in Samsung mTower through 0.3.0 allows a trusted application to trigger a Denial of Service (DoS) by invoking the function TEE_AllocateOperation with a disturbed heap layout, related to utee_cryp_obj_alloc.
CVSS 7.5
CVE-2022-40762 WRITEUP HIGH WRITEUP
Samsung mTower <= 0.3.0 - Denial of Service via TEE_Realloc Excessive Size Value
A Memory Allocation with Excessive Size Value vulnerablity in the TEE_Realloc function in Samsung mTower through 0.3.0 allows a trusted application to trigger a Denial of Service (DoS) by invoking the function TEE_Realloc with an excessive number for the parameter len.
CVSS 7.5