OP-TEE PKCS#11 Trusted Application Out-of-Bounds Read Vulnerability

Vulnerability

A vulnerability has been identified in the OP-TEE PKCS#11 Trusted Application (TA), affecting versions 3.13.0 and later, prior to 4.10.0. The issue arises from missing checks in the function 'entry_get_attribute_value()' within 'ta/pkcs11/src/object.c', which can lead to an out-of-bounds read from the PKCS#11 TA heap or cause a crash. The vulnerability can be exploited by sending a malformed template parameter to the 'PKCS11_CMD_GET_ATTRIBUTE_VALUE' command, which tricks the TA into reading up to 7 bytes beyond the intended buffer and writing attribute data from a PKCS#11 object past the end of that buffer.
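The kind of bounds checking whose absence is described above, as an added example that is not OP-TEE's code or its patch. The entry layout (a 4-byte id and a 4-byte size followed by the data) and all names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed entry layout (hypothetical, for illustration):
 * 4-byte id, 4-byte size, then `size` bytes of data. */
struct attr_head {
    uint32_t id;
    uint32_t size;
};

enum { TMPL_OK = 0, TMPL_TRUNCATED_HEAD = -1, TMPL_DATA_OVERRUN = -2 };

/*
 * Walk every entry of a caller-supplied template and confirm that each
 * header and each data area lies inside buf[0..len). On success, *count
 * receives the number of entries. Run this before any entry is read or
 * filled with attribute data.
 */
int check_template(const uint8_t *buf, size_t len, size_t *count)
{
    size_t off = 0;
    size_t n = 0;

    while (off < len) {
        struct attr_head head;
        size_t remaining = len - off;

        /* 1..7 trailing bytes cannot hold a header: reject before reading. */
        if (remaining < sizeof(head))
            return TMPL_TRUNCATED_HEAD;
        memcpy(&head, buf + off, sizeof(head)); /* alignment-safe read */

        /* Compare against the space left; never compute off + size first. */
        if (head.size > remaining - sizeof(head))
            return TMPL_DATA_OVERRUN;

        off += sizeof(head) + head.size;
        n++;
    }
    *count = n;
    return TMPL_OK;
}
```

The first check bounds the header read, and the second bounds any later write of up to 'size' bytes into the entry's data area.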

Impact

Exploitation of this vulnerability can result in an out-of-bounds read, leading to unauthorized memory access and potential information leakage from the PKCS#11 TA heap. This could include sensitive data such as secret keys that have not been properly cleared from memory. Additionally, the vulnerability allows for memory corruption by writing beyond allocated buffers, which could disrupt normal application operation and cause crashes.

Remediation

Users can upgrade to OP-TEE version 4.11.0 or later, where this vulnerability has been patched.

Added: Apr 24, 2026, 3:23 AM
Updated: Apr 24, 2026, 3:23 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.8
exploitability: 4.0
remediation: 7.7
relevance: 6.6
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.