Search criteria
12 vulnerabilities found for mtm5500_firmware by motorola
FKIE_CVE-2022-27813
Vulnerability from fkie_nvd - Published: 2023-10-19 10:15 - Updated: 2024-11-21 06:56
Severity ?
8.1 (High) - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H
8.2 (High) - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
8.2 (High) - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Summary
Motorola MTM5000 series firmwares lack properly configured memory protection of pages shared between the OMAP-L138 ARM and DSP cores. The SoC provides two memory protection units, MPU1 and MPU2, to enforce the trust boundary between the two cores. Since both units are left unconfigured by the firmwares, an adversary with control over either core can trivially gain code execution on the other, by overwriting code located in shared RAM or DDR2 memory regions.
References
| URL | Tags | ||
|---|---|---|---|
| cert@ncsc.nl | https://tetraburst.com/ | Technical Description | |
| af854a3a-2127-422b-91ae-364da2661108 | https://tetraburst.com/ | Technical Description |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| motorola | mtm5500_firmware | - | |
| motorola | mtm5500 | - | |
| motorola | mtm5400_firmware | - | |
| motorola | mtm5400 | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:motorola:mtm5500_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "BB7C0C44-3660-4B47-A1ED-0BD19EFC5F03",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:motorola:mtm5500:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A1A0784B-AE84-4457-A884-5C26EEA8D181",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:motorola:mtm5400_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "FF669A29-B983-40F6-BBA9-D9F67E653BEF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:motorola:mtm5400:-:*:*:*:*:*:*:*",
"matchCriteriaId": "03AA5A43-A1B5-4E1C-A844-691607765E30",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Motorola MTM5000 series firmwares lack properly configured memory protection of pages shared between the OMAP-L138 ARM and DSP cores. The SoC provides two memory protection units, MPU1 and MPU2, to enforce the trust boundary between the two cores. Since both units are left unconfigured by the firmwares, an adversary with control over either core can trivially gain code execution on the other, by overwriting code located in shared RAM or DDR2 memory regions."
},
{
"lang": "es",
"value": "Los firmwares de la serie Motorola MTM5000 carecen de protecci\u00f3n de memoria configurada correctamente para las p\u00e1ginas compartidas entre los n\u00facleos OMAP-L138 ARM y DSP. El SoC proporciona dos unidades de protecci\u00f3n de memoria, MPU1 y MPU2, para reforzar el l\u00edmite de confianza entre los dos n\u00facleos. Dado que los firmwares dejan ambas unidades sin configurar, un adversario con control sobre cualquiera de los n\u00facleos puede obtener trivialmente la ejecuci\u00f3n de c\u00f3digo en el otro, sobrescribiendo el c\u00f3digo ubicado en la RAM compartida o en las regiones de memoria DDR2."
}
],
"id": "CVE-2022-27813",
"lastModified": "2024-11-21T06:56:14.420",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.5,
"impactScore": 6.0,
"source": "cert@ncsc.nl",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.5,
"impactScore": 6.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-10-19T10:15:10.013",
"references": [
{
"source": "cert@ncsc.nl",
"tags": [
"Technical Description"
],
"url": "https://tetraburst.com/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Technical Description"
],
"url": "https://tetraburst.com/"
}
],
"sourceIdentifier": "cert@ncsc.nl",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1260"
}
],
"source": "cert@ncsc.nl",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2022-26941
Vulnerability from fkie_nvd - Published: 2023-10-19 10:15 - Updated: 2024-11-21 06:54
Severity ?
9.6 (Critical) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
A format string vulnerability exists in Motorola MTM5000 series firmware AT command handler for the AT+CTGL command. An attacker-controllable string is improperly handled, allowing for a write-anything-anywhere scenario. This can be leveraged to obtain arbitrary code execution inside the teds_app binary, which runs with root privileges.
References
| URL | Tags | ||
|---|---|---|---|
| cert@ncsc.nl | https://tetraburst.com/ | Technical Description | |
| af854a3a-2127-422b-91ae-364da2661108 | https://tetraburst.com/ | Technical Description |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| motorola | mtm5500_firmware | - | |
| motorola | mtm5500 | - | |
| motorola | mtm5400_firmware | - | |
| motorola | mtm5400 | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:motorola:mtm5500_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "BB7C0C44-3660-4B47-A1ED-0BD19EFC5F03",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:motorola:mtm5500:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A1A0784B-AE84-4457-A884-5C26EEA8D181",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:motorola:mtm5400_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "FF669A29-B983-40F6-BBA9-D9F67E653BEF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:motorola:mtm5400:-:*:*:*:*:*:*:*",
"matchCriteriaId": "03AA5A43-A1B5-4E1C-A844-691607765E30",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A format string vulnerability exists in Motorola MTM5000 series firmware AT command handler for the AT+CTGL command. An attacker-controllable string is improperly handled, allowing for a write-anything-anywhere scenario. This can be leveraged to obtain arbitrary code execution inside the teds_app binary, which runs with root privileges."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de cadena de formato en el controlador de comandos AT del firmware de la serie Motorola MTM5000 para el comando AT+CTGL. Una cadena controlable por un atacante se maneja incorrectamente, lo que permite un escenario en el que se puede escribir cualquier cosa en cualquier lugar. Esto se puede aprovechar para obtener la ejecuci\u00f3n de c\u00f3digo arbitrario dentro del binario teds_app, que se ejecuta con privilegios de root."
}
],
"id": "CVE-2022-26941",
"lastModified": "2024-11-21T06:54:50.533",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 6.0,
"source": "cert@ncsc.nl",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-10-19T10:15:09.860",
"references": [
{
"source": "cert@ncsc.nl",
"tags": [
"Technical Description"
],
"url": "https://tetraburst.com/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Technical Description"
],
"url": "https://tetraburst.com/"
}
],
"sourceIdentifier": "cert@ncsc.nl",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-134"
}
],
"source": "cert@ncsc.nl",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-134"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2022-26943
Vulnerability from fkie_nvd - Published: 2023-10-19 10:15 - Updated: 2024-11-21 06:54
Severity ?
8.8 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
The Motorola MTM5000 series firmwares generate TETRA authentication challenges using a PRNG using a tick count register as its sole entropy source. Low boottime entropy and limited re-seeding of the pool renders the authentication challenge vulnerable to two attacks. First, due to the limited boottime pool entropy, an adversary can derive the contents of the entropy pool by an exhaustive search of possible values, based on an observed authentication challenge. Second, an adversary can use knowledge of the entropy pool to predict authentication challenges. As such, the unit is vulnerable to CVE-2022-24400.
References
| URL | Tags | ||
|---|---|---|---|
| cert@ncsc.nl | https://tetraburst.com/ | Technical Description | |
| af854a3a-2127-422b-91ae-364da2661108 | https://tetraburst.com/ | Technical Description |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| motorola | mtm5500_firmware | - | |
| motorola | mtm5500 | - | |
| motorola | mtm5400_firmware | - | |
| motorola | mtm5400 | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:motorola:mtm5500_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "BB7C0C44-3660-4B47-A1ED-0BD19EFC5F03",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:motorola:mtm5500:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A1A0784B-AE84-4457-A884-5C26EEA8D181",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:motorola:mtm5400_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "FF669A29-B983-40F6-BBA9-D9F67E653BEF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:motorola:mtm5400:-:*:*:*:*:*:*:*",
"matchCriteriaId": "03AA5A43-A1B5-4E1C-A844-691607765E30",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Motorola MTM5000 series firmwares generate TETRA authentication challenges using a PRNG using a tick count register as its sole entropy source. Low boottime entropy and limited re-seeding of the pool renders the authentication challenge vulnerable to two attacks. First, due to the limited boottime pool entropy, an adversary can derive the contents of the entropy pool by an exhaustive search of possible values, based on an observed authentication challenge. Second, an adversary can use knowledge of the entropy pool to predict authentication challenges. As such, the unit is vulnerable to CVE-2022-24400."
},
{
"lang": "es",
"value": "Los firmwares de la serie Motorola MTM5000 generan desaf\u00edos de autenticaci\u00f3n TETRA utilizando un PRNG que utiliza un registro de conteo de ticks como \u00fanica fuente de entrop\u00eda. La baja entrop\u00eda del tiempo de arranque y la resiembra limitada del grupo hacen que el desaf\u00edo de autenticaci\u00f3n sea vulnerable a dos ataques. En primer lugar, debido a la entrop\u00eda limitada del grupo de tiempo de arranque, un adversario puede derivar el contenido del grupo de entrop\u00eda mediante una b\u00fasqueda exhaustiva de valores posibles, bas\u00e1ndose en un desaf\u00edo de autenticaci\u00f3n observado. En segundo lugar, un adversario puede utilizar el conocimiento del conjunto de entrop\u00eda para predecir los desaf\u00edos de autenticaci\u00f3n. Como tal, la unidad es vulnerable a CVE-2022-24400."
}
],
"id": "CVE-2022-26943",
"lastModified": "2024-11-21T06:54:50.800",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "cert@ncsc.nl",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-10-19T10:15:09.963",
"references": [
{
"source": "cert@ncsc.nl",
"tags": [
"Technical Description"
],
"url": "https://tetraburst.com/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Technical Description"
],
"url": "https://tetraburst.com/"
}
],
"sourceIdentifier": "cert@ncsc.nl",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-338"
}
],
"source": "cert@ncsc.nl",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-338"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2022-26942
Vulnerability from fkie_nvd - Published: 2023-10-19 10:15 - Updated: 2024-11-21 06:54
Severity ?
8.2 (High) - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
8.2 (High) - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
8.2 (High) - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Summary
The Motorola MTM5000 series firmwares lack pointer validation on arguments passed to trusted execution environment (TEE) modules. Two modules are used, one responsible for KVL key management and the other for TETRA cryptographic functionality. In both modules, an adversary with non-secure supervisor level code execution can exploit the issue in order to gain secure supervisor code execution within the TEE. This constitutes a full break of the TEE module, exposing the device key as well as any TETRA cryptographic keys and the confidential TETRA cryptographic primitives.
References
| URL | Tags | ||
|---|---|---|---|
| cert@ncsc.nl | https://tetraburst.com/ | Technical Description | |
| af854a3a-2127-422b-91ae-364da2661108 | https://tetraburst.com/ | Technical Description |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| motorola | mtm5500_firmware | - | |
| motorola | mtm5500 | - | |
| motorola | mtm5400_firmware | - | |
| motorola | mtm5400 | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:motorola:mtm5500_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "BB7C0C44-3660-4B47-A1ED-0BD19EFC5F03",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:motorola:mtm5500:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A1A0784B-AE84-4457-A884-5C26EEA8D181",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:motorola:mtm5400_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "FF669A29-B983-40F6-BBA9-D9F67E653BEF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:motorola:mtm5400:-:*:*:*:*:*:*:*",
"matchCriteriaId": "03AA5A43-A1B5-4E1C-A844-691607765E30",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Motorola MTM5000 series firmwares lack pointer validation on arguments passed to trusted execution environment (TEE) modules. Two modules are used, one responsible for KVL key management and the other for TETRA cryptographic functionality. In both modules, an adversary with non-secure supervisor level code execution can exploit the issue in order to gain secure supervisor code execution within the TEE. This constitutes a full break of the TEE module, exposing the device key as well as any TETRA cryptographic keys and the confidential TETRA cryptographic primitives. "
},
{
"lang": "es",
"value": "Los firmwares de la serie Motorola MTM5000 carecen de validaci\u00f3n de puntero en los argumentos pasados a los m\u00f3dulos Trusted Execution Environment (TEE). Se utilizan dos m\u00f3dulos, uno responsable de la gesti\u00f3n de claves KVL y el otro de la funcionalidad criptogr\u00e1fica TETRA. En ambos m\u00f3dulos, un adversario con una ejecuci\u00f3n de c\u00f3digo de nivel de supervisor no segura puede aprovechar el problema para obtener una ejecuci\u00f3n segura de c\u00f3digo de supervisor dentro del TEE. Esto constituye una ruptura total del m\u00f3dulo TEE, exponiendo la clave del dispositivo, as\u00ed como cualquier clave criptogr\u00e1fica TETRA y las primitivas criptogr\u00e1ficas TETRA confidenciales."
}
],
"id": "CVE-2022-26942",
"lastModified": "2024-11-21T06:54:50.667",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.5,
"impactScore": 6.0,
"source": "cert@ncsc.nl",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.5,
"impactScore": 6.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-10-19T10:15:09.913",
"references": [
{
"source": "cert@ncsc.nl",
"tags": [
"Technical Description"
],
"url": "https://tetraburst.com/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Technical Description"
],
"url": "https://tetraburst.com/"
}
],
"sourceIdentifier": "cert@ncsc.nl",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-822"
}
],
"source": "cert@ncsc.nl",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-763"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2022-26941 (GCVE-0-2022-26941)
Vulnerability from cvelistv5 – Published: 2023-10-19 09:35 – Updated: 2024-09-12 20:28
VLAI?
Title
Format string vulnerability in AT+CTGL command in Motorola MTM5000
Summary
A format string vulnerability exists in Motorola MTM5000 series firmware AT command handler for the AT+CTGL command. An attacker-controllable string is improperly handled, allowing for a write-anything-anywhere scenario. This can be leveraged to obtain arbitrary code execution inside the teds_app binary, which runs with root privileges.
Severity ?
CWE
- CWE-134 - Use of Externally-Controlled Format String
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Motorola | Mobile Radio |
Affected:
MTM5000
|
Credits
Midnight Blue
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:18:38.375Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "TETRA:BURST",
"tags": [
"related",
"x_transferred"
],
"url": "https://tetraburst.com/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:motorola:mobile_radio:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "mobile_radio",
"vendor": "motorola",
"versions": [
{
"status": "affected",
"version": "mtm5000"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-26941",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-12T20:25:32.359297Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T20:28:58.903Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Mobile Radio",
"vendor": "Motorola",
"versions": [
{
"status": "affected",
"version": "MTM5000"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Midnight Blue"
}
],
"descriptions": [
{
"lang": "en",
"value": "A format string vulnerability exists in Motorola MTM5000 series firmware AT command handler for the AT+CTGL command. An attacker-controllable string is improperly handled, allowing for a write-anything-anywhere scenario. This can be leveraged to obtain arbitrary code execution inside the teds_app binary, which runs with root privileges."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:U/RC:C/CR:X/IR:X/AR:X/MAV:A/MAC:L/MPR:N/MUI:N/MS:C/MC:H/MI:H/MA:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-134",
"description": "Use of Externally-Controlled Format String",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T00:27:54.327174Z",
"orgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"shortName": "NCSC-NL"
},
"references": [
{
"name": "TETRA:BURST",
"tags": [
"related"
],
"url": "https://tetraburst.com/"
}
],
"title": "Format string vulnerability in AT+CTGL command in Motorola MTM5000"
}
},
"cveMetadata": {
"assignerOrgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"assignerShortName": "NCSC-NL",
"cveId": "CVE-2022-26941",
"datePublished": "2023-10-19T09:35:52.646Z",
"dateReserved": "2022-03-11T22:19:24.847Z",
"dateUpdated": "2024-09-12T20:28:58.903Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-26942 (GCVE-0-2022-26942)
Vulnerability from cvelistv5 – Published: 2023-10-19 09:35 – Updated: 2024-08-03 05:18
VLAI?
Title
Multiple missing pointer validation checks in trusted execution module in Motorola MTM5000
Summary
The Motorola MTM5000 series firmwares lack pointer validation on arguments passed to trusted execution environment (TEE) modules. Two modules are used, one responsible for KVL key management and the other for TETRA cryptographic functionality. In both modules, an adversary with non-secure supervisor level code execution can exploit the issue in order to gain secure supervisor code execution within the TEE. This constitutes a full break of the TEE module, exposing the device key as well as any TETRA cryptographic keys and the confidential TETRA cryptographic primitives.
Severity ?
CWE
- CWE-822 - Untrusted Pointer Dereference
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Motorola | Mobile Radio |
Affected:
MTM5000
|
Credits
Midnight Blue
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:h:motorola:mtm5000_series_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "mtm5000_series_firmware",
"vendor": "motorola",
"versions": [
{
"status": "affected",
"version": "0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-26942",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-15T16:23:58.876138Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T16:25:32.089Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:18:38.371Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "TETRA:BURST",
"tags": [
"related",
"x_transferred"
],
"url": "https://tetraburst.com/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Mobile Radio",
"vendor": "Motorola",
"versions": [
{
"status": "affected",
"version": "MTM5000"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Midnight Blue"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Motorola MTM5000 series firmwares lack pointer validation on arguments passed to trusted execution environment (TEE) modules. Two modules are used, one responsible for KVL key management and the other for TETRA cryptographic functionality. In both modules, an adversary with non-secure supervisor level code execution can exploit the issue in order to gain secure supervisor code execution within the TEE. This constitutes a full break of the TEE module, exposing the device key as well as any TETRA cryptographic keys and the confidential TETRA cryptographic primitives. "
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:F/RL:U/RC:C/CR:X/IR:X/AR:X/MAV:L/MAC:L/MPR:H/MUI:N/MS:C/MC:H/MI:H/MA:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-822",
"description": "Untrusted Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T00:27:54.327174Z",
"orgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"shortName": "NCSC-NL"
},
"references": [
{
"name": "TETRA:BURST",
"tags": [
"related"
],
"url": "https://tetraburst.com/"
}
],
"title": "Multiple missing pointer validation checks in trusted execution module in Motorola MTM5000"
}
},
"cveMetadata": {
"assignerOrgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"assignerShortName": "NCSC-NL",
"cveId": "CVE-2022-26942",
"datePublished": "2023-10-19T09:35:24.386Z",
"dateReserved": "2022-03-11T22:19:24.848Z",
"dateUpdated": "2024-08-03T05:18:38.371Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-27813 (GCVE-0-2022-27813)
Vulnerability from cvelistv5 – Published: 2023-10-19 09:34 – Updated: 2024-08-03 05:33
VLAI?
Title
Unconfigured memory protection modules in Motorola MTM5000
Summary
Motorola MTM5000 series firmwares lack properly configured memory protection of pages shared between the OMAP-L138 ARM and DSP cores. The SoC provides two memory protection units, MPU1 and MPU2, to enforce the trust boundary between the two cores. Since both units are left unconfigured by the firmwares, an adversary with control over either core can trivially gain code execution on the other, by overwriting code located in shared RAM or DDR2 memory regions.
Severity ?
CWE
- CWE-1260 - Improper Handling of Overlap Between Protected Memory Ranges
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Motorola | Mobile Radio |
Affected:
MTM5000
|
Credits
Midnight Blue
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-27813",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-15T15:42:18.505018Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-16T13:32:53.489Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:33:00.474Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "TETRA:BURST",
"tags": [
"related",
"x_transferred"
],
"url": "https://tetraburst.com/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Mobile Radio",
"vendor": "Motorola",
"versions": [
{
"status": "affected",
"version": "MTM5000"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Midnight Blue"
}
],
"descriptions": [
{
"lang": "en",
"value": "Motorola MTM5000 series firmwares lack properly configured memory protection of pages shared between the OMAP-L138 ARM and DSP cores. The SoC provides two memory protection units, MPU1 and MPU2, to enforce the trust boundary between the two cores. Since both units are left unconfigured by the firmwares, an adversary with control over either core can trivially gain code execution on the other, by overwriting code located in shared RAM or DDR2 memory regions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H/E:F/RL:U/RC:C/CR:X/IR:X/AR:X/MAV:L/MAC:L/MPR:H/MUI:N/MS:C/MC:L/MI:H/MA:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1260",
"description": "Improper Handling of Overlap Between Protected Memory Ranges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T00:27:54.327174Z",
"orgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"shortName": "NCSC-NL"
},
"references": [
{
"name": "TETRA:BURST",
"tags": [
"related"
],
"url": "https://tetraburst.com/"
}
],
"title": "Unconfigured memory protection modules in Motorola MTM5000"
}
},
"cveMetadata": {
"assignerOrgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"assignerShortName": "NCSC-NL",
"cveId": "CVE-2022-27813",
"datePublished": "2023-10-19T09:34:44.148Z",
"dateReserved": "2022-03-24T03:04:57.475Z",
"dateUpdated": "2024-08-03T05:33:00.474Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-26943 (GCVE-0-2022-26943)
Vulnerability from cvelistv5 – Published: 2023-10-19 09:34 – Updated: 2024-08-03 05:18
VLAI?
Title
Weak PRNG entropy source used for authentication challenge generation in Motorola MTM5000
Summary
The Motorola MTM5000 series firmwares generate TETRA authentication challenges using a PRNG using a tick count register as its sole entropy source. Low boottime entropy and limited re-seeding of the pool renders the authentication challenge vulnerable to two attacks. First, due to the limited boottime pool entropy, an adversary can derive the contents of the entropy pool by an exhaustive search of possible values, based on an observed authentication challenge. Second, an adversary can use knowledge of the entropy pool to predict authentication challenges. As such, the unit is vulnerable to CVE-2022-24400.
Severity ?
CWE
- CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Motorola | Mobile Radio |
Affected:
MTM5000
|
Credits
Midnight Blue
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:h:motorola:mtm5000_series_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "mtm5000_series_firmware",
"vendor": "motorola",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-26943",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-15T14:13:05.693366Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T15:28:46.797Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:18:38.337Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "TETRA:BURST",
"tags": [
"related",
"x_transferred"
],
"url": "https://tetraburst.com/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Mobile Radio",
"vendor": "Motorola",
"versions": [
{
"status": "affected",
"version": "MTM5000"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Midnight Blue"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Motorola MTM5000 series firmwares generate TETRA authentication challenges using a PRNG using a tick count register as its sole entropy source. Low boottime entropy and limited re-seeding of the pool renders the authentication challenge vulnerable to two attacks. First, due to the limited boottime pool entropy, an adversary can derive the contents of the entropy pool by an exhaustive search of possible values, based on an observed authentication challenge. Second, an adversary can use knowledge of the entropy pool to predict authentication challenges. As such, the unit is vulnerable to CVE-2022-24400."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:U/RC:C/CR:H/IR:H/AR:H/MAV:A/MAC:L/MPR:N/MUI:N/MS:U/MC:H/MI:H/MA:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-338",
"description": "Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T00:27:54.327174Z",
"orgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"shortName": "NCSC-NL"
},
"references": [
{
"name": "TETRA:BURST",
"tags": [
"related"
],
"url": "https://tetraburst.com/"
}
],
"title": "Weak PRNG entropy source used for authentication challenge generation in Motorola MTM5000"
}
},
"cveMetadata": {
"assignerOrgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"assignerShortName": "NCSC-NL",
"cveId": "CVE-2022-26943",
"datePublished": "2023-10-19T09:34:20.646Z",
"dateReserved": "2022-03-11T22:19:24.849Z",
"dateUpdated": "2024-08-03T05:18:38.337Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-26941 (GCVE-0-2022-26941)
Vulnerability from nvd – Published: 2023-10-19 09:35 – Updated: 2024-09-12 20:28
VLAI?
Title
Format string vulnerability in AT+CTGL command in Motorola MTM5000
Summary
A format string vulnerability exists in Motorola MTM5000 series firmware AT command handler for the AT+CTGL command. An attacker-controllable string is improperly handled, allowing for a write-anything-anywhere scenario. This can be leveraged to obtain arbitrary code execution inside the teds_app binary, which runs with root privileges.
Severity ?
CWE
- CWE-134 - Use of Externally-Controlled Format String
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Motorola | Mobile Radio |
Affected:
MTM5000
|
Credits
Midnight Blue
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:18:38.375Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "TETRA:BURST",
"tags": [
"related",
"x_transferred"
],
"url": "https://tetraburst.com/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:motorola:mobile_radio:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "mobile_radio",
"vendor": "motorola",
"versions": [
{
"status": "affected",
"version": "mtm5000"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-26941",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-12T20:25:32.359297Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T20:28:58.903Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Mobile Radio",
"vendor": "Motorola",
"versions": [
{
"status": "affected",
"version": "MTM5000"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Midnight Blue"
}
],
"descriptions": [
{
"lang": "en",
"value": "A format string vulnerability exists in Motorola MTM5000 series firmware AT command handler for the AT+CTGL command. An attacker-controllable string is improperly handled, allowing for a write-anything-anywhere scenario. This can be leveraged to obtain arbitrary code execution inside the teds_app binary, which runs with root privileges."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:U/RC:C/CR:X/IR:X/AR:X/MAV:A/MAC:L/MPR:N/MUI:N/MS:C/MC:H/MI:H/MA:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-134",
"description": "Use of Externally-Controlled Format String",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T00:27:54.327174Z",
"orgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"shortName": "NCSC-NL"
},
"references": [
{
"name": "TETRA:BURST",
"tags": [
"related"
],
"url": "https://tetraburst.com/"
}
],
"title": "Format string vulnerability in AT+CTGL command in Motorola MTM5000"
}
},
"cveMetadata": {
"assignerOrgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"assignerShortName": "NCSC-NL",
"cveId": "CVE-2022-26941",
"datePublished": "2023-10-19T09:35:52.646Z",
"dateReserved": "2022-03-11T22:19:24.847Z",
"dateUpdated": "2024-09-12T20:28:58.903Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-26942 (GCVE-0-2022-26942)
Vulnerability from nvd – Published: 2023-10-19 09:35 – Updated: 2024-08-03 05:18
VLAI?
Title
Multiple missing pointer validation checks in trusted execution module in Motorola MTM5000
Summary
The Motorola MTM5000 series firmwares lack pointer validation on arguments passed to trusted execution environment (TEE) modules. Two modules are used, one responsible for KVL key management and the other for TETRA cryptographic functionality. In both modules, an adversary with non-secure supervisor level code execution can exploit the issue in order to gain secure supervisor code execution within the TEE. This constitutes a full break of the TEE module, exposing the device key as well as any TETRA cryptographic keys and the confidential TETRA cryptographic primitives.
Severity ?
CWE
- CWE-822 - Untrusted Pointer Dereference
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Motorola | Mobile Radio |
Affected:
MTM5000
|
Credits
Midnight Blue
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:h:motorola:mtm5000_series_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "mtm5000_series_firmware",
"vendor": "motorola",
"versions": [
{
"status": "affected",
"version": "0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-26942",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-15T16:23:58.876138Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T16:25:32.089Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:18:38.371Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "TETRA:BURST",
"tags": [
"related",
"x_transferred"
],
"url": "https://tetraburst.com/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Mobile Radio",
"vendor": "Motorola",
"versions": [
{
"status": "affected",
"version": "MTM5000"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Midnight Blue"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Motorola MTM5000 series firmwares lack pointer validation on arguments passed to trusted execution environment (TEE) modules. Two modules are used, one responsible for KVL key management and the other for TETRA cryptographic functionality. In both modules, an adversary with non-secure supervisor level code execution can exploit the issue in order to gain secure supervisor code execution within the TEE. This constitutes a full break of the TEE module, exposing the device key as well as any TETRA cryptographic keys and the confidential TETRA cryptographic primitives. "
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:F/RL:U/RC:C/CR:X/IR:X/AR:X/MAV:L/MAC:L/MPR:H/MUI:N/MS:C/MC:H/MI:H/MA:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-822",
"description": "Untrusted Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T00:27:54.327174Z",
"orgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"shortName": "NCSC-NL"
},
"references": [
{
"name": "TETRA:BURST",
"tags": [
"related"
],
"url": "https://tetraburst.com/"
}
],
"title": "Multiple missing pointer validation checks in trusted execution module in Motorola MTM5000"
}
},
"cveMetadata": {
"assignerOrgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"assignerShortName": "NCSC-NL",
"cveId": "CVE-2022-26942",
"datePublished": "2023-10-19T09:35:24.386Z",
"dateReserved": "2022-03-11T22:19:24.848Z",
"dateUpdated": "2024-08-03T05:18:38.371Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-27813 (GCVE-0-2022-27813)
Vulnerability from nvd – Published: 2023-10-19 09:34 – Updated: 2024-08-03 05:33
VLAI?
Title
Unconfigured memory protection modules in Motorola MTM5000
Summary
Motorola MTM5000 series firmwares lack properly configured memory protection of pages shared between the OMAP-L138 ARM and DSP cores. The SoC provides two memory protection units, MPU1 and MPU2, to enforce the trust boundary between the two cores. Since both units are left unconfigured by the firmwares, an adversary with control over either core can trivially gain code execution on the other, by overwriting code located in shared RAM or DDR2 memory regions.
Severity ?
CWE
- CWE-1260 - Improper Handling of Overlap Between Protected Memory Ranges
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Motorola | Mobile Radio |
Affected:
MTM5000
|
Credits
Midnight Blue
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-27813",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-15T15:42:18.505018Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-16T13:32:53.489Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:33:00.474Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "TETRA:BURST",
"tags": [
"related",
"x_transferred"
],
"url": "https://tetraburst.com/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Mobile Radio",
"vendor": "Motorola",
"versions": [
{
"status": "affected",
"version": "MTM5000"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Midnight Blue"
}
],
"descriptions": [
{
"lang": "en",
"value": "Motorola MTM5000 series firmwares lack properly configured memory protection of pages shared between the OMAP-L138 ARM and DSP cores. The SoC provides two memory protection units, MPU1 and MPU2, to enforce the trust boundary between the two cores. Since both units are left unconfigured by the firmwares, an adversary with control over either core can trivially gain code execution on the other, by overwriting code located in shared RAM or DDR2 memory regions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H/E:F/RL:U/RC:C/CR:X/IR:X/AR:X/MAV:L/MAC:L/MPR:H/MUI:N/MS:C/MC:L/MI:H/MA:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1260",
"description": "Improper Handling of Overlap Between Protected Memory Ranges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T00:27:54.327174Z",
"orgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"shortName": "NCSC-NL"
},
"references": [
{
"name": "TETRA:BURST",
"tags": [
"related"
],
"url": "https://tetraburst.com/"
}
],
"title": "Unconfigured memory protection modules in Motorola MTM5000"
}
},
"cveMetadata": {
"assignerOrgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"assignerShortName": "NCSC-NL",
"cveId": "CVE-2022-27813",
"datePublished": "2023-10-19T09:34:44.148Z",
"dateReserved": "2022-03-24T03:04:57.475Z",
"dateUpdated": "2024-08-03T05:33:00.474Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-26943 (GCVE-0-2022-26943)
Vulnerability from nvd – Published: 2023-10-19 09:34 – Updated: 2024-08-03 05:18
VLAI?
Title
Weak PRNG entropy source used for authentication challenge generation in Motorola MTM5000
Summary
The Motorola MTM5000 series firmwares generate TETRA authentication challenges using a PRNG using a tick count register as its sole entropy source. Low boottime entropy and limited re-seeding of the pool renders the authentication challenge vulnerable to two attacks. First, due to the limited boottime pool entropy, an adversary can derive the contents of the entropy pool by an exhaustive search of possible values, based on an observed authentication challenge. Second, an adversary can use knowledge of the entropy pool to predict authentication challenges. As such, the unit is vulnerable to CVE-2022-24400.
Severity ?
CWE
- CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Motorola | Mobile Radio |
Affected:
MTM5000
|
Credits
Midnight Blue
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:h:motorola:mtm5000_series_firmware:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "mtm5000_series_firmware",
"vendor": "motorola",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-26943",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-15T14:13:05.693366Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T15:28:46.797Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:18:38.337Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "TETRA:BURST",
"tags": [
"related",
"x_transferred"
],
"url": "https://tetraburst.com/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Mobile Radio",
"vendor": "Motorola",
"versions": [
{
"status": "affected",
"version": "MTM5000"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Midnight Blue"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Motorola MTM5000 series firmwares generate TETRA authentication challenges using a PRNG using a tick count register as its sole entropy source. Low boottime entropy and limited re-seeding of the pool renders the authentication challenge vulnerable to two attacks. First, due to the limited boottime pool entropy, an adversary can derive the contents of the entropy pool by an exhaustive search of possible values, based on an observed authentication challenge. Second, an adversary can use knowledge of the entropy pool to predict authentication challenges. As such, the unit is vulnerable to CVE-2022-24400."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:U/RC:C/CR:H/IR:H/AR:H/MAV:A/MAC:L/MPR:N/MUI:N/MS:U/MC:H/MI:H/MA:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-338",
"description": "Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T00:27:54.327174Z",
"orgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"shortName": "NCSC-NL"
},
"references": [
{
"name": "TETRA:BURST",
"tags": [
"related"
],
"url": "https://tetraburst.com/"
}
],
"title": "Weak PRNG entropy source used for authentication challenge generation in Motorola MTM5000"
}
},
"cveMetadata": {
"assignerOrgId": "cf4a7ff5-dd38-4ede-a530-ffaa7ea59c39",
"assignerShortName": "NCSC-NL",
"cveId": "CVE-2022-26943",
"datePublished": "2023-10-19T09:34:20.646Z",
"dateReserved": "2022-03-11T22:19:24.849Z",
"dateUpdated": "2024-08-03T05:18:38.337Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}