CVE-2022-27813

Unconfigured memory protection modules in Motorola MTM5000

CVSS 8.1 HIGH · EPSS 0.2% · CWE-1260
In short

Motorola MTM5000 radios fail to properly protect shared memory between two processor cores, allowing an attacker who controls one core to take over the other by overwriting code in shared memory.

Technical detail

The firmware does not configure the MPU1 and MPU2 memory protection units on the OMAP-L138 SoC, leaving the trust boundary between ARM and DSP cores unenforced. An adversary with code execution on either core can exploit this to gain arbitrary code execution on the other core by modifying shared RAM or DDR2 regions.

Summary generated and translated by AI from the official description.
Motorola MTM5000 series firmwares lack properly configured memory protection of pages shared between the OMAP-L138 ARM and DSP cores. The SoC provides two memory protection units, MPU1 and MPU2, to enforce the trust boundary between the two cores. Since both units are left unconfigured by the firmwares, an adversary with control over either core can trivially gain code execution on the other, by overwriting code located in shared RAM or DDR2 memory regions.
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H/E:F/RL:U/RC:C/CR:X/IR:X/AR:X/MAV:L/MAC:L/MPR:H/MUI:N/MS:C/MC:L/MI:H/MA:H
Affected products
Motorola · Mobile Radio
