CVE-2021-43619
Description
Trusted Firmware M 1.4.x through 1.4.1 contains a stack buffer overflow in the Firmware Update partition, allowing SPE or NSPE callers to overwrite stack memory.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Trusted Firmware M versions 1.4.x through 1.4.1 contain a buffer overflow vulnerability within the Firmware Update partition. This issue occurs in the IPC model, where a psa_fwu_write caller originating from either the Secure Processing Environment (SPE) or Non-secure Processing Environment (NSPE) can overwrite stack memory locations [1].
Exploitation
An attacker with the ability to call the psa_fwu_write function from either the SPE or NSPE could trigger this vulnerability. The specific conditions or prerequisites for an attacker to gain this calling capability are not detailed in the available references [1, 2].
Impact
Successful exploitation of this buffer overflow vulnerability allows an attacker to overwrite stack memory. This could lead to a denial-of-service condition or potentially allow for arbitrary code execution within the context of the firmware update process, depending on the specific overwrite achieved [1].
Mitigation
Trusted Firmware M versions 1.4.x through 1.4.1 are affected. A fix for this vulnerability has been released in Trusted Firmware M version 1.5.0, which was made available on December 15, 2021 [1]. Users are advised to update to version 1.5.0 or later. No workarounds are described in the available references [2].
AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Trusted Firmware/Trusted Firmware M
- Range: 1.4.x - 1.4.1
Patches
No patches discovered yet.
References
- tf-m-user-guide.trustedfirmware.org/docs/security/security_advisories/fwu_write_vulnerability.html (nvd: Exploit, Patch, Third Party Advisory)
- developer.arm.com/support/arm-security-updates (nvd: Vendor Advisory)
- www.trustedfirmware.org (nvd: Product)