CVE-2019-25052

9.1 CRITICAL

📋 TL;DR

This vulnerability in Linaro OP-TEE allows attackers to cause crashes that could leak sensitive information by calling cryptographic functions with inconsistent or malformed data. It affects systems using OP-TEE for trusted execution environments before version 3.7.0. The high CVSS score indicates significant potential impact on confidentiality and availability.

💻 Affected Systems

Products:
  • Linaro OP-TEE
Versions: All versions before 3.7.0
Operating Systems: Linux-based systems with OP-TEE integration
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems using OP-TEE for trusted execution, including various embedded and mobile devices.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Sensitive cryptographic keys and secure memory contents could be leaked, potentially compromising the entire trusted execution environment and enabling further attacks on the system.

🟠 Likely Case

Denial of service through OP-TEE crashes, with possible information leakage about cryptographic operations or memory layout.

🟢 If Mitigated

Limited impact if proper input validation and isolation controls are in place, though the vulnerability still represents a serious security flaw.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires ability to call cryptographic functions with malformed data, typically requiring some level of access to the trusted execution environment.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.7.0 and later

Vendor Advisory: https://github.com/OP-TEE/optee_os/security/advisories/GHSA-pgwr-qmgh-vhmf

Restart Required: Yes

Instructions:

1. Update OP-TEE to version 3.7.0 or later.
2. Rebuild and redeploy the OP-TEE firmware.
3. Reboot the affected systems to load the updated firmware.

🔧 Temporary Workarounds

Input validation enhancement

all

Implement additional input validation for cryptographic function calls

🧯 If You Can't Patch

  • Restrict access to cryptographic functions to trusted components only
  • Implement monitoring for abnormal OP-TEE crashes and investigate any occurrences

🔍 How to Verify

Check if Vulnerable:

Check OP-TEE version: cat /proc/device-tree/firmware/optee/version or check build configuration

Check Version:

cat /proc/device-tree/firmware/optee/version 2>/dev/null, or grep for 'CFG_OPTEE_REVISION' in the build configuration

Verify Fix Applied:

Verify OP-TEE version is 3.7.0 or later and check that the commit 34a08bec755670ea0490cb53bbc68058cafc69b6 is included
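
The two checks above can be scripted as follows. This is an added example, not code from the OP-TEE project or the advisory: the function names optee_status and optee_tree_has_fix are hypothetical, the sample version strings are constructed, and release strings are assumed to look like MAJOR.MINOR[.PATCH].

```sh
#!/bin/sh
# Added example (not OP-TEE project code). Function names are hypothetical.
FIX_MAJOR=3; FIX_MINOR=7          # fixed release per the page: 3.7.0
FIX_COMMIT=34a08bec755670ea0490cb53bbc68058cafc69b6   # commit named on the page

# optee_status VERSION -> prints "patched", "vulnerable" or "unknown".
# Assumes release strings look like MAJOR.MINOR[.PATCH], optionally "v"-prefixed.
optee_status() {
    ver=${1#v}
    case "$ver" in
        [0-9]*.[0-9]*) ;;
        *) echo unknown; return 0 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%[!0-9]*}
    case "$major" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    case "$minor" in '') echo unknown; return 0 ;; esac
    # Compare numerically: a string compare would rank 3.10 below 3.7.
    if [ "$major" -gt "$FIX_MAJOR" ] ||
       { [ "$major" -eq "$FIX_MAJOR" ] && [ "$minor" -gt "$FIX_MINOR" ]; }; then
        echo patched; return 0
    fi
    # Suffixed builds (-rc1, git-describe output) at or below 3.7 may or may
    # not contain the fix; report unknown so the commit check decides.
    case "$ver" in *-*) echo unknown; return 0 ;; esac
    if [ "$major" -eq "$FIX_MAJOR" ] && [ "$minor" -eq "$FIX_MINOR" ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# optee_tree_has_fix DIR -> exit 0 if the fix commit is an ancestor of HEAD
# in the optee_os checkout at DIR (the tree the firmware was built from).
optee_tree_has_fix() {
    git -C "$1" merge-base --is-ancestor "$FIX_COMMIT" HEAD
}

# Constructed sample version strings, for illustration only.
for v in 3.6.0 3.7.0 3.10.0 3.7.0-rc1; do
    printf '%s -> %s\n' "$v" "$(optee_status "$v")"
done
```

An "unknown" result means the version string alone cannot settle the question, so run optee_tree_has_fix against the source tree used for the build.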

📡 Detection & Monitoring

Log Indicators:

  • OP-TEE crash logs
  • Unexpected cryptographic function calls
  • Memory access violations in secure world

SIEM Query:

source="optee" AND (event="crash" OR event="panic" OR event="exception")
