CVE-2021-36133
📋 TL;DR
This vulnerability allows attackers to bypass TrustZone security on affected NXP i.MX SoC devices by exploiting a DMA-capable peripheral to read/write Secure World memory from the NonSecure World. It affects systems using OPTEE-OS CSU driver without proper security access configuration. This impacts embedded devices, IoT systems, and industrial control systems using vulnerable NXP chips.
💻 Affected Systems
- NXP i.MX 6, i.MX 7, i.MX 8M, i.MX 8M Mini, i.MX 8M Nano, i.MX 8M Plus SoCs
📦 What is this software?
Op Tee by Linaro
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of TrustZone secure environment, extraction of cryptographic keys and sensitive data, execution of arbitrary code in secure world, and permanent device compromise.
Likely Case
Extraction of sensitive data from secure world, manipulation of secure processes, and potential privilege escalation to secure execution environment.
If Mitigated
Limited impact if proper network segmentation and access controls prevent physical or local access to vulnerable devices.
🎯 Exploit Status
Exploitation requires DMA peripheral access; proof-of-concept available in advisory references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: OPTEE-OS 3.14.0 and later
Vendor Advisory: https://github.com/OP-TEE/optee_os/security/advisories/GHSA-5wj2-8fj2-8j6x
Restart Required: Yes
Instructions:
1. Update OPTEE-OS to version 3.14.0 or later. 2. Rebuild and redeploy secure firmware. 3. Update bootloader and system firmware as needed. 4. Perform full system reboot.
🔧 Temporary Workarounds
Disable vulnerable DMA peripherals
linuxDisable or restrict access to DMA-capable peripherals that could be used for exploitation.
Check device tree configurations for peripheral access controls
Modify /etc/modprobe.d/ to blacklist vulnerable drivers
Implement memory access restrictions
linuxConfigure memory protection units (MPUs) or system memory controllers to restrict NonSecure World access.
Configure SoC-specific memory controller settings
Implement secure boot with verified firmware
🧯 If You Can't Patch
- Isolate vulnerable devices on segmented networks with strict access controls
- Implement physical security controls to prevent unauthorized device access
🔍 How to Verify
Check if Vulnerable:
Check OPTEE-OS version: cat /proc/device-tree/firmware/optee/version or check boot logs for OPTEE versionCheck Version:
dmesg | grep -i optee || cat /proc/device-tree/firmware/optee/version 2>/dev/nullVerify Fix Applied:
Verify OPTEE-OS version is 3.14.0 or later and check that CSU driver security configurations are properly set📡 Detection & Monitoring
Log Indicators:
- Unusual DMA peripheral access attempts
- Secure world memory access violations
- OPTEE initialization failures
Network Indicators:
- Unexpected device reboots or resets
- Anomalous peripheral communication patterns
SIEM Query:
source="kernel" AND ("OP-TEE" OR "TrustZone") AND ("error" OR "violation" OR "access denied")