Summary Last year we published research at Black Hat in which we disclosed multiple vulnerabilities in Huawei Kirin SoC’s DDR Controller (DMSS) Access Permission system which allowed some SoC cores or DMA-capable peripherals to directly access secure world memory and completely compromise the entire memory of the SoC. This advisory focuses on a new access permission vulnerability in the same DMSS. The vulnerability can be used to entirely compromise the Trusted Execution Environment from the Baseband. The vulnerability was fixed in February 2022. Vulnerability Details The peripheral DMA lives up to its name, as it is mainly used to interact between multiple communication peripherals (e.

Summary There is a vulnerability in the Huawei Kirin SoC’s DDR Controller (DMSS) Access Permission system which allows the baseband to bypass the Baseband’s MPU memory protections and circumvent RO and NX protections. The vulnerability was fixed in February 2022. Vulnerability Details CVE-2021-22430 is a vulnerability in the Huawei Kirin SoC’s basebands which allowed to circumvent MPU restrictions. The vulnerability in CVE-2021-22430 was that MPU configuration was restored from a writable table for sleep cycles and therefore overwriting the cached entries resulted in new settings taking effect. This worked because the implementation normally only wrote the table once (not every time the core went to sleep) but restored the MPU configuration from it every time it was woken up.

Summary Last year we published research at Black Hat in which we disclosed multiple vulnerabilities in Huawei Kirin SoC’s DDR Controller (DMSS) Access Permission system which allowed some SoC cores or DMA-capable peripherals to directly access secure world memory and completely compromise the entire memory of the SoC. This advisory focuses on a new access permission vulnerability in the same DMSS. The vulnerability can be used to entirely compromise the SoC platform runtime (including all cores running in Secure World) directly from the Baseband. The vulnerability was fixed in February 2022. Vulnerability Details This vulnerability is very similar to CVE-2021-39991 (“Huawei DMSS Memory Access Management Configuration Unathorized Rewrite Via Peripheral DMA”).

Summary Last year we published research at Black Hat in which we disclosed multiple vulnerabilities in Huawei Kirin SoC’s DDR Controller (DMSS) Access Permission system which allowed some SoC cores or DMA-capable peripherals to directly access secure world memory and completely compromise the entire memory of the SoC. This advisory focuses on a new access permission vulnerability in the same DMSS. The vulnerability can be used to entirely compromise the SoC platform runtime (including all cores running in Secure World) directly from the Baseband. The vulnerability was fixed in February 2022. Vulnerability Details This vulnerability is very similar to CVE-2021-37107 (“Huawei Peripheral DMA Memory Access Permission Bypass”).

Summary There is a vulnerability in the Huawei Kirin SoC’s DDR Controller (DMSS) Access Permission system which allows the Linux kernel to bypass memory access restrictions and directly compromise multiple privileged subsystems of the SoC. As demonstrated by CVE-2021-3710, CVE-2021-39991, CVE-2021-37115, and CVE-2021-39986, read and write of critical system memory, including secure memory regions, is possible via those subsystems. Therefore, this vulnerability combined with one of CVE-2021-3710, CVE-2021-39991, CVE-2021-37115, or CVE-2021-39986 results in a fully realized chain of elevation of privileges from a kernel-level write primitive to total control of the secure world (TEE). The vulnerability was fixed in February 2022.