CVE-2021-37115: Huawei DMSS Memory Access Management Configuration Unauthorized Rewrite Via ASP DMA

Summary
Last year we published research at Black Hat in which we disclosed multiple vulnerabilities in the Huawei Kirin SoC's DDR Controller (DMSS) Access Permission system that allowed some SoC cores or DMA-capable peripherals to directly access Secure World memory and completely compromise the entire memory of the SoC. This advisory focuses on a new access permission vulnerability in the same DMSS. The vulnerability can be used to entirely compromise the SoC platform runtime (including all cores running in Secure World) directly from the Baseband. The vulnerability was fixed in February 2022.

Vulnerability Details
This vulnerability is very similar to CVE-2021-39991 ("Huawei DMSS Memory Access Management Configuration Unauthorized Rewrite Via Peripheral DMA").

CVE-2021-39986: Huawei Baseband Memory Access Permission Bypass And DMSS Memory Access Management Configuration Unauthorized Rewrite Via LPMCU

Summary
Last year we published research at Black Hat in which we disclosed multiple vulnerabilities in the Huawei Kirin SoC's DDR Controller (DMSS) Access Permission system that allowed some SoC cores or DMA-capable peripherals to directly access Secure World memory and completely compromise the entire memory of the SoC. This advisory focuses on a new access permission vulnerability in the same DMSS. The vulnerability can be used to entirely compromise the SoC platform runtime (including all cores running in Secure World) directly from the Baseband. The vulnerability was fixed in February 2022.

Vulnerability Details
We have identified two related vulnerabilities in the LPMSS subsystem of Huawei Kirin SoCs.

CVE-2021-39991: Huawei DMSS Memory Access Management Configuration Unauthorized Rewrite Via Peripheral DMA

Summary
Last year we published research at Black Hat in which we disclosed multiple vulnerabilities in the Huawei Kirin SoC's DDR Controller (DMSS) Access Permission system that allowed some SoC cores or DMA-capable peripherals to directly access Secure World memory and completely compromise the entire memory of the SoC. This advisory focuses on a new access permission vulnerability in the same DMSS. The vulnerability can be used to entirely compromise the SoC platform runtime (including all cores running in Secure World) directly from the Baseband. The vulnerability was fixed in February 2022.

Vulnerability Details
This vulnerability is very similar to CVE-2021-37107 ("Huawei Peripheral DMA Memory Access Permission Bypass").