
CVE-2022-46152: CWE-129: Improper Validation of Array Index in OP-TEE optee_os

Medium
Published: Tue Nov 29 2022 (11/29/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: OP-TEE
Product: optee_os

Description

OP-TEE Trusted OS is the secure-side implementation of the OP-TEE project, a Trusted Execution Environment. Versions prior to 3.19.0 contain an Improper Validation of Array Index vulnerability. The function `cleanup_shm_refs()` is called by both `entry_invoke_command()` and `entry_open_session()`. The commands `OPTEE_MSG_CMD_OPEN_SESSION` and `OPTEE_MSG_CMD_INVOKE_COMMAND` can be executed from the normal world via an OP-TEE SMC. This function does not validate the `num_params` argument, which is only limited to `OPTEE_MSG_MAX_NUM_PARAMS` (127) in the function `get_cmd_buffer()`. Therefore, an attacker in the normal world can craft an SMC call that causes out-of-bounds reading in `cleanup_shm_refs` and potentially the freeing of fake objects in the function `mobj_put()`. A normal-world attacker with permission to execute SMC instructions may exploit this flaw. Maintainers believe this problem permits local privilege escalation from the normal world to the secure world. Version 3.19.0 contains a fix for this issue. There are no known workarounds.

AI-Powered Analysis

Last updated: 06/21/2025, 20:07:14 UTC

Technical Analysis

CVE-2022-46152 is a vulnerability in the OP-TEE Trusted OS (optee_os), which is the secure side implementation of the OP-TEE project, a Trusted Execution Environment (TEE) widely used in embedded and mobile devices to provide a secure execution environment isolated from the normal operating system. The vulnerability exists in versions prior to 3.19.0 and is classified as CWE-129: Improper Validation of Array Index. Specifically, the function cleanup_shm_refs(), which is invoked by entry_invoke_command() and entry_open_session(), fails to properly validate the num_params argument. This argument is expected to be limited to OPTEE_MSG_MAX_NUM_PARAMS (127), but the function does not enforce this limit. The commands OPTEE_MSG_CMD_OPEN_SESSION and OPTEE_MSG_CMD_INVOKE_COMMAND can be triggered from the normal world via Secure Monitor Calls (SMCs). An attacker with permission to execute SMC instructions from the normal world can craft a malicious SMC call with an out-of-bounds num_params value, causing cleanup_shm_refs() to perform out-of-bounds reads and potentially free fake objects in the mobj_put() function. This improper memory handling can lead to memory corruption within the secure world, enabling a local privilege escalation attack from the normal world to the secure world. The vulnerability does not require user interaction but does require the attacker to have the ability to execute SMC instructions, which is typically restricted but possible in some threat models. The issue was fixed in version 3.19.0 of optee_os. There are no known workarounds, and no known exploits have been reported in the wild to date.
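The following is an added illustration of the bug class described above, not OP-TEE's own code: a simplified model of a fixed-size parameter table walked with a caller-controlled count, shown in its unchecked form beside a version that enforces the OPTEE_MSG_MAX_NUM_PARAMS bound before touching the array. The limit value is the one named in the advisory; the struct layout, helper names and refcount semantics are assumptions for illustration only.

```c
#include <stdint.h>
#include <stddef.h>

/* Real limit named in the advisory; everything else here is a constructed model. */
#define OPTEE_MSG_MAX_NUM_PARAMS 127

struct mobj { int refcount; };

struct shm_ref {
    struct mobj *mobj;   /* registered shared-memory object, or NULL (assumed layout) */
};

/* Fixed-size backing store: indices >= 127 lie outside refs[]. */
struct cmd_ctx {
    uint32_t num_params;                          /* taken from the normal-world message */
    struct shm_ref refs[OPTEE_MSG_MAX_NUM_PARAMS];
};

/* Simplified stand-in for a reference drop; returns 1 if an object was touched. */
int mobj_put(struct mobj *m)
{
    if (!m)
        return 0;
    if (m->refcount > 0)
        m->refcount--;
    return 1;
}

/* Unchecked pattern: trusts num_params, so a value above 127 reads past refs[]
 * and hands whatever memory follows to mobj_put(). Never call with num_params > 127. */
int cleanup_shm_refs_unchecked(struct cmd_ctx *ctx)
{
    int released = 0;
    for (uint32_t n = 0; n < ctx->num_params; n++)
        released += mobj_put(ctx->refs[n].mobj);
    return released;
}

/* Hardened pattern: validate the index bound before any array access and reject
 * the request, so an oversized count can never be used as an index. */
int cleanup_shm_refs_checked(struct cmd_ctx *ctx)
{
    if (ctx->num_params > OPTEE_MSG_MAX_NUM_PARAMS)
        return -1;
    int released = 0;
    for (uint32_t n = 0; n < ctx->num_params; n++)
        released += mobj_put(ctx->refs[n].mobj);
    return released;
}

/* Constructed scenario: objects registered at params 0 and 5, then cleanup with
 * a caller-supplied count. Returns the checked cleanup's result. */
int run_checked(uint32_t num_params)
{
    struct mobj a = { .refcount = 1 }, b = { .refcount = 1 };
    struct cmd_ctx ctx = { .num_params = num_params };
    ctx.refs[0].mobj = &a;
    ctx.refs[5].mobj = &b;
    return cleanup_shm_refs_checked(&ctx);
}
```

The checked variant returns an error for any count above 127 instead of indexing past the table, which is the class of guard the 3.19.0 fix adds according to the advisory.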

Potential Impact

The primary impact of this vulnerability is a local privilege escalation from the normal world to the secure world within devices using vulnerable versions of optee_os. Successful exploitation could allow an attacker to compromise the secure environment, potentially exposing sensitive cryptographic keys, secure storage, or trusted applications running in the TEE. For European organizations, this could have significant consequences, especially for industries relying on secure hardware platforms such as telecommunications, automotive, finance, and critical infrastructure. Compromise of the TEE could undermine device integrity, enable unauthorized access to secure credentials, and facilitate further attacks on the device or network. Given that OP-TEE is commonly used in ARM-based embedded systems and mobile devices, organizations deploying such hardware in Europe could face risks of data breaches, intellectual property theft, or disruption of secure services. Although exploitation requires local access and the ability to execute SMC instructions, insider threats or malware with elevated privileges could leverage this vulnerability. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits over time.

Mitigation Recommendations

To mitigate this vulnerability, organizations should prioritize upgrading optee_os to version 3.19.0 or later, where the issue is fixed. Since no workarounds exist, patching is the only effective remediation. Additionally, organizations should:

1) Restrict and monitor access to the normal world components that can execute SMC instructions, limiting the ability of untrusted code to invoke OP-TEE commands.
2) Implement strict code integrity and runtime protections on the normal world OS to prevent unauthorized code execution that could exploit this vulnerability.
3) Employ hardware-based security features such as ARM TrustZone configuration best practices to minimize the attack surface.
4) Conduct regular security audits and penetration testing focusing on TEE interfaces and SMC call handling.
5) For device manufacturers and integrators, ensure secure boot and firmware validation mechanisms are in place to prevent tampering with optee_os or related components.
6) Monitor vendor advisories and threat intelligence feeds for any emerging exploits targeting this vulnerability to respond promptly.


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2022-11-28T00:00:00.000Z
Cisa Enriched
true

Threat ID: 682d9849c4522896dcbf6ebc

Added to database: 5/21/2025, 9:09:29 AM

Last enriched: 6/21/2025, 8:07:14 PM

Last updated: 7/30/2025, 4:06:14 AM
