CVE-2024-38532

Published: Jun 28, 2024

Modified: Aug 2, 2024

PUBLISHED

CVSS v3.1

7.1

HIGH

Description

The NXP Data Co-Processor (DCP) is a built-in hardware module for specific NXP SoCs¹ that implements a dedicated AES cryptographic engine for encryption/decryption operations. The dcp_tool reference implementation included in the repository selected the test key, regardless of its `-t` argument. This issue has been patched in commit 26a7.

Vendor	Product	Versions
usbarmory	mxs-dcp	affected `>= commit 6151, < commit 26a7`

Weaknesses (CWE)

CWE-321

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

References

https://github.com/usbarmory/mxs-dcp/security/advisories/GHSA-g85c-rh49-p8cq

x_refsource_CONFIRM

https://github.com/usbarmory/mxs-dcp/commit/e5a99cb3d9429e6145495da7d01525c75af426a7

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-38532

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References