On this page we list all known security vulnerabilities found in OP-TEE, together with when each was fixed and who reported it.

If you have found a security issue in OP-TEE, please send us an email (see About) and someone from the team will contact you for further discussion. The initial email doesn’t have to contain any details.

December 2016

RSA key leakage in modular exponentiation

Description

Applus+ Laboratories found that OP-TEE is vulnerable to a timing attack in its modular exponentiation, which is built on Montgomery operations.

One way to optimize modular exponentiation is to use Montgomery multiplication and Montgomery reduction. OP-TEE implements the Montgomery operations in its big number library, libmpa. The current implementation uses a binary left-to-right (LtoR) exponentiation. The LtoR implementation is vulnerable to timing attacks because it leaks information about the exponent in use: each loop iteration takes a different amount of time depending on the value of the exponent bit being processed, since the extra multiplication is only performed when the bit is set. The leaked information can be used to completely recover the private key. One mitigation is to replace LtoR with a constant-time exponentiation algorithm. One such algorithm is the so-called Montgomery powering ladder, which does the same amount of work in every iteration, i.e. it always performs both a squaring and a multiplication regardless of the bit value. The fix (Montgomery ladder) for the timing attack has been implemented in:

optee_os.git:

Reported by: Applus+ Laboratories
CVE ID: N/A
OP-TEE ID: OP-TEE-2016-0003
Affected versions: All versions prior to OP-TEE 2.5.0
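To make the difference between the two exponentiation strategies concrete, here is an added example (not OP-TEE or libmpa code) that implements left-to-right square-and-multiply and the Montgomery ladder side by side and counts the modular multiplications each performs. It uses 32-bit operands so products fit in 64 bits; the modulus 1000003 and the exponents are constructed for the demonstration. For exponents of the same bit length, the LtoR count varies with the number of set bits while the ladder count is fixed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not OP-TEE/libmpa code: 32-bit toy operands so that
 * products fit in 64 bits. Real RSA uses multi-limb big numbers. */

static uint32_t mulmod(uint32_t a, uint32_t b, uint32_t m)
{
    return (uint32_t)(((uint64_t)a * b) % m);
}

static int bit_length(uint32_t e)
{
    int n = 0;
    while (e) { n++; e >>= 1; }
    return n;
}

/* Left-to-right binary exponentiation: one squaring per exponent bit plus
 * an extra multiplication only when the bit is set, so the amount of work
 * (and therefore time) depends on the exponent's Hamming weight. */
uint32_t modexp_ltor(uint32_t base, uint32_t exp, uint32_t mod, unsigned *ops)
{
    uint32_t r = 1 % mod;
    unsigned count = 0;
    for (int i = bit_length(exp) - 1; i >= 0; i--) {
        r = mulmod(r, r, mod);                 /* square, every bit */
        count++;
        if ((exp >> i) & 1) {
            r = mulmod(r, base % mod, mod);    /* multiply, set bits only */
            count++;
        }
    }
    if (ops) *ops = count;
    return r;
}

/* Montgomery ladder: exactly one multiplication and one squaring per bit
 * whatever the bit's value; the bit only selects which register is updated.
 * A production version must also make that selection without bit-dependent
 * branches or memory access patterns; the indexing here shows the idea only. */
uint32_t modexp_ladder(uint32_t base, uint32_t exp, uint32_t mod, unsigned *ops)
{
    uint32_t r[2] = { 1 % mod, base % mod };  /* invariant: r[1] == r[0] * base */
    unsigned count = 0;
    for (int i = bit_length(exp) - 1; i >= 0; i--) {
        unsigned b = (exp >> i) & 1;
        r[1 - b] = mulmod(r[0], r[1], mod);   /* multiply */
        r[b] = mulmod(r[b], r[b], mod);       /* square */
        count += 2;
    }
    if (ops) *ops = count;
    return r[0];
}

/* Operation counts for a fixed base and modulus (constructed values). */
unsigned ltor_ops(uint32_t exp)   { unsigned n; modexp_ltor(7, exp, 1000003u, &n);   return n; }
unsigned ladder_ops(uint32_t exp) { unsigned n; modexp_ladder(7, exp, 1000003u, &n); return n; }

int main(void)
{
    const uint32_t exps[] = { 8u, 11u, 15u };   /* 4-bit exponents, weights 1, 3, 4 */
    for (size_t i = 0; i < sizeof exps / sizeof exps[0]; i++) {
        printf("exp=%2u ltor=%u ladder=%u ltor_ops=%u ladder_ops=%u\n",
               exps[i],
               modexp_ltor(7, exps[i], 1000003u, 0),
               modexp_ladder(7, exps[i], 1000003u, 0),
               ltor_ops(exps[i]), ladder_ops(exps[i]));
    }
    return 0;
}
```

Running it shows 5, 7 and 8 multiplications for the LtoR path against a constant 8 for the ladder, which is the leak the ladder closes at the algorithmic level. Note that a ladder alone is not sufficient: the underlying Montgomery multiplication and the register selection must also run in constant time for the whole exponentiation to be free of exponent-dependent timing.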

Bellcore attack

Description

Applus+ Laboratories found that OP-TEE is vulnerable to the Bellcore attack when subjected to fault injection (glitching).

A common way to speed up RSA calculations is to use the Chinese Remainder Theorem (CRT). This optimization is also used in LibTomCrypt, which is currently the default software crypto library in OP-TEE. In short, when using CRT you operate on the individual prime factors ‘p’ and ‘q’ separately and later combine the two partial results into the final result, instead of doing the exponentiation directly modulo n. However, this also means that if something goes wrong in the intermediate calculation with ‘p’ or ‘q’, it is possible to completely recover the private key if you also have access to a valid signature. I.e. it is the combination of a valid and an invalid signature that makes it possible to recover the private key.

The important thing is to never return an incorrect signature to the caller. LibTomCrypt already has mitigations for this. The flag LTC_RSA_CRT_HARDENING enables code that checks that the signature is indeed valid before returning it to the user, and the flag LTC_RSA_BLINDING mixes a random value into the intermediate calculations. OP-TEE has not had those flags enabled by default in the past, and when enabling them some code was missing related to random number generation for big numbers (mpanum). The fixes for this issue can be found in:

optee_os.git:

The fix can be found in OP-TEE starting from v2.5.0.

Reported by: Applus+ Laboratories
CVE ID: N/A
OP-TEE ID: OP-TEE-2016-0002
Affected versions: All versions prior to OP-TEE 2.5.0
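The verify-before-release check that LTC_RSA_CRT_HARDENING stands for is small enough to show in full. The following is an added example (not OP-TEE or LibTomCrypt code) of toy CRT-RSA signing on 32-bit numbers with a simulated fault in the mod-p half, beside a hardened signing routine that refuses to release any signature that does not verify under the public key. The primes 61 and 53, exponent 17 and message 65 are constructed for the demonstration; blinding is not shown.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example, not OP-TEE or LibTomCrypt code. Primes must be < 65536 so
 * that n = p*q fits in 32 bits; the key here is a toy, not a real one. */

typedef struct {
    uint32_t n, e, d, p, q, dp, dq, qinv;
} rsa_key_t;

static uint32_t mulmod(uint32_t a, uint32_t b, uint32_t m)
{
    return (uint32_t)(((uint64_t)a * b) % m);
}

static uint32_t powmod(uint32_t b, uint32_t e, uint32_t m)
{
    uint32_t r = 1 % m;
    b %= m;
    while (e) {
        if (e & 1) r = mulmod(r, b, m);
        b = mulmod(b, b, m);
        e >>= 1;
    }
    return r;
}

/* Modular inverse by the extended Euclidean algorithm; 0 if none exists. */
static uint32_t modinv(uint32_t a, uint32_t m)
{
    int64_t t = 0, newt = 1, r = m, newr = a % m;
    while (newr != 0) {
        int64_t q = r / newr, tmp;
        tmp = t - q * newt; t = newt; newt = tmp;
        tmp = r - q * newr; r = newr; newr = tmp;
    }
    if (r != 1) return 0;
    return (uint32_t)(t < 0 ? t + m : t);
}

/* Derive d and the CRT parameters dp, dq, qinv from two primes and e. */
int rsa_key_init(rsa_key_t *k, uint32_t p, uint32_t q, uint32_t e)
{
    uint32_t phi = (p - 1) * (q - 1);
    k->p = p; k->q = q; k->e = e; k->n = p * q;
    k->d = modinv(e, phi);
    k->qinv = modinv(q, p);
    if (k->d == 0 || k->qinv == 0) return -1;
    k->dp = k->d % (p - 1);
    k->dq = k->d % (q - 1);
    return 0;
}

/* CRT signing: exponentiate modulo p and q separately, recombine (Garner).
 * fault_p flips one bit of the mod-p intermediate to simulate a glitch.
 * This unhardened path returns whatever it computed, faulty or not. */
uint32_t rsa_crt_sign_unhardened(const rsa_key_t *k, uint32_t m, bool fault_p)
{
    uint32_t sp = powmod(m % k->p, k->dp, k->p);
    uint32_t sq = powmod(m % k->q, k->dq, k->q);
    if (fault_p)
        sp = (sp ^ 1u) % k->p;          /* simulated fault, constructed for the demo */
    uint32_t h = mulmod(k->qinv, (sp + k->p - (sq % k->p)) % k->p, k->p);
    return (uint32_t)(((uint64_t)h * k->q + sq) % k->n);
}

/* Hardened path: check s^e mod n == m with the public key before releasing
 * s, so a glitched intermediate never leaves the signing routine.
 * Returns 0 and sets *sig on success, -1 when a fault is detected. */
int rsa_crt_sign_hardened(const rsa_key_t *k, uint32_t m, bool fault_p, uint32_t *sig)
{
    uint32_t s = rsa_crt_sign_unhardened(k, m, fault_p);
    if (powmod(s, k->e, k->n) != m % k->n)
        return -1;
    *sig = s;
    return 0;
}

/* Returns 1 when: the unfaulted CRT signature equals plain m^d mod n, the
 * simulated fault changes the unhardened output, and the hardened path
 * refuses to return that faulty output. */
int demo_fault_detected(void)
{
    rsa_key_t k;
    uint32_t m = 65, s_ok, s_bad;
    if (rsa_key_init(&k, 61, 53, 17) != 0) return 0;
    if (rsa_crt_sign_hardened(&k, m, false, &s_ok) != 0) return 0;
    if (s_ok != powmod(m, k.d, k.n)) return 0;
    s_bad = rsa_crt_sign_unhardened(&k, m, true);
    if (s_bad == s_ok) return 0;
    if (rsa_crt_sign_hardened(&k, m, true, &s_bad) != -1) return 0;
    return 1;
}

int main(void)
{
    printf("faulty signature detected and withheld: %s\n",
           demo_fault_detected() ? "yes" : "no");
    return 0;
}
```

The check costs one public-key exponentiation per signature, which is cheap for the usual small e. It is a detection, not a prevention: a fault is still possible, but the only observable outcome is an error rather than the invalid signature the attack needs.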

June 2016

Bleichenbacher signature forgery attack

Description

A vulnerability in the OP-TEE project was found by Intel Security Advanced Threat Research in June 2016. OP-TEE turned out to be vulnerable to the Bleichenbacher signature forgery attack.

The problem lies in the LibTomCrypt code in OP-TEE, which neglects to check that the message length is equal to the ASN.1 encoded data length. Upstream LibTomCrypt already had a fix, along with a test case verifying that the fix resolves the issue.

The fixes from upstream LibTomCrypt have been cherry-picked into OP-TEE. The fix for the TEE core can be found upstream in this patch, and a test case has been added to the OP-TEE test suite, which can also be found upstream in this patch.

Reported by: Intel Security Advanced Threat Research
CVE ID: CVE-2016-6129
OP-TEE ID: OP-TEE-2016-0001
Affected versions: All versions prior to OP-TEE v2.2.0 (fixed in OP-TEE v2.2.0)
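The missing length check is easiest to understand as two versions of the same PKCS#1 v1.5 signature padding parser. Below is an added example (not OP-TEE or LibTomCrypt code) that decodes an encoded message EM of the form 00 01 FF..FF 00 DigestInfo hash. The lenient version returns success as soon as the DigestInfo and hash have matched and never looks at what follows; the strict version additionally requires that the DigestInfo and hash account for every remaining byte, so an EM with bytes appended after the hash is rejected. The 32-byte digest and the trailing filler are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not OP-TEE or LibTomCrypt code. */

/* DER prefix of a SHA-256 DigestInfo; the 32-byte digest follows it. */
static const uint8_t SHA256_DIGESTINFO[] = {
    0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65,
    0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20
};
#define HASH_LEN 32
#define PAYLOAD_LEN (sizeof SHA256_DIGESTINFO + HASH_LEN)

/* Walk 00 01 FF..FF 00 (at least eight FF bytes) and return the offset of
 * the payload, or 0 if the padding is malformed. */
static size_t skip_padding(const uint8_t *em, size_t em_len)
{
    size_t i;
    if (em_len < 11 || em[0] != 0x00 || em[1] != 0x01) return 0;
    for (i = 2; i < em_len && em[i] == 0xff; i++)
        ;
    if (i < 10 || i >= em_len || em[i] != 0x00) return 0;
    return i + 1;
}

/* Lenient check (the flaw class described above): matches DigestInfo and
 * hash but ignores any bytes after the hash. Returns 1 if accepted. */
int pkcs1_v15_check_lenient(const uint8_t *em, size_t em_len, const uint8_t *hash)
{
    size_t off = skip_padding(em, em_len);
    if (off == 0 || em_len - off < PAYLOAD_LEN) return 0;
    if (memcmp(em + off, SHA256_DIGESTINFO, sizeof SHA256_DIGESTINFO) != 0) return 0;
    if (memcmp(em + off + sizeof SHA256_DIGESTINFO, hash, HASH_LEN) != 0) return 0;
    return 1;                     /* trailing bytes, if any, were never examined */
}

/* Strict check: the DigestInfo plus hash must end exactly where EM ends. */
int pkcs1_v15_check_strict(const uint8_t *em, size_t em_len, const uint8_t *hash)
{
    size_t off = skip_padding(em, em_len);
    if (off == 0 || em_len - off != PAYLOAD_LEN) return 0;
    if (memcmp(em + off, SHA256_DIGESTINFO, sizeof SHA256_DIGESTINFO) != 0) return 0;
    if (memcmp(em + off + sizeof SHA256_DIGESTINFO, hash, HASH_LEN) != 0) return 0;
    return 1;
}

/* Build an em_len-byte EM: 00 01 FF..FF 00 DigestInfo hash, then trailer_len
 * constructed filler bytes after the hash (the FF run shrinks to make room).
 * Returns 0 on success, -1 if em_len is too small. */
int build_em(uint8_t *em, size_t em_len, const uint8_t *hash, size_t trailer_len)
{
    if (em_len < 3 + 8 + PAYLOAD_LEN + trailer_len) return -1;
    size_t pad = em_len - 3 - PAYLOAD_LEN - trailer_len;
    em[0] = 0x00;
    em[1] = 0x01;
    memset(em + 2, 0xff, pad);
    em[2 + pad] = 0x00;
    memcpy(em + 3 + pad, SHA256_DIGESTINFO, sizeof SHA256_DIGESTINFO);
    memcpy(em + 3 + pad + sizeof SHA256_DIGESTINFO, hash, HASH_LEN);
    memset(em + 3 + pad + PAYLOAD_LEN, 0xab, trailer_len);   /* constructed filler */
    return 0;
}

/* Returns 1 when both checks accept a well-formed EM but only the lenient
 * check accepts an EM with 40 filler bytes appended after the hash. */
int demo_trailing_bytes_matter(void)
{
    uint8_t hash[HASH_LEN], em[256];
    for (int i = 0; i < HASH_LEN; i++) hash[i] = (uint8_t)i;   /* constructed "digest" */
    if (build_em(em, sizeof em, hash, 0) != 0) return 0;
    int good = pkcs1_v15_check_lenient(em, sizeof em, hash) &&
               pkcs1_v15_check_strict(em, sizeof em, hash);
    if (build_em(em, sizeof em, hash, 40) != 0) return 0;
    int lenient = pkcs1_v15_check_lenient(em, sizeof em, hash);
    int strict = pkcs1_v15_check_strict(em, sizeof em, hash);
    return good && lenient && !strict;
}

int main(void)
{
    printf("lenient parser accepts trailing bytes the strict one rejects: %s\n",
           demo_trailing_bytes_matter() ? "yes" : "no");
    return 0;
}
```

The strict form is the one a verifier needs: every byte of EM must be accounted for by the padding, the DigestInfo and the digest, with no slack that the signer did not produce. The same principle applies to the DER inside the DigestInfo (lengths must match exactly), which is why the fix is a length comparison rather than a prefix match.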
