MidnightBSD

Advisories for nxp

CVE-2017-7932 MEDIUM

An improper certificate validation issue was discovered in NXP i.MX 28, i.MX 50, i.MX 53, i.MX 7Solo, i.MX 7Dual, Vybrid VF3xx, Vybrid VF5xx, Vybrid VF6xx, i.MX 6ULL, i.MX 6UltraLite, i.MX 6SoloLite, i.MX 6Solo, i.MX 6DualLite, i.MX 6SoloX, i.MX 6Dual, i.MX 6Quad, i.MX 6DualPlus, and i.MX 6QuadPlus. When the device is configured in a security-enabled configuration, under certain conditions it is possible to bypass the signature verification by using a specially crafted certificate, leading to the execution of an unsigned image.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-295

Products Affected

Vendor Product Version
nxp vybrid_mvf60nn151cmk40_firmware -
nxp vybrid_mvf60ns151cmk50_firmware -
nxp vybrid_mvf60ns151cmk40_firmware -
nxp i.mx_6sololite_firmware -
nxp vybrid_mvf61ns151cmk50_firmware -
nxp vybrid_mvf51ns151cmk50_firmware -
nxp i.mx_6quadplus_firmware -
nxp i.mx_7solo_firmware -
nxp i.mx_6dual_firmware -
nxp i.mx_6ull_firmware -
nxp i.mx_6solox_firmware -
nxp vybrid_mvf60nn151cmk50_firmware -
nxp i.mx_6quad_firmware -
nxp vybrid_mvf50ns151cmk50_firmware -
nxp vybrid_mvf61nn151cmk50_firmware -
nxp i.mx_50_firmware -
nxp i.mx_28_firmware -
nxp i.mx_6dualplus_firmware -
nxp vybrid_mvf50nn151cmk40_firmware -
nxp vybrid_mvf30ns151cku26_firmware -
nxp i.mx_6duallite_firmware -
nxp vybrid_mvf50ns151cmk40_firmware -
nxp i.mx_53_firmware -
nxp i.mx_6solo_firmware -
nxp vybrid_mvf50nn151cmk50_firmware -
nxp vybrid_mvf30nn151cku26_firmware -
nxp vybrid_mvf51nn151cmk50_firmware -
nxp vybrid_mvf62nn151cmk40_firmware -
nxp i.mx_6ultralite_firmware -
nxp i.mx_7dual_firmware -

CVE-2017-7936 MEDIUM

A stack-based buffer overflow issue was discovered in NXP i.MX 50, i.MX 53, i.MX 6ULL, i.MX 6UltraLite, i.MX 6SoloLite, i.MX 6Solo, i.MX 6DualLite, i.MX 6SoloX, i.MX 6Dual, i.MX 6Quad, i.MX 6DualPlus, i.MX 6QuadPlus, Vybrid VF3xx, Vybrid VF5xx, and Vybrid VF6xx. When the device is configured in a security-enabled configuration, SDP could be used to download a small section of code to an unprotected region of memory.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-121, CWE-119

Products Affected

Vendor Product Version
nxp vybrid_mvf60nn151cmk40_firmware -
nxp vybrid_mvf60ns151cmk50_firmware -
nxp vybrid_mvf60ns151cmk40_firmware -
nxp i.mx_6sololite_firmware -
nxp vybrid_mvf61ns151cmk50_firmware -
nxp vybrid_mvf51ns151cmk50_firmware -
nxp i.mx_6quadplus_firmware -
nxp i.mx_6dual_firmware -
nxp i.mx_6ull_firmware -
nxp i.mx_6solox_firmware -
nxp vybrid_mvf60nn151cmk50_firmware -
nxp i.mx_6quad_firmware -
nxp vybrid_mvf50ns151cmk50_firmware -
nxp vybrid_mvf61nn151cmk50_firmware -
nxp i.mx_50_firmware -
nxp i.mx_6dualplus_firmware -
nxp vybrid_mvf50nn151cmk40_firmware -
nxp vybrid_mvf30ns151cku26_firmware -
nxp i.mx_6duallite_firmware -
nxp vybrid_mvf50ns151cmk40_firmware -
nxp i.mx_53_firmware -
nxp i.mx_6solo_firmware -
nxp vybrid_mvf50nn151cmk50_firmware -
nxp vybrid_mvf30nn151cku26_firmware -
nxp vybrid_mvf51nn151cmk50_firmware -
nxp vybrid_mvf62nn151cmk40_firmware -
nxp i.mx_6ultralite_firmware -

CVE-2019-14237 HIGH

On NXP Kinetis KV1x, Kinetis KV3x, and Kinetis K8x devices, Flash Access Controls (FAC) (a software IP protection method for execute-only access) can be defeated by observing CPU registers and the effect of code/instruction execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-863

Products Affected

Vendor Product Version
nxp kinetis_kv3x_firmware -
nxp kinetis_k8x_firmware -
nxp kinetis_kv1x_firmware -

CVE-2019-14239 MEDIUM

On NXP Kinetis KV1x, Kinetis KV3x, and Kinetis K8x devices, Flash Access Controls (FAC) (a software IP protection method for execute-only access) can be defeated by leveraging a load instruction inside the execute-only region to expose the protected code into a CPU register.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.6 MEDIUM CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 0.7 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287

Products Affected

Vendor Product Version
nxp kinetis_kv3x_firmware -
nxp kinetis_k8x_firmware -
nxp kinetis_kv1x_firmware -

CVE-2019-17060 MEDIUM

The Bluetooth Low Energy (BLE) stack implementation on the NXP KW41Z (based on the MCUXpresso SDK with Bluetooth Low Energy Driver 2.2.1 and earlier) does not properly restrict the BLE Link Layer header and executes certain memory contents upon receiving a packet with a Link Layer ID (LLID) equal to zero. This allows attackers within radio range to cause deadlocks, cause anomalous behavior in the BLE state machine, or trigger a buffer overflow via a crafted BLE Link Layer frame.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-120

Products Affected

Vendor Product Version
nxp mcuxpresso_software_development_kit *

CVE-2019-17519 MEDIUM

The Bluetooth Low Energy implementation on NXP SDK through 2.2.1 for KW41Z devices does not properly restrict the Link Layer payload length, allowing attackers in radio range to cause a buffer overflow via a crafted packet.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-120

Products Affected

Vendor Product Version
nxp mcuxpresso_software_development_kit *

CVE-2021-22680 HIGH

NXP MQX Versions 5.1 and prior are vulnerable to integer overflow in mem_alloc, _lwmem_alloc and _partition functions. This unverified memory assignment can lead to arbitrary memory allocation, resulting in unexpected behavior such as a crash or a remote code injection/execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ics-cert@hq.dhs.gov 7.3 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L 3.9 3.4
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190

Products Affected

Vendor Product Version
nxp mqx *

CVE-2021-27421 HIGH

NXP MCUXpresso SDK versions prior to 2.8.2 are vulnerable to integer overflow in the SDK_Malloc function, which could allow access to memory locations outside the bounds of a specified array, leading to unexpected behavior such as a segmentation fault when assigning a particular block of memory from the heap via malloc.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
ics-cert@hq.dhs.gov 7.3 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L 3.9 3.4
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190

Products Affected

Vendor Product Version
nxp mcuxpresso_software_development_kit *

CVE-2021-3011 LOW

An electromagnetic-wave side-channel issue was discovered on NXP SmartMX / P5x security microcontrollers and A7x secure authentication microcontrollers, with CryptoLib through v2.9. It allows attackers to extract the ECDSA private key after extensive physical access (and consequently produce a clone). This was demonstrated on the Google Titan Security Key, based on an NXP A7005a chip. Other FIDO U2F security keys are also impacted (Yubico YubiKey Neo and Feitian K9, K13, K21, and K40) as well as several NXP JavaCard smartcards (J3A081, J2A081, J3A041, J3D145_M59, J2D145_M59, J3D120_M60, J3D082_M60, J2D120_M60, J2D082_M60, J3D081_M59, J2D081_M59, J3D081_M61, J2D081_M61, J3D081_M59_DF, J3D081_M61_DF, J3E081_M64, J3E081_M66, J2E081_M64, J3E041_M66, J3E016_M66, J3E016_M64, J3E041_M64, J3E145_M64, J3E120_M65, J3E082_M65, J2E145_M64, J2E120_M65, J2E082_M65, J3E081_M64_DF, J3E081_M66_DF, J3E041_M66_DF, J3E016_M66_DF, J3E041_M64_DF, and J3E016_M64_DF).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.2 MEDIUM CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 0.5 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-670

Products Affected

Vendor Product Version
ftsafe k21 -
google titan_security_key -
nxp j3e145_m64 -
nxp j3d081_m59 -
nxp j3d081_m61_df -
nxp j2d082_m60 -
nxp j2e082_m65 -
nxp j3e120_m65 -
nxp j3e016_m64_df -
nxp j3e016_m66 -
nxp p5020 -
nxp j3e041_m66 -
ftsafe k13 -
nxp j3d145_m59 -
nxp j2d120_m60 -
nxp a7005a -
nxp j3d120_m60 -
yubico yubikey_neo -
nxp j2e145_m64 -
nxp j2a081 -
ftsafe k9 -
nxp j3e016_m64 -
nxp j3d081_m61 -
nxp p5040 -
nxp p5010 -
nxp j3e081_m64 -
nxp j3e081_m66_df -
nxp j3e081_m66 -
nxp j3d082_m60 -
nxp j3e016_m66_df -
nxp j3e041_m66_df -
nxp j3e081_m64_df -
ftsafe k40 -
nxp j3d081_m59_df -
nxp 3a081 -
nxp j2d081_m61 -
nxp j2e120_m65 -
nxp j3e082_m65 -
nxp j2d081_m59 -
nxp j2e081_m64 -
nxp p5021 -
nxp j2d145_m59 -
nxp j3e041_m64 -
nxp j3a041 -
nxp j3e041_m64_df -

CVE-2021-31532 MEDIUM

NXP LPC55S6x microcontrollers (0A and 1B), i.MX RT500 (silicon rev B1 and B2), i.MX RT600 (silicon rev A0, B0), LPC55S6x, LPC55S2x, LPC552x (silicon rev 0A, 1B), LPC55S1x, LPC551x (silicon rev 0A) and LPC55S0x, LPC550x (silicon rev 0A) include an undocumented ROM patch peripheral that allows unsigned, non-persistent modification of the internal ROM.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.8 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 0.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
nxp lpc55s14jbd100_firmware -
nxp lpc55s16jev98_firmware -
nxp lpc55s26_firmware -
nxp lpcs66jbd64_firmware -
nxp lpc55s69jbd64_firmware -
nxp lpc55s66jbd100_firmware -
nxp lpc55s28_firmware -
nxp lpc5516jbd100_firmware -
nxp lpc5516jbd64_firmware -
nxp lpc5514jbd100_firmware -
nxp lpc55s16jbd64_firmware -
nxp i.mx_rt500_firmware -
nxp lpc5526_firmware -
nxp lpc55s14jbd64_firmware -
nxp lpc5528_firmware -
nxp lpc5512jbd64_firmware -
nxp lpc55s69jev98_firmware -
nxp lpc5514jbd64_firmware -
nxp lpc55s16jbd100_firmware -
nxp lpcs66jev98_firmware -
nxp i.mx_rt600_firmware -
nxp lpc5516jev98_firmware -
nxp lpc55s69jbd100_firmware -
nxp lpc5512jbd100_firmware -

CVE-2021-33881 LOW

On NXP MIFARE Ultralight and NTAG cards, an attacker can interrupt a write operation (aka conduct a "tear off" attack) over RFID to bypass a Monotonic Counter protection mechanism. The impact depends on how the anti tear-off feature is used in specific applications such as public transportation, physical access control, etc.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.2 MEDIUM CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N 0.5 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-863

Products Affected

Vendor Product Version
nxp ntag_212_firmware -
nxp ntag_216_firmware -
nxp ntag_215_firmware -
nxp mifare_ultralight_ev1_firmware -
nxp ntag_210_firmware -
nxp ntag_213_firmware -
nxp mifare_ultralight_c_firmware -
nxp mifare_ultralight_nano_firmware -

CVE-2021-38258 MEDIUM

NXP MCUXpresso SDK v2.7.0 was discovered to contain a buffer overflow in the function USB_HostProcessCallback().

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-120

Products Affected

Vendor Product Version
nxp mcuxpresso_software_development_kit 2.7.0

CVE-2021-38260 MEDIUM

NXP MCUXpresso SDK v2.7.0 was discovered to contain a buffer overflow in the function USB_HostParseDeviceConfigurationDescriptor().

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-120

Products Affected

Vendor Product Version
nxp mcuxpresso_software_development_kit 2.7.0

CVE-2021-40154 LOW

NXP LPC55S69 devices before A3 have a buffer over-read via a crafted wlength value in a GET Descriptor Configuration request during use of USB In-System Programming (ISP) mode. This discloses protected flash memory.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6
cve@mitre.org 6.1 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L 1.8 4.2

CVSS 2.0

Severity: LOW

Problem Type: CWE-125

Products Affected

Vendor Product Version
nxp lpc55s69jev98_firmware -
nxp lpc55s69jbd100_firmware -
nxp lpc55s69jbd64_firmware -

CVE-2021-44479 LOW

NXP Kinetis K82 devices have a buffer over-read via a crafted wlength value in a GET Status-Other request during use of USB In-System Programming (ISP) mode. This discloses protected flash memory.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 6.1 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L 1.8 4.2
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-125

Products Affected

Vendor Product Version
nxp kinetis_k82_firmware -

CVE-2022-22819 MEDIUM

NXP LPC55S66JBD64, LPC55S66JBD100, LPC55S66JEV98, LPC55S69JBD64, LPC55S69JBD100, and LPC55S69JEV98 microcontrollers (ROM version 1B) have a buffer overflow in parsing SB2 updates before the signature is verified. This can allow an attacker to achieve non-persistent code execution via a crafted unsigned update.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-120

Products Affected

Vendor Product Version
nxp lpc55s66jev98_firmware -
nxp lpc55s69jev98_firmware -
nxp lpc55s69jbd100_firmware -
nxp lpc55s69jbd64_firmware -
nxp lpc55s66jbd100_firmware -
nxp lpc55s66jbd64_firmware -

CVE-2022-45163

An information-disclosure vulnerability exists on select NXP devices when configured in Serial Download Protocol (SDP) mode: i.MX RT 1010, i.MX RT 1015, i.MX RT 1020, i.MX RT 1050, i.MX RT 1060, i.MX 6 Family, i.MX 7Dual/Solo, i.MX 7ULP, i.MX 8M Quad, i.MX 8M Mini, and Vybrid. In a device security-enabled configuration, memory contents could potentially leak to physically proximate attackers via the respective SDP port in cold and warm boot attacks. (The recommended mitigation is to completely disable the SDP mode by programming a one-time programmable eFUSE. Customers can contact NXP for additional information.)

Products Affected

Vendor Product Version
nxp i.mx_rt1010_firmware -
nxp i.mx_8m_quad_firmware -
nxp i.mx_6ulz_firmware -
nxp i.mx_6_firmware -
nxp i.mx_6dualplus_firmware -
nxp i.mx_rt1060_firmware -
nxp i.mx_rt1015_firmware -
nxp i.mx_6sololite_firmware -
nxp i.mx_8m_mini_firmware -
nxp i.mx_6duallite_firmware -
nxp i.mx_6quadplus_firmware -
nxp i.mx_8m_vybrid_firmware -
nxp i.mx_6solo_firmware -
nxp i.mx_7solo_firmware -
nxp i.mx_6dual_firmware -
nxp i.mx_6ull_firmware -
nxp i.mx_6solox_firmware -
nxp i.mx_7ulp_firmware -
nxp i.mx_rt1020_firmware -
nxp i.mx_6quad_firmware -
nxp i.mx_6ultralite_firmware -
nxp i.mx_7dual_firmware -
nxp i.mx_rt1050_firmware -

CVE-2023-39902

A software vulnerability has been identified in the U-Boot Secondary Program Loader (SPL) before 2023.07 on select NXP i.MX 8M family processors. Under certain conditions, a crafted Flattened Image Tree (FIT) format structure can be used to overwrite SPL memory, allowing unauthenticated software to execute on the target, leading to privilege escalation. This affects i.MX 8M, i.MX 8M Mini, i.MX 8M Nano, and i.MX 8M Plus.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9
cve@mitre.org 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

Products Affected

Vendor Product Version
nxp uboot_secondary_program_loader *