The DRK TA uses unmaintained parts of the open-source library wpa_supplicant, specifically the files asn1.c and x509v3.c.
It is impossible to know the exact version of the code in use, because it was slightly patched and does not contain version tags. A detailed comparison with different library versions has shown that the present files are based on an outdated version from 2012. Since that time, multiple patches have been applied to these files to address various issues, including security-related ones.

//CONFIDENTIAL/TRUSTEDAPPS/APPS/DeviceRootKey/MAIN/drkTee/src/crypto/x509/asn1.c

//CONFIDENTIAL/TRUSTEDAPPS/APPS/DeviceRootKey/MAIN/drkTee/src/crypto/x509/x509v3.c
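
The version comparison described above can be scripted. The following is an added example, not code from this report or from wpa_supplicant: it ranks candidate upstream revisions by similarity to an untagged, locally patched file and lists the lines a newer candidate has that the vendored copy lacks. The function names, the tags "old" and "new", and the C snippets are constructed for illustration.

```python
import difflib
import re

def normalize(src: str) -> list[str]:
    """Drop C comments and all whitespace so cosmetic edits do not skew the match."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)  # block comments
    src = re.sub(r"//[^\n]*", "", src)               # line comments
    lines = (re.sub(r"\s+", "", ln) for ln in src.splitlines())
    return [ln for ln in lines if ln]

def rank_versions(vendored: str, candidates: dict[str, str]) -> list[tuple[str, float]]:
    """Return (tag, similarity) pairs for each candidate revision, best match first."""
    target = normalize(vendored)
    scores = []
    for tag, text in candidates.items():
        sm = difflib.SequenceMatcher(None, normalize(text), target, autojunk=False)
        scores.append((tag, round(sm.ratio(), 3)))
    return sorted(scores, key=lambda s: s[1], reverse=True)

def missing_lines(vendored: str, newer: str) -> list[str]:
    """Normalized lines a newer candidate contains that the vendored copy lacks."""
    have = set(normalize(vendored))
    return [ln for ln in normalize(newer) if ln not in have]

# Constructed samples (not taken from wpa_supplicant); tags "old"/"new" are hypothetical.
OLD = """/* upstream, older revision */
int parse_hdr(const unsigned char *pos, const unsigned char *end, unsigned *len)
{
    *len = *pos++;
    return 0;
}"""
NEW = """/* upstream, later revision with an added check */
int parse_hdr(const unsigned char *pos, const unsigned char *end, unsigned *len)
{
    if (pos >= end)
        return -1;
    *len = *pos++;
    return 0;
}"""
VENDORED = """// untagged copy with a local patch
int parse_hdr(const unsigned char *pos, const unsigned char *end, unsigned *len)
{
    *len = *pos++;
    LOCAL_LOG("len");
    return 0;
}"""
if __name__ == "__main__":
    print(rank_versions(VENDORED, {"old": OLD, "new": NEW}))
    print(missing_lines(VENDORED, NEW))
```

In practice the candidates would be the same file checked out at each upstream tag, and the lines reported as missing from the best-matching later revisions are the starting point for checking which upstream fixes the vendored copy never received.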

It is hard to say whether the present wpa_supplicant code contains known CVEs, but there are 37 vulnerabilities listed on CVEDetails, and some of them could be present in the DRK TA.

The presence of unmaintained third-party code poses a significant risk to the security and stability of the program. It is therefore highly recommended to remove all outdated third-party code and replace it either with up-to-date versions of the same library or with alternative, well-maintained libraries that provide the same functionality, such as SCrypto.

This issue is similar to previously reported SSI-25566.

Remediation: Update third-party components or find a secure replacement.