Due to length check, an attacker with privilege access on a Linux Nonsecure operating system can trigger a vulnerability and leak the secure memory from the Trusted Application
The bug involves improper verification of data length (lack of adequate size checking — CWE-125, out-of-bounds read). An attacker with privileged access to an unsecured Linux operating system (so-called Normal World) can craft an appropriate request that exceeds the assumed buffer boundaries. This results in reading data from memory allocated to a Trusted Application running in a secure enclave (e.g., TrustZone), thereby bypassing the isolation between the unsecured and secured environment.
An attacker can gain access to sensitive data stored in a secure enclave (Trusted Application), which may lead to disclosure of cryptographic keys, credentials, or other sensitive information. In the context of the CVSS vector, complete compromise of system confidentiality, integrity, and availability is possible.
Patches available from the manufacturer should be applied according to the references (https://support.google.com/product-documentation/answer/14580222). Urgent firmware updates of all mentioned Google Nest Wifi devices to the version indicated by Google are recommended.
Google Nest Wifi Pro Firmware, Google Nest Wifi Pro, Google Nest Wifi Point Firmware, Google Nest Wifi Point, Google Nest Wifi Router Firmware — specific versions indicated in the manufacturer's references
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HGoogle Nest Wifi Point
HWGooglewszystkie wersjeGoogle Nest Wifi Point Firmware
OSGoogle24r1Google Nest Wifi Pro
HWGooglewszystkie wersjeGoogle Nest Wifi Pro Firmware
OSGoogle24r1Google Nest Wifi Router
HWGooglewszystkie wersjeGoogle Nest Wifi Router Firmware
OSGoogle24r1
Related vulnerabilities
Google Nest WiFi Pro – zdalne wykonanie kodu z uprawnieniami root i kompromitacja danych
There exists an authentication bypass vulnerability in OpenThread border router devices and implementations. T...
U-Boot environment is read from unauthenticated partition.
Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty
Type confusion w V8 (Google Chrome/Edge) umożliwiający heap corruption