CVE-2021-36133
Linux Debian vulnerability analysis and mitigation

Overview

The OP-TEE OS Central Security Unit (CSU) driver for NXP i.MX SoC devices contains a critical security vulnerability that affects multiple NXP i.MX models. The vulnerability (CVE-2021-36133) lies in the CSU driver implementation, which lacks proper security access configuration for several models, potentially resulting in a TrustZone bypass. The issue affects various NXP i.MX6 variants (including UL/ULL/ULZ, SL/SLL, SX) and i.MX7 variants, and extends to i.MX8 targets in NXP's OP-TEE fork (F-Secure Advisory).

Technical details

The vulnerability stems from the CSU driver's implementation: it sets a Config Security Level (CSL) that grants Non-secure access to most i.MX peripherals, but fails to set the Security Access (SA) for several i.MX6 variants and i.MX7. As a result, the CSU's default Secure World access privilege remains in effect for those peripherals. Additionally, OP-TEE reports CSU initialization success on all SoC part numbers, even those for which no explicit configuration exists, which extends the vulnerability to i.MX8 targets. The issue potentially allows the Normal World to program peripherals that can perform arbitrary memory read/write operations while those peripherals are not flagged as Non-secure (F-Secure Advisory).
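As an added illustration (not OP-TEE or NXP code), the following C model contrasts the two CSU settings the advisory distinguishes: the CSL table the driver does program, and the SA register it leaves at its default. The register layouts, slave indices, SA bit numbers and master names are hypothetical simplifications, not real i.MX CSU offsets.

```c
/* Added illustration, not OP-TEE or NXP code: a simplified model of the CSU
 * policy the advisory describes. Layouts are hypothetical, not the real i.MX
 * CSU register offsets or bit positions. */
#include <stddef.h>
#include <stdint.h>

#define CSL_NS_ACCESS 0x01u /* set: Normal World may program the slave */
struct csu_model {
    uint8_t csl[8]; /* Config Security Level, one entry per peripheral slave */
    uint32_t sa;    /* Security Access, one bit per bus master (1 = Non-secure) */
};
struct master {
    const char *name;
    unsigned slave_idx; /* CSL entry for the master's programming interface */
    unsigned sa_bit;    /* SA bit tagging this master's bus transactions */
};

/* Bypass condition: Normal World can program a DMA-capable master whose
 * transactions are still tagged Secure because SA kept its reset default. */
static int master_is_bypass_risk(const struct csu_model *c, const struct master *m)
{
    int ns_can_program = (c->csl[m->slave_idx] & CSL_NS_ACCESS) != 0;
    int tagged_secure = (c->sa & (1u << m->sa_bit)) == 0;
    return ns_can_program && tagged_secure;
}

/* Returns the number of risky masters; a complete configuration yields 0. */
static int audit_csu(const struct csu_model *c, const struct master *ms, size_t n)
{
    int risky = 0;
    for (size_t i = 0; i < n; i++)
        risky += master_is_bypass_risk(c, &ms[i]);
    return risky;
}

/* Constructed sample: two DMA-capable masters whose CSL entries are opened to Normal World. */
static const struct master sample[] = { { "SDMA", 2, 4 }, { "GPU", 5, 6 } };

int csu_audit_csl_only(void) /* CSL set, SA untouched: the pattern in the advisory */
{
    struct csu_model c = { .csl = { [2] = CSL_NS_ACCESS, [5] = CSL_NS_ACCESS }, .sa = 0 };
    return audit_csu(&c, sample, 2); /* 2 */
}

int csu_audit_csl_and_sa(void) /* SA also marks the masters Non-secure */
{
    struct csu_model c = { .csl = { [2] = CSL_NS_ACCESS, [5] = CSL_NS_ACCESS },
                           .sa = (1u << 4) | (1u << 6) };
    return audit_csu(&c, sample, 2); /* 0 */
}
```

The first audit reproduces the advisory's condition (both masters flagged), the second shows that setting SA alongside CSL clears the finding.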

Impact

The vulnerability results in no effective TrustZone isolation on affected devices, allowing the Normal World to arbitrarily read and write Secure World memory. This leads to a full compromise of the Trusted Execution Environment. The impact is particularly severe because it affects multiple NXP i.MX SoC variants and extends to the i.MX8 SoC family supported in NXP's OP-TEE fork (F-Secure Advisory).

Mitigation and workarounds

Users of OP-TEE are advised to treat all OP-TEE supported platforms as insecure by default and to carefully review their implementation before integration. NXP has indicated that customers and developers are responsible for implementing proper security configurations according to their specific needs, using the documentation available in the i.MX Security Reference Manual (F-Secure Advisory).

Community reactions

The OP-TEE project initially rated the vulnerability as high severity but later downgraded it to low severity after discussions with NXP. NXP acknowledged the security issue but maintained that they provide OP-TEE OS as enablement software rather than a product, and cannot provide a secure configuration that fits all customer needs (F-Secure Advisory).

This report was generated using AI.
