Incomplete verification of installation file signature
CVE-2022-43703

CVSS 7.8 HIGH

Key Information:

Vendor: Arm Ltd
Products: Arm Compiler 5 (AC5), Arm Compiler for Embedded 6 (AC6), Fast Models (FM), Arm Compiler for Embedded FuSA (ACEF), Arm Development Studio (ADS), Arm Forge (AF), Arm Mobile Studio (AMS), DS-5 Development Studio, Fast Models (FM), GNU Toolchain (GT), Keil MDK (KMDK), Mbed Studio (MS)
CVE Published: 27 July 2023

Summary

This vulnerability occurs when installers for Arm and Intel products use an uncontrolled search path when locating files to load and execute. An attacker who can influence that path can substitute a malicious file for the legitimate one, leading to execution of arbitrary code in the context of the installer. Users and developers should ensure that their systems validate the paths from which installers load files, so that this class of substitution cannot occur.

Affected Version(s)

Products: Arm Compiler 5 (AC5), Arm Compiler for Embedded 6 (AC6), Fast Models (FM), Arm Compiler for Embedded FuSA (ACEF), Arm Development Studio (ADS), Arm Forge (AF), Arm Mobile Studio (AMS), DS-5 Development Studio, Fast Models (FM), GNU Toolchain (GT), Keil MDK (KMDK), Mbed Studio (MS)

  • AC5: all releases
  • AC6: releases prior to 6.20
  • ACEF: all releases
  • ADS: all releases
  • AF: releases prior to 22.1
  • AMS: all releases
  • DS-5: all releases
  • FM: all releases
  • GT: all releases
  • KMDK: all releases
  • MS: all releases

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

FalconCorruption, Intel