CVE-2021-27562 — Arm Trusted Firmware Out-of-Bounds Write Vulnerability

Arm Trusted Firmware-M — Out-of-Bounds Write in NSPE Handler Allows Non-Secure World to Halt System or Access Secure Data; Exploited via Yealink Device Management

What is Arm Trusted Firmware-M?

Arm Trusted Firmware-M (TF-M) is the reference implementation of the Arm Platform Security Architecture (PSA) for Cortex-M microcontrollers. It provides a Secure Processing Environment (SPE) that runs security-sensitive code (such as key management, attestation, and cryptographic operations) in isolation from the Non-Secure Processing Environment (NSPE) where normal application code runs. TrustZone for Cortex-M hardware enforces this boundary — the SPE can access secure memory regions that the NSPE cannot. The TF-M NSPE handler is the interface that manages transitions between the secure and non-secure worlds. Vulnerabilities in this handler that allow NSPE code to trigger out-of-bounds writes can compromise the security boundary that TrustZone is designed to enforce, potentially allowing non-secure world code to corrupt secure data or halt the secure world.

Overview

CVE-2021-27562 is an out-of-bounds write vulnerability (CWE-787) in Arm Trusted Firmware-M's non-secure processing environment (NSPE) handler mode. When non-secure world code calls secure functions, improper bounds checking in the handler allows the non-secure world to write out of bounds, potentially triggering a system halt, overwriting secure data, or exposing secure data to the non-secure world. The vulnerability specifically affects Yealink Device Management servers in the context of CISA's KEV listing — Yealink's IP phone management platform uses embedded Arm Cortex-M processors running TF-M, and exploitation was observed in attacks against enterprise unified communications infrastructure.

Affected Versions

Product | Vulnerable | Fixed
Arm Trusted Firmware-M before TFM-2021-01 patch | Yes | Apply TFM-2021-01 / TF-M 1.3.0 or later
Yealink Device Management (affected versions) | Yes | Apply Yealink firmware incorporating the TF-M patch

Technical Details

  • Root cause: Out-of-bounds write (CWE-787) in TF-M's NSPE handler — when the non-secure world invokes secure functions via the Secure Monitor Call (SVC/NSC gateway), the handler does not adequately validate the parameters or boundaries of the operation; a specially crafted function call from non-secure code can trigger a write beyond the intended buffer
  • Impact on TrustZone boundary: The OOB write can: (1) trigger a system halt (A:H — the primary CVSS impact) by corrupting secure world state causing a fault, (2) overwrite secure memory regions containing cryptographic keys or attestation data (potential I/C impact not fully reflected in CVSS), or (3) cause secure data to be inadvertently exposed to the non-secure world through corrupted data structures
  • NSPE exploitation context: In Yealink's deployment, the non-secure world hosts the device management application that communicates with Yealink's cloud management platform; a compromised device management channel can deliver crafted parameters to the secure function calls, triggering the OOB write
  • Supply chain significance: Embedded TF-M vulnerabilities affect all downstream products built on the affected firmware version — patching requires firmware updates from each device vendor, not just from Arm; this creates a patch lag between Arm's advisory and actual device remediation
  • CVSS AV:L: The vulnerability requires local code execution in the non-secure world; in Yealink device contexts, this is achieved via the device management interface or remote device management protocol
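The class of check the root-cause bullet describes as missing, shown as an added illustration that is not TF-M's own code: a secure service validates every NSPE-supplied argument (slot index, source address, length) before it writes secure state, including the overflow-safe address-range test that keeps the secure world from reading secure memory on the non-secure caller's behalf. The memory map, slot table and function names are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed memory map standing in for a TrustZone-M partitioning:
 * one non-secure SRAM region owned by NSPE; everything else is secure. */
#define NS_RAM_BASE 0x20000000u
#define NS_RAM_SIZE 0x00010000u
static uint8_t ns_ram[NS_RAM_SIZE];                  /* host stand-in for NS SRAM */

#define SLOT_SIZE 16
#define NUM_SLOTS 4
static uint8_t secure_slots[NUM_SLOTS][SLOT_SIZE];   /* secure-world state */

enum { SEC_OK = 0, SEC_ERR_RANGE = -1, SEC_ERR_INDEX = -2, SEC_ERR_SIZE = -3 };

/* True iff [addr, addr + len) lies wholly inside NS RAM and cannot wrap the
 * 32-bit address space. Stand-in for the CMSE address-range check a real
 * secure gateway must apply to every NSPE-supplied pointer. */
bool ns_range_ok(uint32_t addr, uint32_t len)
{
    if (len == 0 || addr < NS_RAM_BASE || addr >= NS_RAM_BASE + NS_RAM_SIZE)
        return false;
    /* addr is inside the region here, so this subtraction cannot underflow. */
    return len <= (NS_RAM_BASE + NS_RAM_SIZE) - addr;
}

/* Secure service as NSPE would invoke it through the gateway: copy a caller
 * buffer into secure slot `idx`. Every argument is under NSPE control, so
 * each is validated before any secure memory is touched. */
int import_slot(uint32_t idx, uint32_t src_addr, uint32_t src_len)
{
    if (idx >= NUM_SLOTS)                  /* missing this is a CWE-787 write */
        return SEC_ERR_INDEX;
    if (src_len != SLOT_SIZE)
        return SEC_ERR_SIZE;
    if (!ns_range_ok(src_addr, src_len))   /* never dereference secure memory for NSPE */
        return SEC_ERR_RANGE;
    memcpy(secure_slots[idx], &ns_ram[src_addr - NS_RAM_BASE], SLOT_SIZE);
    return SEC_OK;
}

/* Demonstration helpers: NSPE fills its own RAM; tests read a secure slot back. */
void ns_fill(uint32_t addr, uint8_t byte, uint32_t len)
{
    memset(&ns_ram[addr - NS_RAM_BASE], byte, len);
}

uint8_t secure_slot_byte(uint32_t idx, uint32_t off) { return secure_slots[idx][off]; }
```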

Discovery

Arm published security advisory TFM-2021-01 on April 7, 2021, documenting and patching CVE-2021-27562 in Trusted Firmware-M. CISA's November 2021 KEV addition reflects observed exploitation specifically targeting Yealink Device Management infrastructure — a product category (enterprise VoIP/UC management) present in federal and enterprise environments.

Exploitation Context

Arm Trusted Firmware-M vulnerabilities are relevant where embedded IoT and enterprise communication devices use TrustZone-based security for key storage and device attestation. Yealink is one of the largest enterprise IP phone vendors globally, with significant deployment in government and enterprise networks. Attacks targeting Yealink device management infrastructure can affect the integrity of unified communications equipment at scale. CVE-2021-27562's ability to halt devices or corrupt secure storage makes it usable for both disruption (DoS by crashing firmware) and persistence (overwriting attestation keys to undermine device integrity verification).

Remediation

  1. Apply Yealink firmware updates that incorporate the TFM-2021-01 patch for CVE-2021-27562 — contact Yealink support or check Yealink's security advisories for affected device models
  2. Apply Arm Trusted Firmware-M TFM-2021-01 patch for any custom embedded products built on TF-M — upgrade to TF-M 1.3.0 or later
  3. Isolate Yealink Device Management servers from untrusted networks — restrict management interface access to authorized administrator workstations only
  4. Disable remote device management access from external/internet networks if not required
  5. Monitor Yealink device management logs for unexpected firmware update attempts or device configuration changes
  6. Inventory all embedded devices using Arm Cortex-M TrustZone and TF-M in the environment; prioritize firmware updates for devices accessible from managed networks

Key Details

Property | Value
CVE ID | CVE-2021-27562
Vendor / Product | Arm — Trusted Firmware
NVD Published | 2021-05-25
NVD Last Modified | 2025-11-03
CVSS 3.1 Score | 5.5
CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Severity | MEDIUM
CWE | CWE-787
CISA KEV Added | 2021-11-03
CISA KEV Deadline | 2021-11-17
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date | Event
2021-04-07 | Arm publishes TFM-2021-01 advisory patching CVE-2021-27562 in Trusted Firmware-M
2021-05-25 | CVE published
2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog, in the context of Yealink device exploitation
2021-11-17 | CISA BOD 22-01 remediation deadline

References

Resource | Type
Arm TF-M Security Advisory TFM-2021-01 | Vendor Advisory
NVD — CVE-2021-27562 | Vulnerability Database
CISA KEV Catalog Entry | US Government