Lucene search

GoogleCVELIST:CVE-2020-8936

HistoryDec 15, 2020 - 2:55 p.m.

CVE-2020-8936 Arbitrary enclave memory overwrite vulnerability in ECall ecall_restore

2020-12-1514:55:33

CWE-125

Google

www.cve.org

5.3 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N

5.5 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

12.6%

JSON

An arbitrary memory overwrite vulnerability in Asylo versions up to 0.6.0 allows an attacker to make a host call to UntrustedCall. UntrustedCall failed to validate the buffer range within sgx_params and allowed the host to return a pointer that was an address within the enclave memory. This allowed an attacker to read memory values from within the enclave.

CNA Affected

[
  {
    "product": "Asylo",
    "vendor": "Google LLC",
    "versions": [
      {
        "lessThanOrEqual": "0.6.0",
        "status": "affected",
        "version": "0.6.0",
        "versionType": "custom"
      }
    ]
  }
]

References

github.com/google/asylo/commit/83036fd841d33baa7e039f842d131aa7881fdcc2

5.3 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N

5.5 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

12.6%

JSON

Related for CVELIST:CVE-2020-8936