Memory overread secure enclave in Asylo 0.6.2
CVE-2021-22552

5.3MEDIUM

Key Information:

Vendor: Google
Status: Asylo
Vendor: CVE Published:; 2 August 2021

Summary

An untrusted memory read vulnerability in Asylo versions up to 0.6.1 allows an untrusted attacker to pass a syscall number in MessageReader that is then used by sysno() and can bypass validation. This can allow the attacker to read memory from within the secure enclave. We recommend updating to Asylo 0.6.3 or past https://github.com/google/asylo/commit/90d7619e9dd99bcdb6cd28c7649d741d254d9a1a

Affected Version(s)

Asylo <= 0.6.2

References

https://github.com/google/asylo/commit/90d7619e9dd99bcdb6...

x_refsource_MISC

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 2, 2021
Vulnerability Reserved
Jan 5, 2021

Collectors

NVD DatabaseMitre Database

Credit

Qinkun Bao (Baidu Security)

Zhaofeng Chen (Baidu Security)

Mingshen Sun (Baidu Security)

Kang Li (Baidu Security)