CVE-2020-8904 MEDIUM

CVE-2020-8904: Arbitrary trusted memory overwrite vulnerability in Asylo

Vendor Google LLC
Product Asylo
Weakness CWE-823 (Use of Out-of-range Pointer Offset)
Published August 12, 2020
Last update September 16, 2024

CVSS base score

6.4/10 (Medium)
Attack vector Local
Attack complexity High
Privileges required Low
User interaction None
Scope Changed
Confidentiality None
Integrity Low
Availability High

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:H

What the vulnerability does

01 Description

Asylo versions prior to 0.6.0 contain an arbitrary memory overwrite in trusted (enclave) memory. The ecall_restore function does not validate the range of the caller-supplied output_len pointer, so an untrusted caller can pass a pointer that names a location inside the enclave; when the function writes tmp_output_len through that pointer, a value the attacker can manipulate lands at an arbitrary trusted address. This is the CWE-823 pattern for enclave entry points: every pointer received from untrusted code must be checked to lie entirely outside enclave memory (no partial overlap with the enclave range, no address wraparound) before the enclave reads from or writes through it. The issue is fixed in Asylo 0.6.0; update to 0.6.0 or later.
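The C program below is an added illustration of the bug's shape and of the check that closes it; it is not Asylo's code and does not use Asylo or Intel SGX SDK APIs. A static buffer stands in for enclave memory, ecall_restore_vulnerable writes through the caller's output_len pointer unchecked, and ecall_restore_hardened first requires the pointer's full extent to lie outside the simulated enclave. All names (is_outside_enclave, ENCLAVE_BASE, the ecall_restore_* functions, the trusted-state magic value) are hypothetical, and the attack inputs are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated "trusted" (enclave) memory. In a real SGX enclave the bounds come
 * from the enclave's load address and size; here a static, 8-byte-aligned
 * buffer stands in so the example runs as an ordinary user-space program.
 * (Constructed for this example; not Asylo code.) */
static uint64_t g_enclave_words[32];
#define ENCLAVE_BASE ((uint8_t *)g_enclave_words)
#define ENCLAVE_SIZE (sizeof(g_enclave_words))

/* Trusted state living inside the enclave that untrusted code must never be
 * able to overwrite: the first 8 bytes of the region hold a known magic. */
#define TRUSTED_STATE_MAGIC 0x5a5a5a5a5a5a5a5aULL

static void enclave_init(void) {
    memset(g_enclave_words, 0, ENCLAVE_SIZE);
    g_enclave_words[0] = TRUSTED_STATE_MAGIC;
}

static int trusted_state_intact(void) {
    return g_enclave_words[0] == TRUSTED_STATE_MAGIC;
}

/* Returns 1 if [ptr, ptr+len) lies entirely outside the enclave and does not
 * wrap around the address space; 0 otherwise. A pointer that straddles the
 * enclave boundary is rejected, not just one that starts inside it. */
static int is_outside_enclave(const void *ptr, size_t len) {
    uintptr_t start = (uintptr_t)ptr;
    uintptr_t ebase = (uintptr_t)ENCLAVE_BASE;
    uintptr_t eend  = ebase + ENCLAVE_SIZE;          /* exclusive */
    uintptr_t end;
    if (ptr == NULL || len == 0) return 0;
    if (start > UINTPTR_MAX - len) return 0;        /* start + len would wrap */
    end = start + len;                              /* exclusive */
    return end <= ebase || start >= eend;
}

/* Vulnerable shape: output_len comes from the untrusted caller and the enclave
 * writes tmp_output_len through it without asking where it points. */
static int ecall_restore_vulnerable(const uint8_t *input, size_t input_len,
                                    size_t *output_len) {
    size_t tmp_output_len = input_len * 2;   /* stands in for real output sizing */
    (void)input;
    *output_len = tmp_output_len;            /* lands wherever the caller chose */
    return 0;
}

/* Hardened shape: refuse any output_len whose extent touches enclave memory. */
static int ecall_restore_hardened(const uint8_t *input, size_t input_len,
                                  size_t *output_len) {
    size_t tmp_output_len = input_len * 2;
    (void)input;
    if (!is_outside_enclave(output_len, sizeof(*output_len)))
        return -1;                           /* reject pointer into the enclave */
    *output_len = tmp_output_len;
    return 0;
}

/* Attack: untrusted caller aims output_len at the trusted state.
 * Returns 1 if the trusted state survived the call, 0 if it was clobbered. */
static int attack_vulnerable(void) {
    uint8_t input[4] = {0};
    enclave_init();
    ecall_restore_vulnerable(input, sizeof input, (size_t *)ENCLAVE_BASE);
    return trusted_state_intact();
}

/* Same attack against the hardened path. Returns 1 if the call was rejected
 * and the trusted state is untouched. */
static int attack_hardened(void) {
    uint8_t input[4] = {0};
    enclave_init();
    int rc = ecall_restore_hardened(input, sizeof input, (size_t *)ENCLAVE_BASE);
    return rc != 0 && trusted_state_intact();
}

/* Legitimate use: output_len points at untrusted (stack) memory, so the
 * hardened path accepts it and writes 2 * input_len. Returns 1 on success. */
static int legit_hardened(void) {
    uint8_t input[4] = {0};
    size_t out_len = 0;                      /* lives outside the simulated enclave */
    int rc = ecall_restore_hardened(input, sizeof input, &out_len);
    return rc == 0 && out_len == 8;
}

int main(void) {
    printf("vulnerable path, trusted state intact: %d\n", attack_vulnerable());
    printf("hardened path rejected attack:        %d\n", attack_hardened());
    printf("hardened path accepts legit pointer:  %d\n", legit_hardened());
    return 0;
}
```

The range check is deliberately over the pointer's whole extent, start plus sizeof(*output_len), rather than the start address alone: a pointer to the last few bytes before the enclave would otherwise pass and still spill into trusted memory. In a real enclave, use the SDK's own pointer-range primitive rather than hand-rolled bounds.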

Key dates

02 Disclosure timeline

August 12, 2020 CVE published
September 16, 2024 Record updated