Vulnerability identifier: #VU45854
Vulnerability risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-119
Exploitation vector: Network
Exploit availability: No
Vendor: Google
Description
The vulnerability allows a remote authenticated user to #BASIC_IMPACT#.
An arbitrary memory overwrite vulnerability in the trusted memory of Asylo exists in versions prior to 0.6.0. As the ecall_restore function fails to validate the range of the output_len pointer, an attacker can manipulate the tmp_output_len value and write to an arbitrary location in the trusted (enclave) memory. We recommend updating Asylo to version 0.6.0 or later.
Mitigation
Install update from vendor's website.
Vulnerable software versions
asylo: 0.2.0 - 0.5.3
External links
http://github.com/google/asylo/commit/e582f36ac49ee11a21d23ad6a30c333092e0a94e
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.