CVE-2020-8935

Vulnerability

An arbitrary memory overwrite vulnerability exists in Google's Asylo library versions up to 0.6.0. The vulnerability occurs in the Ecall_restore function, which can be used to reallocate untrusted code and overwrite sections of enclave memory. Specifically, the enc_untrusted_realloc function did not verify that the returned pointer points to untrusted (outside enclave) memory, allowing an attacker to manipulate the reallocation and overwrite enclave memory [1].

Exploitation

To exploit this vulnerability, an attacker must be able to make an Ecall_restore function call from untrusted code. The attacker can provide a malicious pointer that, when reallocated, overwrites enclave memory. No authentication is required if the attacker can execute untrusted code on the same system [1].

Impact

Successful exploitation allows an attacker to perform an arbitrary memory overwrite within the enclave. This can lead to information disclosure, modification of enclave data, or potentially arbitrary code execution within the trusted execution environment [1].

Mitigation

The issue was fixed in commit ed0926b, which adds a check to ensure that the result of enc_untrusted_realloc is outside the enclave before returning it. Users should update their Asylo library to a version that includes this fix. The official repository has been archived, so users should ensure they are using a patched version or apply the patch manually [1].