Unchecked buffer overrun in enc_untrusted_recvmsg
Description
An arbitrary memory read vulnerability in Asylo versions up to 0.6.0 allows an untrusted attacker to make a call to enc_untrusted_recvmsg using an attacker-controlled result parameter. The parameter size is unchecked, allowing the attacker to read memory locations outside of the intended buffer size, including memory addresses within the secure enclave. We recommend upgrading to or past commit fa6485c5d16a7355eab047d4a44345a73bc9131e.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Asylo up to 0.6.0 allows arbitrary memory read via unchecked result size in enc_untrusted_recvmsg, potentially disclosing secure enclave memory.
Vulnerability
Asylo versions up to 0.6.0 contain an arbitrary memory read vulnerability in the enc_untrusted_recvmsg function. When an untrusted attacker makes a call to this function with a controlled result parameter, the size of the result is not properly checked against the allocated buffer. This allows reading memory beyond the intended buffer boundary [1]. The vulnerable code is in asylo/platform/host_call/trusted/host_calls.cc at line 822 where the result is returned without validation against total_buffer_size [1].
Exploitation
An attacker needs to be able to make a call to enc_untrusted_recvmsg from an untrusted context, controlling the result parameter. By crafting a call where the result size exceeds the buffer size, the attacker can read arbitrary memory. No special privileges beyond untrusted user-level access are required; the vulnerability lies in the missing bounds check [1].
Impact
Successful exploitation allows an untrusted attacker to read arbitrary memory locations, including memory addresses within the secure enclave. This directly leads to information disclosure of sensitive data that should be protected by the enclave boundary [1].
Mitigation
Asylo is now archived and read-only. The fix landed in commit fa6485c5d16a7355eab047d4a44345a73bc9131e, which adds a check that aborts if result > total_buffer_size [1]. Users should upgrade to a version containing this commit or apply the patch manually. No CISA KEV listing was identified.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
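A minimal C model of the bounds check described under Mitigation, added here as an illustration; it is not Asylo's code. The helper names, the host_buf parameter and the choice to return -1 instead of aborting are assumptions made so the behaviour can be tested.

```c
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <sys/uio.h>

/* Sum of the caller's iovec capacities: the most a receive may legitimately
 * report. Returns (size_t)-1 if the sum would overflow. */
static size_t total_iov_size(const struct iovec *iov, int iovcnt) {
    size_t total = 0;
    for (int i = 0; i < iovcnt; i++) {
        if (iov[i].iov_len > (size_t)-1 - total) return (size_t)-1;
        total += iov[i].iov_len;
    }
    return total;
}

/* Hypothetical helper: scatter the `result` bytes that the untrusted host
 * claims to have received (held in host_buf) into the trusted iovecs.
 * Returns the bytes copied, or -1 if the claim is inconsistent. The fix the
 * page cites aborts here; returning -1 is this example's assumption. */
ssize_t scatter_host_result(ssize_t result, const unsigned char *host_buf,
                            const struct iovec *iov, int iovcnt) {
    if (result < 0) return result;              /* host reported an error */
    size_t total_buffer_size = total_iov_size(iov, iovcnt);
    if (total_buffer_size == (size_t)-1) return -1;
    /* The check that was missing: never trust a length larger than the
     * capacity the trusted side actually provided. */
    if ((size_t)result > total_buffer_size) return -1;

    size_t left = (size_t)result, off = 0;
    for (int i = 0; i < iovcnt && left > 0; i++) {
        size_t n = left < iov[i].iov_len ? left : iov[i].iov_len;
        memcpy(iov[i].iov_base, host_buf + off, n);
        off += n;
        left -= n;
    }
    return (ssize_t)off;
}

int main(void) {  /* constructed input: 8 bytes of capacity, host claims 9 */
    unsigned char a[4], b[4], host[16] = {0};
    struct iovec iov[2] = {{a, sizeof a}, {b, sizeof b}};
    return scatter_host_result(9, host, iov, 2) == -1 ? 0 : 1;
}
```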
Affected products
- Google LLC/Asylo (v5), Range: unspecified
References
- [1] github.com/google/asylo/commit/fa6485c5d16a7355eab047d4a44345a73bc9131e (mitre, x_refsource_CONFIRM)