Arbitrary enclave memory overread vulnerability in Asylo TrustedPrimitives::UntrustedCall
Description
An attacker can change the pointer to untrusted memory so that it points into the trusted memory region, which causes trusted memory to be copied to trusted memory; if the latter is later copied out, this allows memory regions from the trusted region to be read. It is recommended to update past 0.6.2 or git commit https://github.com/google/asylo/commit/53ed5d8fd8118ced1466e509606dd2f473707a5c
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A race condition in Asylo allows an attacker to change an untrusted output pointer, causing out-of-enclave memory to be read as trusted data.
Vulnerability
A race condition exists in the Asylo enclave framework (versions prior to 0.6.2) in the TrustedPrimitives::UntrustedCall function within asylo/platform/primitives/sgx. The function copies data from the output buffer pointed to by sgx_params->output into output->Deserialize(), but the bounds check (IsOutsideEnclave) and the subsequent use of the pointer are not atomic. An attacker could modify sgx_params->output between the check and the copy, causing trusted memory to be treated as untrusted output and then copied into the enclave [1]. The fix stores the output pointer locally before the check and uses that local copy for the copy operation [1].
Exploitation
An attacker needs to be able to trigger the UntrustedCall sequence within an enclave that uses the vulnerable Asylo library. The attacker must also be able to modify the untrusted memory region pointed to by sgx_params->output concurrently (a race window). No special authentication is required beyond the ability to execute code in the enclave's host environment [1]. The attacker exploits the race by changing the pointer from an untrusted region to a trusted memory region after the IsOutsideEnclave check passes but before the Deserialize call reads from it.
Impact
Successful exploitation allows an attacker to cause the enclave to read memory from a trusted region (intended only for the enclave) and then copy that data to the untrusted output buffer. This results in unauthorized disclosure of sensitive enclave memory to the attacker [1]. The impact is a violation of enclave confidentiality (information disclosure) [1].
Mitigation
The vulnerability is fixed in Asylo version 0.6.2 and in the git commit 53ed5d8fd8118ced1466e509606dd2f473707a5c [1]. Users should update to the fixed version. Since the Asylo repository is now archived and read-only, no further updates are expected, but the patch commit is available for reference [1].
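As an added illustration of the double fetch described in the Vulnerability and Mitigation sections (example code, not Asylo's own): the vulnerable read-check-reread pattern beside the single-fetch fix. The enclave and host arrays, IsOutsideEnclave, SgxParams and the HostRace hook are constructed stand-ins for the real SGX memory layout and for a host thread that wins the race window.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>
// Constructed stand-ins: enclave (trusted) memory and host (untrusted) memory.
static uint8_t g_enclave[64];  // bytes the enclave must never leak
static uint8_t g_host[64];     // output buffer legitimately owned by the host

// Stand-in for Asylo's IsOutsideEnclave: true iff [p, p+n) is wholly outside.
static bool IsOutsideEnclave(const void *p, size_t n) {
  uintptr_t lo = reinterpret_cast<uintptr_t>(p), elo = reinterpret_cast<uintptr_t>(g_enclave);
  return lo + n <= elo || lo >= elo + sizeof(g_enclave);
}

// Host-controlled block in shared memory; volatile: the host may rewrite it at any time.
struct SgxParams { void *volatile output; size_t output_size; };
// Models the host thread winning the window between the check and the use.
static void HostRace(SgxParams *p) { p->output = g_enclave; }

// Vulnerable pattern (double fetch): the pointer that is checked is not the pointer used.
static bool UntrustedCallVulnerable(SgxParams *params, std::vector<uint8_t> *out,
                                    void (*race)(SgxParams *)) {
  if (!IsOutsideEnclave(params->output, params->output_size)) return false;
  race(params);
  const uint8_t *src = static_cast<const uint8_t *>(params->output);  // second fetch
  out->assign(src, src + params->output_size);
  return true;
}

// Fixed pattern (as in the Asylo patch): fetch once into locals, check and use only those.
static bool UntrustedCallFixed(SgxParams *params, std::vector<uint8_t> *out,
                               void (*race)(SgxParams *)) {
  void *output = params->output;  // single fetch
  size_t size = params->output_size;
  if (!IsOutsideEnclave(output, size)) return false;
  race(params);  // host still rewrites params->output, but it is never re-read
  const uint8_t *src = static_cast<const uint8_t *>(output);
  out->assign(src, src + size);
  return true;
}

// Scenario: valid host buffer, pointer swung into the enclave mid-call; true if bytes leaked.
static bool LeaksEnclaveMemory(bool use_fixed) {
  memset(g_enclave, 0xAA, sizeof(g_enclave));  // constructed "secret" content
  memset(g_host, 0x00, sizeof(g_host));
  SgxParams params{g_host, 16};
  std::vector<uint8_t> out;
  bool ok = use_fixed ? UntrustedCallFixed(&params, &out, HostRace)
                      : UntrustedCallVulnerable(&params, &out, HostRace);
  return ok && !out.empty() && out[0] == 0xAA;
}
```

The same single-fetch rule applies to every field read from host-shared memory, including the size, which is why the fixed variant copies both before checking.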
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Google LLC / Asylo (version range: unspecified)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] https://github.com/google/asylo/commit/53ed5d8fd8118ced1466e509606dd2f473707a5c (MISC)
News mentions
No linked articles in our index yet.