Vulnerability-Lookup

CVE-2020-8918 (GCVE-0-2020-8918)

Vulnerability from cvelistv5 – Published: 2020-08-11 18:35 – Updated: 2024-08-04 10:12

Title

TPM 1.2 key authorization values are vulnerable to a TPM transport eavesdropper

Summary

An improperly initialized 'migrationAuth' value in Google's go-tpm TPM1.2 library versions prior to 0.3.0 can lead an eavesdropping attacker to discover the auth value for a key created with CreateWrapKey. An attacker listening in on the channel can collect both 'encUsageAuth' and 'encMigrationAuth', and then can calculate 'usageAuth ^ encMigrationAuth' as the 'migrationAuth' can be guessed for all keys created with CreateWrapKey. TPM2.0 is not impacted by this. We recommend updating your library to 0.3.0 or later, or, if you cannot update, to call CreateWrapKey with a random 20-byte value for 'migrationAuth'.

Severity

6.3 (Medium)


                        
                          CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

CWE

CWE-665 - Improper Initialization

Assigner

Google

References

1 reference

URL	Tags
https://github.com/google/go-tpm/security/advisor…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
Google LLC	google/go-tpm library	Affected: stable , < 0.3.0 (custom)

Credits

Chris Fenner

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T10:12:11.062Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/google/go-tpm/security/advisories/GHSA-5x29-3hr9-6wpw"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "google/go-tpm library",
          "vendor": "Google LLC",
          "versions": [
            {
              "lessThan": "0.3.0",
              "status": "affected",
              "version": "stable",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Chris Fenner"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An improperly initialized \u0027migrationAuth\u0027 value in Google\u0027s go-tpm TPM1.2 library versions prior to 0.3.0 can lead an eavesdropping attacker to discover the auth value for a key created with CreateWrapKey. An attacker listening in on the channel can collect both \u0027encUsageAuth\u0027 and \u0027encMigrationAuth\u0027, and then can calculate \u0027usageAuth ^ encMigrationAuth\u0027 as the \u0027migrationAuth\u0027 can be guessed for all keys created with CreateWrapKey. TPM2.0 is not impacted by this. We recommend updating your library to 0.3.0 or later, or, if you cannot update, to call CreateWrapKey with a random 20-byte value for \u0027migrationAuth\u0027."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-665",
              "description": "CWE-665 Improper Initialization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-08-11T18:35:11.000Z",
        "orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
        "shortName": "Google"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/google/go-tpm/security/advisories/GHSA-5x29-3hr9-6wpw"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "TPM 1.2 key authorization values are vulnerable to a TPM transport eavesdropper",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@google.com",
          "ID": "CVE-2020-8918",
          "STATE": "PUBLIC",
          "TITLE": "TPM 1.2 key authorization values are vulnerable to a TPM transport eavesdropper"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "google/go-tpm library",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "stable",
                            "version_value": "0.3.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Google LLC"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Chris Fenner"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An improperly initialized \u0027migrationAuth\u0027 value in Google\u0027s go-tpm TPM1.2 library versions prior to 0.3.0 can lead an eavesdropping attacker to discover the auth value for a key created with CreateWrapKey. An attacker listening in on the channel can collect both \u0027encUsageAuth\u0027 and \u0027encMigrationAuth\u0027, and then can calculate \u0027usageAuth ^ encMigrationAuth\u0027 as the \u0027migrationAuth\u0027 can be guessed for all keys created with CreateWrapKey. TPM2.0 is not impacted by this. We recommend updating your library to 0.3.0 or later, or, if you cannot update, to call CreateWrapKey with a random 20-byte value for \u0027migrationAuth\u0027."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-665 Improper Initialization"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/google/go-tpm/security/advisories/GHSA-5x29-3hr9-6wpw",
              "refsource": "CONFIRM",
              "url": "https://github.com/google/go-tpm/security/advisories/GHSA-5x29-3hr9-6wpw"
            }
          ]
        },
        "source": {
          "discovery": "INTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
    "assignerShortName": "Google",
    "cveId": "CVE-2020-8918",
    "datePublished": "2020-08-11T18:35:11.000Z",
    "dateReserved": "2020-02-12T00:00:00.000Z",
    "dateUpdated": "2024-08-04T10:12:11.062Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2020-8918",
      "date": "2026-05-31",
      "epss": "0.00017",
      "percentile": "0.0419"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:google:go-tpm:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"0.3.0\", \"matchCriteriaId\": \"4C01295C-C049-40D7-AB0A-58BAEEC81283\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"An improperly initialized \u0027migrationAuth\u0027 value in Google\u0027s go-tpm TPM1.2 library versions prior to 0.3.0 can lead an eavesdropping attacker to discover the auth value for a key created with CreateWrapKey. An attacker listening in on the channel can collect both \u0027encUsageAuth\u0027 and \u0027encMigrationAuth\u0027, and then can calculate \u0027usageAuth ^ encMigrationAuth\u0027 as the \u0027migrationAuth\u0027 can be guessed for all keys created with CreateWrapKey. TPM2.0 is not impacted by this. We recommend updating your library to 0.3.0 or later, or, if you cannot update, to call CreateWrapKey with a random 20-byte value for \u0027migrationAuth\u0027.\"}, {\"lang\": \"es\", \"value\": \"Un valor de \\\"migrationAuth\\\" inicializado inapropiadamente en la biblioteca go-tpm TPM1.2 de Google versiones anteriores a 0.3.0, puede conllevar a un atacante que esp\\u00eda a detectar el valor de autenticaci\\u00f3n de una clave creada con CreateWrapKey. Un atacante que escucha en el canal puede recopilar \\\"encUsageAuth\\\" y \\\"encMigrationAuth\\\", y luego puede calcular \\\"useAuth ^ encMigrationAuth\\\" ya que se puede adivinar \\\"migrationAuth\\\" para todas las claves creadas con CreateWrapKey. TPM2.0 no est\\u00e1 afectado por esto. Recomendamos actualizar su biblioteca a la versi\\u00f3n 0.3.0 o posterior o, si no puede actualizar, llamar a CreateWrapKey con un valor aleatorio de 20 bytes para \\\"migrationAuth\\\"\"}]",
      "id": "CVE-2020-8918",
      "lastModified": "2024-11-21T05:39:40.920",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"cve-coordination@google.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N\", \"baseScore\": 6.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.0, \"impactScore\": 5.2}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\", \"baseScore\": 7.1, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 5.2}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:L/AC:L/Au:N/C:P/I:P/A:N\", \"baseScore\": 3.6, \"accessVector\": \"LOCAL\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"LOW\", \"exploitabilityScore\": 3.9, \"impactScore\": 4.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2020-08-11T19:15:17.547",
      "references": "[{\"url\": \"https://github.com/google/go-tpm/security/advisories/GHSA-5x29-3hr9-6wpw\", \"source\": \"cve-coordination@google.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/google/go-tpm/security/advisories/GHSA-5x29-3hr9-6wpw\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "cve-coordination@google.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"cve-coordination@google.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-665\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-665\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2020-8918\",\"sourceIdentifier\":\"cve-coordination@google.com\",\"published\":\"2020-08-11T19:15:17.547\",\"lastModified\":\"2024-11-21T05:39:40.920\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An improperly initialized \u0027migrationAuth\u0027 value in Google\u0027s go-tpm TPM1.2 library versions prior to 0.3.0 can lead an eavesdropping attacker to discover the auth value for a key created with CreateWrapKey. An attacker listening in on the channel can collect both \u0027encUsageAuth\u0027 and \u0027encMigrationAuth\u0027, and then can calculate \u0027usageAuth ^ encMigrationAuth\u0027 as the \u0027migrationAuth\u0027 can be guessed for all keys created with CreateWrapKey. TPM2.0 is not impacted by this. We recommend updating your library to 0.3.0 or later, or, if you cannot update, to call CreateWrapKey with a random 20-byte value for \u0027migrationAuth\u0027.\"},{\"lang\":\"es\",\"value\":\"Un valor de \\\"migrationAuth\\\" inicializado inapropiadamente en la biblioteca go-tpm TPM1.2 de Google versiones anteriores a 0.3.0, puede conllevar a un atacante que esp\u00eda a detectar el valor de autenticaci\u00f3n de una clave creada con CreateWrapKey. Un atacante que escucha en el canal puede recopilar \\\"encUsageAuth\\\" y \\\"encMigrationAuth\\\", y luego puede calcular \\\"useAuth ^ encMigrationAuth\\\" ya que se puede adivinar \\\"migrationAuth\\\" para todas las claves creadas con CreateWrapKey. TPM2.0 no est\u00e1 afectado por esto. Recomendamos actualizar su biblioteca a la versi\u00f3n 0.3.0 o posterior o, si no puede actualizar, llamar a CreateWrapKey con un valor aleatorio de 20 bytes para \\\"migrationAuth\\\"\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cve-coordination@google.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N\",\"baseScore\":6.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.0,\"impactScore\":5.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":5.2}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:L/Au:N/C:P/I:P/A:N\",\"baseScore\":3.6,\"accessVector\":\"LOCAL\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":3.9,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"cve-coordination@google.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-665\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-665\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:google:go-tpm:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.3.0\",\"matchCriteriaId\":\"4C01295C-C049-40D7-AB0A-58BAEEC81283\"}]}]}],\"references\":[{\"url\":\"https://github.com/google/go-tpm/security/advisories/GHSA-5x29-3hr9-6wpw\",\"source\":\"cve-coordination@google.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/google/go-tpm/security/advisories/GHSA-5x29-3hr9-6wpw\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}"
  }
}

FKIE_CVE-2020-8918

Vulnerability from fkie_nvd - Published: 2020-08-11 19:15 - Updated: 2024-11-21 05:39

Severity

6.3 (Medium) - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
7.1 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Summary

References

	URL	Tags
	cve-coordination@google.com	https://github.com/google/go-tpm/security/advisories/GHSA-5x29-3hr9-6wpw	Exploit, Third Party Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/google/go-tpm/security/advisories/GHSA-5x29-3hr9-6wpw	Exploit, Third Party Advisory

Impacted products

	Vendor	Product	Version
	google	go-tpm	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:google:go-tpm:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4C01295C-C049-40D7-AB0A-58BAEEC81283",
              "versionEndExcluding": "0.3.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An improperly initialized \u0027migrationAuth\u0027 value in Google\u0027s go-tpm TPM1.2 library versions prior to 0.3.0 can lead an eavesdropping attacker to discover the auth value for a key created with CreateWrapKey. An attacker listening in on the channel can collect both \u0027encUsageAuth\u0027 and \u0027encMigrationAuth\u0027, and then can calculate \u0027usageAuth ^ encMigrationAuth\u0027 as the \u0027migrationAuth\u0027 can be guessed for all keys created with CreateWrapKey. TPM2.0 is not impacted by this. We recommend updating your library to 0.3.0 or later, or, if you cannot update, to call CreateWrapKey with a random 20-byte value for \u0027migrationAuth\u0027."
    },
    {
      "lang": "es",
      "value": "Un valor de \"migrationAuth\" inicializado inapropiadamente en la biblioteca go-tpm TPM1.2 de Google versiones anteriores a 0.3.0, puede conllevar a un atacante que esp\u00eda a detectar el valor de autenticaci\u00f3n de una clave creada con CreateWrapKey. Un atacante que escucha en el canal puede recopilar \"encUsageAuth\" y \"encMigrationAuth\", y luego puede calcular \"useAuth ^ encMigrationAuth\" ya que se puede adivinar \"migrationAuth\" para todas las claves creadas con CreateWrapKey. TPM2.0 no est\u00e1 afectado por esto. Recomendamos actualizar su biblioteca a la versi\u00f3n 0.3.0 o posterior o, si no puede actualizar, llamar a CreateWrapKey con un valor aleatorio de 20 bytes para \"migrationAuth\""
    }
  ],
  "id": "CVE-2020-8918",
  "lastModified": "2024-11-21T05:39:40.920",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 3.6,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 6.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.0,
        "impactScore": 5.2,
        "source": "cve-coordination@google.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-08-11T19:15:17.547",
  "references": [
    {
      "source": "cve-coordination@google.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/google/go-tpm/security/advisories/GHSA-5x29-3hr9-6wpw"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/google/go-tpm/security/advisories/GHSA-5x29-3hr9-6wpw"
    }
  ],
  "sourceIdentifier": "cve-coordination@google.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-665"
        }
      ],
      "source": "cve-coordination@google.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-665"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-5X29-3HR9-6WPW

Vulnerability from github – Published: 2022-02-11 23:18 – Updated: 2023-08-29 21:08

Summary

TPM 1.2 key authorization values vulnerable to TPM transport eavesdropper in go-tpm

Details

Impact

TPM 2.0 users are unaffected by this issue.

An adversary eavesdropping on the TPM 1.2 transport path can calculate usageAuth for a key created with CreateWrapKey, even though this value is encrypted as part of the TPM 1.2 command protocol.

The TPM 1.2 CreateWrapKey command accepts two secrets: usageAuth and migrationAuth. The ADIP protocol (TPM 1.2 specification, part 1, section 13.4) calls for these values to be encrypted with two different XOR keys. Due to a bug in go-tpm prior to version 0.3.0, both usageAuth and migrationAuth are encrypted with the same XOR keystream. This allows an adversary to XOR encUsageAuth and encMigrationAuth together to calculate usageAuth ^ encMigrationAuth. Since migrationAuth is moot for all keys created with go-tpm's CreateWrapKey (since all keys created with this function are marked non-migratable), an adversary may guess or know (from code/binary inspection) that migrationAuth is all 0x00 bytes or some other fixed value. Such an adversary can then calculate usageAuth and use this value later to improperly use the created key, unbeknownst to the creator of the key.

Patches

Fixed in go-tpm version 0.3.0.

Workarounds

TPM 2.0 users: No workaround needed. This issue only affects TPM 1.2 users.
TPM 1.2 users: Call CreateWrapKey with a random 20-byte value for migrationAuth, even though that value is not used again (since CreateWrapKey creates keys that are non-migratable). Do not store or log this value.

Details

TPM 1.2 uses a protocol called ADIP (Authorization Data Insertion Protocol) to encrypt authorization values over-the-wire for newly created objects. This prevents a bus-snooping attack like those publicized by TPM Genie. TPM 2.0 makes this optional (the way to do it is with parameter-encryption sessions). You can read more about ADIP in section 13.4 of Part 1: Design Principles in the latest TPM 1.2 specification. Normally, ADIP consists of the following steps:

Key := SHA1(authSession.SharedSecret || a nonce)
Note: nonces and auth values in TPM 1.2 are always 20 bytes
EncAuth := XOR(Key, Auth)

When commands require one ADIP-encrypted auth value, the nonce is the last nonceEven (last nonce from the TPM). When commands require two ADIP-encrypted auth values, the nonce for the first auth value is still nonceEven, and the nonce for the second auth value is the last nonceOdd, which is the one being provided by the caller along with the current command on the session. The reason for this is that you wouldn't want an adversary to be able to XOR the two encrypted auth values together and come up with (auth 1 XOR key) XOR (auth 2 XOR key) where the "one-time" pad key is used twice and cancels itself out.

Here are the commands that take one authorization value by ADIP:

Seal (the sealed data's auth value)
Sealx (the sealed data's auth value)
CreateKey (the key's auth value)
MakeIdentity (the AIK's auth value)
ChangeAuth (the entity's new auth value)
ChangeAuthOwner (the new owner auth value)
Delegate_CreateKeyDelegation (the new delegation auth value)
Delegate_CreateOwnerDelegation (the new delegation auth value)
NV_DefineSpace (the NV's auth value)
CreateCounter (the counter's auth value)

Here are the commands that take two authorization values by ADIP:

CreateWrapKey (the key's auth value, and the key's migration (to export out of the TPM) auth value)

The migrationAuth value is never used if the key does not have the TPM_KEY_FLAGS.migratable flag set on it. go-tpm does not currently allow the caller to set this flag. Here was the bug in our implementation of CreateWrapKey():

https://github.com/google/go-tpm/blob/16766ac4521425bd02ad23868fbdf24749268669/tpm/tpm.go#L1322-L1329

Here we see that both usageAuth and migrationAuth are encrypted by the same XOR key. This is the correct key (i.e., it is based on nonceEven) for usageAuth, but not migrationAuth.

This means 2 things:

First: migrationAuth is being set to some value that is effectively unrelated to migrationAuth as passed by the caller. Again, this is not interesting to all current callers (given that there is no way for them to pass TPM_KEY_FLAGS.migratable via the current API; migrationAuth is not a meaningful value).

Second, and much more importantly: a user of go-tpm is vulnerable to the following attack by a passive bus-snooping adversary (CVE-2020-8918) 1. Wait for a CreateWrapKey command 2. Collect encUsageAuth and encMigrationAuth 3. Calculate (usageAuth XOR migrationAuth) := (encUsageAuth XOR encMigrationAuth) 4. Assuming migrationAuth is all 0x00 (a reasonable assumption for a caller who knows the key is not migratable), the calculation in (3) is the usage auth of the key.

Severity

7.1 (High)


                  
                    CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/google/go-tpm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-8918"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-665"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-24T18:32:13Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\nTPM 2.0 users are unaffected by this issue.\n\nAn adversary eavesdropping on the TPM 1.2 transport path can calculate `usageAuth` for a key created with CreateWrapKey, even though this value is encrypted as part of the TPM 1.2 command protocol.\n\nThe TPM 1.2 CreateWrapKey command accepts two secrets: `usageAuth` and `migrationAuth`. The ADIP protocol ([TPM 1.2 specification, part 1, section 13.4](https://trustedcomputinggroup.org/wp-content/uploads/TPM-Main-Part-1-Design-Principles_v1.2_rev116_01032011.pdf)) calls for these values to be encrypted with two different XOR keys. Due to a bug in go-tpm prior to version 0.3.0, both `usageAuth` and `migrationAuth` are encrypted with the same XOR keystream. This allows an adversary to XOR `encUsageAuth` and `encMigrationAuth` together to calculate `usageAuth ^ encMigrationAuth`. Since `migrationAuth` is moot for all keys created with go-tpm\u0027s `CreateWrapKey` (since all keys created with this function are marked non-migratable), an adversary may guess or know (from code/binary inspection) that `migrationAuth` is all 0x00 bytes or some other fixed value. Such an adversary can then calculate `usageAuth` and use this value later to improperly use the created key, unbeknownst to the creator of the key.\n\n### Patches\nFixed in go-tpm version 0.3.0.\n\n### Workarounds\n\n- TPM 2.0 users: No workaround needed. This issue only affects TPM 1.2 users.\n- TPM 1.2 users: Call CreateWrapKey with a random 20-byte value for `migrationAuth`, even though that value is not used again (since CreateWrapKey creates keys that are non-migratable). Do not store or log this value.\n\n\n### Details\n\nTPM 1.2 uses a protocol called ADIP (Authorization Data Insertion Protocol) to encrypt authorization values over-the-wire for newly created objects. This prevents a bus-snooping attack like those publicized by TPM Genie. TPM 2.0 makes this optional (the way to do it is with parameter-encryption sessions). You can read more about ADIP in section 13.4 of Part 1: Design Principles in the latest [TPM 1.2 specification](https://trustedcomputinggroup.org/resource/tpm-main-specification/). Normally, ADIP consists of the following steps:\n```\nKey := SHA1(authSession.SharedSecret || a nonce)\nNote: nonces and auth values in TPM 1.2 are always 20 bytes\nEncAuth := XOR(Key, Auth)\n```\nWhen commands require one ADIP-encrypted auth value, the nonce is the last nonceEven (last nonce from the TPM).\nWhen commands require two ADIP-encrypted auth values, the nonce for the first auth value is still nonceEven, and the nonce for the second auth value is the last nonceOdd, which is the one being provided by the caller along with the current command on the session.\nThe reason for this is that you wouldn\u0027t want an adversary to be able to XOR the two encrypted auth values together and come up with (auth 1 XOR key) XOR (auth 2 XOR key) where the \"one-time\" pad key is used twice and cancels itself out.\n\nHere are the commands that take one authorization value by ADIP:\n\n- Seal (the sealed data\u0027s auth value)\n- Sealx (the sealed data\u0027s auth value)\n- CreateKey (the key\u0027s auth value)\n- MakeIdentity (the AIK\u0027s auth value)\n- ChangeAuth (the entity\u0027s new auth value)\n- ChangeAuthOwner (the new owner auth value)\n- Delegate_CreateKeyDelegation (the new delegation auth value)\n- Delegate_CreateOwnerDelegation (the new delegation auth value)\n- NV_DefineSpace (the NV\u0027s auth value)\n- CreateCounter (the counter\u0027s auth value)\n\nHere are the commands that take two authorization values by ADIP:\n\n- CreateWrapKey (the key\u0027s auth value, and the key\u0027s migration (to export out of the TPM) auth value)\n\nThe migrationAuth value is never used if the key does not have the `TPM_KEY_FLAGS.migratable` flag set on it. go-tpm does not currently allow the caller to set this flag.\nHere was the bug in our implementation of `CreateWrapKey()`:\n\nhttps://github.com/google/go-tpm/blob/16766ac4521425bd02ad23868fbdf24749268669/tpm/tpm.go#L1322-L1329\n\nHere we see that both usageAuth and migrationAuth are encrypted by the same XOR key. This is the correct key (i.e., it is based on nonceEven) for usageAuth, but not migrationAuth.\n\nThis means 2 things:\n\n**First: migrationAuth is being set to some value that is effectively unrelated to migrationAuth as passed by the caller.** Again, this is not interesting to all current callers (given that there is no way for them to pass `TPM_KEY_FLAGS.migratable` via the current API; migrationAuth is not a meaningful value).\n\n**Second, and much more importantly: a user of go-tpm is vulnerable to the following attack by a passive bus-snooping adversary (CVE-2020-8918)**\n1. Wait for a `CreateWrapKey` command\n2. Collect `encUsageAuth` and `encMigrationAuth`\n3. Calculate `(usageAuth XOR migrationAuth) := (encUsageAuth XOR encMigrationAuth)`\n4. Assuming migrationAuth is all 0x00 (a reasonable assumption for a caller who knows the key is not migratable), the calculation in (3) is the usage auth of the key.",
  "id": "GHSA-5x29-3hr9-6wpw",
  "modified": "2023-08-29T21:08:37Z",
  "published": "2022-02-11T23:18:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/google/go-tpm/security/advisories/GHSA-5x29-3hr9-6wpw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8918"
    },
    {
      "type": "WEB",
      "url": "https://github.com/google/go-tpm/pull/195"
    },
    {
      "type": "WEB",
      "url": "https://github.com/google/go-tpm/commit/d7806cce857a1a020190c03348e5361725d8f141"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/google/go-tpm"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2021-0095"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "TPM 1.2 key authorization values vulnerable to TPM transport eavesdropper in go-tpm"
}

GSD-2020-8918

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

Aliases

CVE-2020-8918

Aliases

CVE-2020-8918

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2020-8918",
    "description": "An improperly initialized \u0027migrationAuth\u0027 value in Google\u0027s go-tpm TPM1.2 library versions prior to 0.3.0 can lead an eavesdropping attacker to discover the auth value for a key created with CreateWrapKey. An attacker listening in on the channel can collect both \u0027encUsageAuth\u0027 and \u0027encMigrationAuth\u0027, and then can calculate \u0027usageAuth ^ encMigrationAuth\u0027 as the \u0027migrationAuth\u0027 can be guessed for all keys created with CreateWrapKey. TPM2.0 is not impacted by this. We recommend updating your library to 0.3.0 or later, or, if you cannot update, to call CreateWrapKey with a random 20-byte value for \u0027migrationAuth\u0027.",
    "id": "GSD-2020-8918"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2020-8918"
      ],
      "details": "An improperly initialized \u0027migrationAuth\u0027 value in Google\u0027s go-tpm TPM1.2 library versions prior to 0.3.0 can lead an eavesdropping attacker to discover the auth value for a key created with CreateWrapKey. An attacker listening in on the channel can collect both \u0027encUsageAuth\u0027 and \u0027encMigrationAuth\u0027, and then can calculate \u0027usageAuth ^ encMigrationAuth\u0027 as the \u0027migrationAuth\u0027 can be guessed for all keys created with CreateWrapKey. TPM2.0 is not impacted by this. We recommend updating your library to 0.3.0 or later, or, if you cannot update, to call CreateWrapKey with a random 20-byte value for \u0027migrationAuth\u0027.",
      "id": "GSD-2020-8918",
      "modified": "2023-12-13T01:21:54.320659Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@google.com",
        "ID": "CVE-2020-8918",
        "STATE": "PUBLIC",
        "TITLE": "TPM 1.2 key authorization values are vulnerable to a TPM transport eavesdropper"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "google/go-tpm library",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "stable",
                          "version_value": "0.3.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Google LLC"
            }
          ]
        }
      },
      "credit": [
        {
          "lang": "eng",
          "value": "Chris Fenner"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "An improperly initialized \u0027migrationAuth\u0027 value in Google\u0027s go-tpm TPM1.2 library versions prior to 0.3.0 can lead an eavesdropping attacker to discover the auth value for a key created with CreateWrapKey. An attacker listening in on the channel can collect both \u0027encUsageAuth\u0027 and \u0027encMigrationAuth\u0027, and then can calculate \u0027usageAuth ^ encMigrationAuth\u0027 as the \u0027migrationAuth\u0027 can be guessed for all keys created with CreateWrapKey. TPM2.0 is not impacted by this. We recommend updating your library to 0.3.0 or later, or, if you cannot update, to call CreateWrapKey with a random 20-byte value for \u0027migrationAuth\u0027."
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "impact": {
        "cvss": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 6.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-665 Improper Initialization"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/google/go-tpm/security/advisories/GHSA-5x29-3hr9-6wpw",
            "refsource": "CONFIRM",
            "url": "https://github.com/google/go-tpm/security/advisories/GHSA-5x29-3hr9-6wpw"
          }
        ]
      },
      "source": {
        "discovery": "INTERNAL"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003cv0.3.0",
          "affected_versions": "All versions before 0.3.0",
          "cvss_v2": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-665",
            "CWE-937"
          ],
          "date": "2020-08-18",
          "description": "An improperly initialized `migrationAuth\u0027 value in Google\u0027s go-tpm library can lead an eavesdropping attacker to discover the `auth` value for a key created with CreateWrapKey. An attacker listening in on the channel can collect both `encUsageAuth` and `encMigrationAuth`, and then can calculate `usageAuth ^ encMigrationAuth` as the `migrationAuth` can be guessed for all keys created with `CreateWrapKey`.",
          "fixed_versions": [
            "v0.3.0"
          ],
          "identifier": "CVE-2020-8918",
          "identifiers": [
            "CVE-2020-8918",
            "GHSA-5x29-3hr9-6wpw"
          ],
          "not_impacted": "All versions starting from 0.3.0",
          "package_slug": "go/github.com/google/go-tpm",
          "pubdate": "2020-08-11",
          "solution": "Upgrade to version 0.3.0 or above.",
          "title": "Improper Initialization",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2020-8918"
          ],
          "uuid": "63158d1b-4d22-40b5-afc6-f9dfe9a615e9",
          "versions": [
            {
              "commit": {
                "sha": "d7806cce857a1a020190c03348e5361725d8f141",
                "tags": [
                  "v0.3.0"
                ],
                "timestamp": "20200723210223"
              },
              "number": "v0.3.0"
            }
          ]
        },
        {
          "affected_range": "\u003cv0.2.0",
          "affected_versions": "All versions before 0.2.0",
          "cvss_v2": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-665",
            "CWE-937"
          ],
          "date": "2022-02-11",
          "description": "An improperly initialized \u0027migrationAuth\u0027 value in Google\u0027s go-tpm TPM1.2 library can lead an eavesdropping attacker to discover the auth value for a key created with CreateWrapKey. An attacker listening in on the channel can collect both \u0027encUsageAuth\u0027 and \u0027encMigrationAuth\u0027, and then can calculate \u0027usageAuth ^ encMigrationAuth\u0027 as the \u0027migrationAuth\u0027 can be guessed for all keys created with CreateWrapKey. TPM2.0 is not impacted by this. We recommend updating your library to or later, or, if you cannot update, to call CreateWrapKey with a random value for \u0027migrationAuth\u0027.",
          "fixed_versions": [
            "v0.2.0"
          ],
          "identifier": "CVE-2020-8918",
          "identifiers": [
            "GHSA-5x29-3hr9-6wpw",
            "CVE-2020-8918"
          ],
          "not_impacted": "All versions starting from 0.2.0",
          "package_slug": "go/github.com/google/go-tpm/tpm",
          "pubdate": "2022-02-11",
          "solution": "Upgrade to version 0.2.0 or above.",
          "title": "Improper Initialization",
          "urls": [
            "https://github.com/google/go-tpm/security/advisories/GHSA-5x29-3hr9-6wpw",
            "https://nvd.nist.gov/vuln/detail/CVE-2020-8918",
            "https://github.com/google/go-tpm/pull/195",
            "https://github.com/advisories/GHSA-5x29-3hr9-6wpw"
          ],
          "uuid": "0dcf6dcd-b03c-4b5c-b6f6-c61222190330",
          "versions": [
            {
              "commit": {
                "sha": "b2c8857856f7516bb35d299c6b5d19f64e4ad579",
                "tags": [
                  "v0.2.0"
                ],
                "timestamp": "20190906233705"
              },
              "number": "v0.2.0"
            }
          ]
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:google:go-tpm:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "0.3.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@google.com",
          "ID": "CVE-2020-8918"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "An improperly initialized \u0027migrationAuth\u0027 value in Google\u0027s go-tpm TPM1.2 library versions prior to 0.3.0 can lead an eavesdropping attacker to discover the auth value for a key created with CreateWrapKey. An attacker listening in on the channel can collect both \u0027encUsageAuth\u0027 and \u0027encMigrationAuth\u0027, and then can calculate \u0027usageAuth ^ encMigrationAuth\u0027 as the \u0027migrationAuth\u0027 can be guessed for all keys created with CreateWrapKey. TPM2.0 is not impacted by this. We recommend updating your library to 0.3.0 or later, or, if you cannot update, to call CreateWrapKey with a random 20-byte value for \u0027migrationAuth\u0027."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-665"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/google/go-tpm/security/advisories/GHSA-5x29-3hr9-6wpw",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://github.com/google/go-tpm/security/advisories/GHSA-5x29-3hr9-6wpw"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 3.6,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 4.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "LOW",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 5.2
        }
      },
      "lastModifiedDate": "2020-08-18T13:32Z",
      "publishedDate": "2020-08-11T19:15Z"
    }
  }
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2020-8918 (GCVE-0-2020-8918)

FKIE_CVE-2020-8918

GHSA-5X29-3HR9-6WPW

Impact

Patches

Workarounds

Details

GSD-2020-8918

Tags

Sightings

Nomenclature