ID

VAR-202011-0143


CVE

CVE-2020-12355


TITLE

Replay Protected Memory Block (RPMB) protocol does not adequately defend against replay attacks

Trust: 0.8

sources: CERT/CC: VU#231329

DESCRIPTION

Authentication bypass by capture-replay in RPMB protocol message authentication subsystem in Intel(R) TXE versions before 4.0.30 may allow an unauthenticated user to potentially enable escalation of privilege via physical access. The Replay Protected Memory Block (RPMB) protocol found in several storage specifications does not securely protect against replay attacks. An attacker with physical access can deceive a trusted component about the status of an RPMB write command or the content of an RPMB area. The RPMB protocol "...enables a device to store data in a small, specific area that is authenticated and protected against replay attack." RPMB is most commonly found in mobile phones and tablets using flash storage technology such as eMMC, UFS, and NVMe. The RPMB protocol allows an attacker to replay stale write failure messages and write commands, leading to state confusion between a trusted component and the contents of an RPMB area. Additional details are available in Replay Attack Vulnerabilities in RPMB Protocol Applications. An attacker with physical access to a device can cause a mismatch between the write state or contents of the RPMB area and a trusted component of the device. These mismatches can lead to the trusted component believing a write command failed when in fact it succeeded, or the trusted component believing that certain content was written when in fact different content (unmodified by the attacker) was written. Further implications depend on the specific device and use of RPMB. At least one affected vendor has confirmed that denial of service . Intel(R) TXE contains a capture-replay authentication bypass vulnerability. Information may be obtained or tampered with, and a denial-of-service (DoS) state may result.

Trust: 2.52

sources: NVD: CVE-2020-12355 // CERT/CC: VU#231329 // JVNDB: JVNDB-2020-013433 // VULHUB: VHN-165025 // VULMON: CVE-2020-12355

AFFECTED PRODUCTS

vendor: intel
model: trusted execution engine
scope: lt
version: 4.0.30

Trust: 1.0

vendor: Intel
model: intel trusted execution engine
scope: eq
version: -

Trust: 0.8

vendor: Intel
model: intel trusted execution engine
scope: eq
version: 4.0.30

Trust: 0.8

sources: JVNDB: JVNDB-2020-013433 // NVD: CVE-2020-12355

CVSS

SEVERITY

nvd@nist.gov: CVE-2020-12355
value: MEDIUM

Trust: 1.0

NVD: CVE-2020-12355
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201911-1673
value: MEDIUM

Trust: 0.6

VULHUB: VHN-165025
value: MEDIUM

Trust: 0.1

VULMON: CVE-2020-12355
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2020-12355
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-165025
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2020-12355
baseSeverity: MEDIUM
baseScore: 6.8
vectorString: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: PHYSICAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 0.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2020-12355
baseSeverity: MEDIUM
baseScore: 6.8
vectorString: CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: PHYSICAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-165025 // VULMON: CVE-2020-12355 // JVNDB: JVNDB-2020-013433 // CNNVD: CNNVD-201911-1673 // NVD: CVE-2020-12355

PROBLEMTYPE DATA

problemtype:CWE-294

Trust: 1.1

problemtype:Authentication bypass by capture-replay (CWE-294) [NVD Evaluation]

Trust: 0.8

sources: VULHUB: VHN-165025 // JVNDB: JVNDB-2020-013433 // NVD: CVE-2020-12355

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-201911-1673

PATCH

title: INTEL-SA-00391
url: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00391

Trust: 0.8

title: Intel TXE Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=134984

Trust: 0.6

title: HP: HPSBHF03703 rev. 1 - Intel® 2020.2 IPU - CSME, SPS, TXE, AMT, and DAL Security Update
url: https://vulmon.com/vendoradvisory?qidtp=hp_bulletin&qid=HPSBHF03703

Trust: 0.1

sources: VULMON: CVE-2020-12355 // JVNDB: JVNDB-2020-013433 // CNNVD: CNNVD-201911-1673

EXTERNAL IDS

db: NVD
id: CVE-2020-12355

Trust: 2.6

db: CERT/CC
id: VU#231329

Trust: 1.4

db: JVN
id: JVNVU97690270

Trust: 0.8

db: JVN
id: JVNVU98002571

Trust: 0.8

db: JVNDB
id: JVNDB-2020-013433

Trust: 0.8

db: AUSCERT
id: ESB-2020.3958.2

Trust: 0.6

db: AUSCERT
id: ESB-2020.3958

Trust: 0.6

db: LENOVO
id: LEN-39432

Trust: 0.6

db: CNNVD
id: CNNVD-201911-1673

Trust: 0.6

db: VULHUB
id: VHN-165025

Trust: 0.1

db: VULMON
id: CVE-2020-12355

Trust: 0.1

sources: CERT/CC: VU#231329 // VULHUB: VHN-165025 // VULMON: CVE-2020-12355 // JVNDB: JVNDB-2020-013433 // CNNVD: CNNVD-201911-1673 // NVD: CVE-2020-12355

REFERENCES

url:https://security.netapp.com/advisory/ntap-20201113-0005/

Trust: 1.8

url:https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00391

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2020-12355

Trust: 1.4

url:https://www.westerndigital.com/support/productsecurity/wdc-20008-replay-attack-vulnerabilities-rpmb-protocol-applications

Trust: 0.8

url:https://documents.westerndigital.com/content/dam/doc-library/en_us/assets/public/western-digital/collateral/white-paper/white-paper-replay-protected-memory-block-protocol-vulernabilities.pdf

Trust: 0.8

url:https://documents.westerndigital.com/content/dam/doc-library/en_us/assets/public/western-digital/collateral/white-paper/white-paper-emmc-security.pdf

Trust: 0.8

url:https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00391.html

Trust: 0.8

url:https://jvn.jp/vu/jvnvu97690270/

Trust: 0.8

url:https://jvn.jp/vu/jvnvu98002571/

Trust: 0.8

url:https://www.kb.cert.org/vuls/id/231329

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.3958/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.3958.2/

Trust: 0.6

url:https://support.lenovo.com/us/en/product_security/len-39432

Trust: 0.6

url:https://vigilance.fr/vulnerability/intel-processors-multiple-vulnerabilities-via-csme-sps-txe-amt-dal-33887

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/294.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://support.hp.com/us-en/document/c06962103

Trust: 0.1

sources: CERT/CC: VU#231329 // VULHUB: VHN-165025 // VULMON: CVE-2020-12355 // JVNDB: JVNDB-2020-013433 // CNNVD: CNNVD-201911-1673 // NVD: CVE-2020-12355

CREDITS

Rotem Sela and Brian Mastenbrook of Western Digital identified this vulnerability. Western Digital coordinated its disclosure with the affected vendors. Thanks Western Digital PSIRT! This document was written by Eric Hatleback.

Trust: 0.8

sources: CERT/CC: VU#231329

SOURCES

db: CERT/CC
id: VU#231329

db: VULHUB
id: VHN-165025

db: VULMON
id: CVE-2020-12355

db: JVNDB
id: JVNDB-2020-013433

db: CNNVD
id: CNNVD-201911-1673

db: NVD
id: CVE-2020-12355

LAST UPDATE DATE

2024-11-23T19:38:07.591000+00:00


SOURCES UPDATE DATE

db: CERT/CC
id: VU#231329
date: 2020-11-16T00:00:00

db: VULHUB
id: VHN-165025
date: 2020-11-24T00:00:00

db: VULMON
id: CVE-2020-12355
date: 2020-11-24T00:00:00

db: JVNDB
id: JVNDB-2020-013433
date: 2021-07-06T04:56:00

db: CNNVD
id: CNNVD-201911-1673
date: 2021-01-04T00:00:00

db: NVD
id: CVE-2020-12355
date: 2024-11-21T04:59:33.877

SOURCES RELEASE DATE

db: CERT/CC
id: VU#231329
date: 2020-11-10T00:00:00

db: VULHUB
id: VHN-165025
date: 2020-11-12T00:00:00

db: VULMON
id: CVE-2020-12355
date: 2020-11-12T00:00:00

db: JVNDB
id: JVNDB-2020-013433
date: 2021-07-06T00:00:00

db: CNNVD
id: CNNVD-201911-1673
date: 2019-11-10T00:00:00

db: NVD
id: CVE-2020-12355
date: 2020-11-12T18:15:14.737