var-202011-0143
Vulnerability from variot
Authentication bypass by capture-replay in RPMB protocol message authentication subsystem in Intel(R) TXE versions before 4.0.30 may allow an unauthenticated user to potentially enable escalation of privilege via physical access. The Replay Protected Memory Block (RPMB) protocol found in several storage specifications does not securely protect against replay attacks. An attacker with physical access can deceive a trusted component about the status of an RPBM write command or the content of an RPMB area. The RPMB protocol "...enables a device to store data in a small, specific area that is authenticated and protected against replay attack." RPMB is most commonly found in mobile phones and tablets using flash storage technology such as eMMC, UFS, and NVMe. The RPMB protocol allows an attacker to replay stale write failure messages and write commands, leading to state confusion between a trusted component and the contents of an RPMB area. Additional details are available in Replay Attack Vulnerabilities in RPMB Protocol Applications. An attacker with physical access to a device can cause a mismatch between the write state or contents of the RPMB area and a trusted component of the device. These mismatches can lead to the trusted component believing a write command failed when in fact it succeeded, or the trusted component believing that certain content was written when in fact different content (unmodified by the attacker) was written. Further implications depend on the specific device and use of RPMB. At least one affected vendor has confirmed that denial of service . Intel(R) TXE Has Capture-replay An authentication bypass vulnerability exists.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202011-0143",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "trusted execution engine",
"scope": "lt",
"trust": 1.0,
"vendor": "intel",
"version": "4.0.30"
},
{
"model": "intel trusted execution engine",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30a4\u30f3\u30c6\u30eb",
"version": null
},
{
"model": "intel trusted execution engine",
"scope": "eq",
"trust": 0.8,
"vendor": "\u30a4\u30f3\u30c6\u30eb",
"version": "4.0.30"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-013433"
},
{
"db": "NVD",
"id": "CVE-2020-12355"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Rotem Sela and Brian Mastenbrook of Western Digital identified this vulnerability. Western Digital coordinated its disclosure with the affected vendors. Thanks Western Digital PSIRT! This document was written by Eric Hatleback. ",
"sources": [
{
"db": "CERT/CC",
"id": "VU#231329"
}
],
"trust": 0.8
},
"cve": "CVE-2020-12355",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 4.6,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 3.9,
"id": "CVE-2020-12355",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 1.9,
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 4.6,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 3.9,
"id": "VHN-165025",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:L/AC:L/AU:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 0.9,
"id": "CVE-2020-12355",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Physical",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 6.8,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2020-12355",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2020-12355",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "CVE-2020-12355",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNNVD",
"id": "CNNVD-201911-1673",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-165025",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2020-12355",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-165025"
},
{
"db": "VULMON",
"id": "CVE-2020-12355"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-013433"
},
{
"db": "CNNVD",
"id": "CNNVD-201911-1673"
},
{
"db": "NVD",
"id": "CVE-2020-12355"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Authentication bypass by capture-replay in RPMB protocol message authentication subsystem in Intel(R) TXE versions before 4.0.30 may allow an unauthenticated user to potentially enable escalation of privilege via physical access. The Replay Protected Memory Block (RPMB) protocol found in several storage specifications does not securely protect against replay attacks. An attacker with physical access can deceive a trusted component about the status of an RPBM write command or the content of an RPMB area. The RPMB protocol \"...enables a device to store data in a small, specific area that is authenticated and protected against replay attack.\" RPMB is most commonly found in mobile phones and tablets using flash storage technology such as eMMC, UFS, and NVMe. The RPMB protocol allows an attacker to replay stale write failure messages and write commands, leading to state confusion between a trusted component and the contents of an RPMB area. Additional details are available in Replay Attack Vulnerabilities in RPMB Protocol Applications. An attacker with physical access to a device can cause a mismatch between the write state or contents of the RPMB area and a trusted component of the device. These mismatches can lead to the trusted component believing a write command failed when in fact it succeeded, or the trusted component believing that certain content was written when in fact different content (unmodified by the attacker) was written. Further implications depend on the specific device and use of RPMB. At least one affected vendor has confirmed that denial of service . Intel(R) TXE Has Capture-replay An authentication bypass vulnerability exists.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state",
"sources": [
{
"db": "NVD",
"id": "CVE-2020-12355"
},
{
"db": "CERT/CC",
"id": "VU#231329"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-013433"
},
{
"db": "VULHUB",
"id": "VHN-165025"
},
{
"db": "VULMON",
"id": "CVE-2020-12355"
}
],
"trust": 2.52
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2020-12355",
"trust": 2.6
},
{
"db": "CERT/CC",
"id": "VU#231329",
"trust": 1.4
},
{
"db": "JVN",
"id": "JVNVU97690270",
"trust": 0.8
},
{
"db": "JVN",
"id": "JVNVU98002571",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2020-013433",
"trust": 0.8
},
{
"db": "AUSCERT",
"id": "ESB-2020.3958.2",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.3958",
"trust": 0.6
},
{
"db": "LENOVO",
"id": "LEN-39432",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-201911-1673",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-165025",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2020-12355",
"trust": 0.1
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#231329"
},
{
"db": "VULHUB",
"id": "VHN-165025"
},
{
"db": "VULMON",
"id": "CVE-2020-12355"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-013433"
},
{
"db": "CNNVD",
"id": "CNNVD-201911-1673"
},
{
"db": "NVD",
"id": "CVE-2020-12355"
}
]
},
"id": "VAR-202011-0143",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-165025"
}
],
"trust": 0.01
},
"last_update_date": "2024-11-23T19:38:07.591000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "INTEL-SA-00391",
"trust": 0.8,
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00391"
},
{
"title": "Intel TXE Security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=134984"
},
{
"title": "HP: HPSBHF03703 rev. 1 - Intel\u00ae 2020.2 IPU - CSME, SPS, TXE, AMT, and DAL Security Update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=hp_bulletin\u0026qid=HPSBHF03703"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2020-12355"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-013433"
},
{
"db": "CNNVD",
"id": "CNNVD-201911-1673"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-294",
"trust": 1.1
},
{
"problemtype": "Capture-replay Authentication bypass by (CWE-294) [NVD Evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-165025"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-013433"
},
{
"db": "NVD",
"id": "CVE-2020-12355"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.8,
"url": "https://security.netapp.com/advisory/ntap-20201113-0005/"
},
{
"trust": 1.8,
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00391"
},
{
"trust": 1.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-12355"
},
{
"trust": 0.8,
"url": "https://www.westerndigital.com/support/productsecurity/wdc-20008-replay-attack-vulnerabilities-rpmb-protocol-applications"
},
{
"trust": 0.8,
"url": "https://documents.westerndigital.com/content/dam/doc-library/en_us/assets/public/western-digital/collateral/white-paper/white-paper-replay-protected-memory-block-protocol-vulernabilities.pdf"
},
{
"trust": 0.8,
"url": "https://documents.westerndigital.com/content/dam/doc-library/en_us/assets/public/western-digital/collateral/white-paper/white-paper-emmc-security.pdf"
},
{
"trust": 0.8,
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00391.html"
},
{
"trust": 0.8,
"url": "https://jvn.jp/vu/jvnvu97690270/"
},
{
"trust": 0.8,
"url": "https://jvn.jp/vu/jvnvu98002571/"
},
{
"trust": 0.6,
"url": "https://www.kb.cert.org/vuls/id/231329"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.3958/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.3958.2/"
},
{
"trust": 0.6,
"url": "https://support.lenovo.com/us/en/product_security/len-39432"
},
{
"trust": 0.6,
"url": "https://vigilance.fr/vulnerability/intel-processors-multiple-vulnerabilities-via-csme-sps-txe-amt-dal-33887"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/294.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://support.hp.com/us-en/document/c06962103"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#231329"
},
{
"db": "VULHUB",
"id": "VHN-165025"
},
{
"db": "VULMON",
"id": "CVE-2020-12355"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-013433"
},
{
"db": "CNNVD",
"id": "CNNVD-201911-1673"
},
{
"db": "NVD",
"id": "CVE-2020-12355"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CERT/CC",
"id": "VU#231329"
},
{
"db": "VULHUB",
"id": "VHN-165025"
},
{
"db": "VULMON",
"id": "CVE-2020-12355"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-013433"
},
{
"db": "CNNVD",
"id": "CNNVD-201911-1673"
},
{
"db": "NVD",
"id": "CVE-2020-12355"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-11-10T00:00:00",
"db": "CERT/CC",
"id": "VU#231329"
},
{
"date": "2020-11-12T00:00:00",
"db": "VULHUB",
"id": "VHN-165025"
},
{
"date": "2020-11-12T00:00:00",
"db": "VULMON",
"id": "CVE-2020-12355"
},
{
"date": "2021-07-06T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2020-013433"
},
{
"date": "2019-11-10T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201911-1673"
},
{
"date": "2020-11-12T18:15:14.737000",
"db": "NVD",
"id": "CVE-2020-12355"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-11-16T00:00:00",
"db": "CERT/CC",
"id": "VU#231329"
},
{
"date": "2020-11-24T00:00:00",
"db": "VULHUB",
"id": "VHN-165025"
},
{
"date": "2020-11-24T00:00:00",
"db": "VULMON",
"id": "CVE-2020-12355"
},
{
"date": "2021-07-06T04:56:00",
"db": "JVNDB",
"id": "JVNDB-2020-013433"
},
{
"date": "2021-01-04T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201911-1673"
},
{
"date": "2024-11-21T04:59:33.877000",
"db": "NVD",
"id": "CVE-2020-12355"
}
]
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Replay Protected Memory Block (RPMB) protocol does not adequately defend against replay attacks",
"sources": [
{
"db": "CERT/CC",
"id": "VU#231329"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "other",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201911-1673"
}
],
"trust": 0.6
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…