Executive Summary
Summary | |
---|---|
Title | Replay Protected Memory Block (RPMB) protocol does not adequately defend against replay attacks |
Informations | |||
---|---|---|---|
Name | VU#231329 | First vendor Publication | 2020-11-10 |
Vendor | VU-CERT | Last vendor Modification | 2020-11-16 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | |||
---|---|---|---|
Overall CVSS Score | 6.8 | ||
Base Score | 6.8 | Environmental Score | 6.8 |
impact SubScore | 5.9 | Temporal Score | 6.8 |
Exploitabality Sub Score | 0.9 | ||
Attack Vector | Physical | Attack Complexity | Low |
Privileges Required | None | User Interaction | None |
Scope | Unchanged | Confidentiality Impact | High |
Integrity Impact | High | Availability Impact | High |
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:L/AC:L/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 4.6 | Attack Range | Local |
Cvss Impact Score | 6.4 | Attack Complexity | Low |
Cvss Expoit Score | 3.9 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
OverviewThe Replay Protected Memory Block (RPMB) protocol found in several storage specifications does not securely protect against replay attacks. An attacker with physical access can deceive a trusted component about the status of an RPBM write command or the content of an RPMB area. DescriptionThe RPMB protocol "...enables a device to store data in a small, specific area that is authenticated and protected against replay attack." RPMB is most commonly found in mobile phones and tablets using flash storage technology such as eMMC, UFS, and NVMe. The RPMB protocol allows an attacker to replay stale write failure messages and write commands, leading to state confusion between a trusted component and the contents of an RPMB area. Additional details are available in Replay Attack Vulnerabilities in RPMB Protocol Applications. ImpactAn attacker with physical access to a device can cause a mismatch between the write state or contents of the RPMB area and a trusted component of the device. These mismatches can lead to the trusted component believing a write command failed when in fact it succeeded, or the trusted component believing that certain content was written when in fact different content (unmodified by the attacker) was written. Further implications depend on the specific device and use of RPMB. At least one affected vendor has confirmed that denial of service SolutionPlease see the Vendor Information section below. Further vendor information is available in Replay Attack Vulnerabilities in RPMB Protocol Applications. AcknowledgementsRotem Sela and Brian Mastenbrook of Western Digital identified this vulnerability. Western Digital coordinated its disclosure with the affected vendors. Thanks Western Digital PSIRT! This document was written by Eric Hatleback. |
Original Source
Url : https://kb.cert.org/vuls/id/231329 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-294 | Authentication Bypass by Capture-replay |
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Os | 1 |
Alert History
Date | Informations |
---|---|
2021-04-10 00:29:23 |
|
2021-04-09 21:29:50 |
|
2021-04-09 21:18:05 |
|
2021-03-26 17:29:10 |
|
2021-03-26 13:29:30 |
|
2021-03-26 13:17:55 |
|
2021-01-20 00:28:55 |
|
2021-01-19 21:29:33 |
|
2021-01-19 21:18:04 |
|
2020-11-25 00:28:42 |
|
2020-11-16 21:29:25 |
|
2020-11-16 21:17:57 |
|
2020-11-13 21:29:11 |
|
2020-11-13 21:17:56 |
|
2020-11-11 00:17:33 |
|