Qinkun Bao

**Name of the Vulnerable Software and Affected Versions** Asylo versions up to 0.6.1 **Description** The issue allows an untrusted attacker to bypass validation by passing a syscall number in `MessageReader` that is then used by `sysno()`, potentially enabling the attacker to read memory from within the secure enclave. **Recommendations** Update to Asylo 0.6.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Asylo versions prior to 0.6.2 **Description** An attacker can modify the address to point to trusted memory to overwrite arbitrary trusted memory. **Recommendations** For Asylo versions prior to 0.6.2, update past 0.6.2 or apply the git commit https://github.com/google/asylo/commit/53ed5d8fd8118ced1466e509606dd2f473707a5c.

**Name of the Vulnerable Software and Affected Versions** Asylo versions prior to 0.6.3 **Description** An attacker can modify the pointers in enclave memory to overwrite arbitrary memory addresses within the secure enclave. **Recommendations** Update to a version past 0.6.3 or apply the changes from the git commit https://github.com/google/asylo/commit/a47ef55db2337d29de19c50cd29b0deb2871d31c to mitigate the issue.

**Name of the Vulnerable Software and Affected Versions** Asylo versions prior to 0.6.2 **Description** An attacker can change the pointer to untrusted memory to point to a trusted memory region, causing copying of trusted memory to trusted memory. If the latter is later copied out, it allows for reading of memory regions from the trusted region. **Recommendations** For Asylo versions prior to 0.6.2, update past 0.6.2 or apply the git commit https://github.com/google/asylo/commit/53ed5d8fd8118ced1466e509606dd2f473707a5c.

**Name of the Vulnerable Software and Affected Versions** Asylo versions up to 0.6.0 **Description** An arbitrary memory overwrite issue allows an attacker to make a host call to `FromkLinuxSockAddr` with attacker-controlled content and size of `klinux addr`, enabling the attacker to write memory values from within the enclave. **Recommendations** For Asylo versions up to 0.6.0, upgrade past commit a37fb6a0e7daf30134dbbf357c9a518a1026aa02 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Software (affected versions not specified) **Description** An out of bounds read on the `enc untrusted inet ntop` function allows an attack to extend the result size that is used by `memcpy()` to read memory from within the enclave heap. **Recommendations** Upgrade past commit 6ff3b77ffe110a33a2f93848a6333f33616f02c4 to resolve the issue. As a temporary workaround, consider restricting access to the `enc untrusted inet ntop` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Asylo versions up to 0.6.0 **Description** An arbitrary memory read issue allows an untrusted attacker to make a call to `enc untrusted inet pton` using an attacker-controlled `klinux addr buffer` parameter. The parameter size is unchecked, allowing the attacker to read memory locations outside of the intended buffer size, including memory addresses within the secure enclave. **Recommendations** For Asylo versions up to 0.6.0, upgrade past commit 8fed5e334131abaf9c5e17307642fbf6ce4a57ec to resolve the issue. As a temporary workaround, consider restricting access to the `enc untrusted inet pton` function and the `klinux addr buffer` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Asylo versions up to 0.6.0 **Description** The issue allows an untrusted attacker to make a call to `enc untrusted read` whose return size was not validated against the requested size. The `size` parameter is unchecked, allowing the attacker to read memory locations outside of the intended buffer size, including memory addresses within the secure enclave. **Recommendations** For Asylo versions up to 0.6.0, upgrade past commit b1d120a2c7d7446d2cc58d517e20a1b184b82200 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Asylo versions up to 0.6.0 **Description** The issue allows an untrusted attacker to make a call to `enc untrusted recvfrom` whose return size was not validated against the requested size. The `size` parameter is unchecked, allowing the attacker to read memory locations outside of the intended buffer size, including memory addresses within the secure enclave. **Recommendations** For Asylo versions up to 0.6.0, upgrade past commit 6e158d558abd3c29a0208e30c97c9a8c5bd4230f to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Asylo versions up to 0.6.0 **Description** An arbitrary memory write issue allows an untrusted attacker to make a call to `ecall restore()` using the attribute `output` which fails to check the range of a `pointer`. An attacker can use this `pointer` to write to arbitrary memory addresses, including those within the secure enclave. **Recommendations** For Asylo versions up to 0.6.0, upgrade past commit 382da2b8b09cbf928668a2445efb778f76bd9c8a. As a temporary workaround, consider restricting the use of the `ecall restore()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Asylo versions up to 0.6.0 **Description** An arbitrary memory read issue allows an untrusted attacker to make a call to `enc untrusted recvmsg` using an attacker-controlled `result` parameter. The `size` parameter is unchecked, allowing the attacker to read memory locations outside of the intended buffer size, including memory addresses within the secure enclave. **Recommendations** For Asylo versions up to 0.6.0, upgrade or apply changes past commit fa6485c5d16a7355eab047d4a44345a73bc9131e to resolve the issue. As a temporary workaround, consider restricting access to the `enc untrusted recvmsg` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Asylo versions up to 0.6.0 **Description** The issue allows an attacker to make an `Ecall restore` function call to reallocate untrusted code and overwrite sections of the Enclave memory address, due to an arbitrary memory overwrite. **Recommendations** Update the library to a version later than 0.6.0.

**Name of the Vulnerable Software and Affected Versions** Asylo versions up to 0.6.0 **Description** An arbitrary memory overwrite issue allows an attacker to make a host call to UntrustedCall. UntrustedCall failed to validate the buffer range within `sgx params` and allowed the host to return a pointer that was an address within the enclave memory. This allowed an attacker to read memory values from within the enclave. **Recommendations** For Asylo versions up to 0.6.0, update to a version later than 0.6.0 to resolve the issue. As a temporary workaround, consider restricting access to the UntrustedCall function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Asylo versions up to 0.6.0 **Description** An arbitrary memory overwrite issue allows an attacker to make a host call to `enc untrusted create wait queue` that uses a pointer queue relying on `UntrustedLocalMemcpy`, which fails to validate the pointer location. This enables an attacker to write memory values from within the enclave. **Recommendations** For Asylo versions up to 0.6.0, upgrade past commit a37fb6a0e7daf30134dbbf357c9a518a1026aa02 to resolve the issue. As a temporary workaround, consider restricting access to the `enc untrusted create wait queue` function and the `UntrustedLocalMemcpy` until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Open Enclave versions prior to 0.12.0 **Description** An information disclosure issue exists when an enclave application using the syscalls provided by the `sockets.edl` is loaded by a malicious host application. This could allow an attacker to read privileged data from the enclave heap across trust boundaries. To exploit this, an attacker would have to log on to an affected system and run a specially crafted application. The issue does not allow an attacker to elevate user rights directly but could be used to obtain confidential information in an enclave, potentially used in further compromises. **Recommendations** For versions prior to 0.12.0, users need to recompile their applications against the patched libraries to be protected from this issue. As a temporary workaround, consider restricting the use of the `sockets.edl` syscalls in enclave applications until the patched libraries are applied.

**Name of the Vulnerable Software and Affected Versions** Asylo versions prior to 0.6.0 **Description** A buffer length validation issue allows an attacker to read unauthorized data. The `enc untrusted recvfrom` function generates a return value deserialized by `MessageReader` and copied into three `extents`. The length of the third `extents` is controlled by external input and not verified on copy, enabling the attacker to force Asylo to copy trusted memory data into a small untrusted buffer. **Recommendations** Update Asylo to version 0.6.0 or later.

**Name of the Vulnerable Software and Affected Versions** Asylo versions prior to 0.6.0 **Description** The issue is related to an arbitrary memory overwrite in the trusted memory of Asylo. It occurs because the `ecall restore` function does not properly validate the range of the `output len` pointer, allowing an attacker to manipulate the `tmp output len` value and write to any location in the trusted memory. **Recommendations** Update Asylo to version 0.6.0 or later.