CVE-2020-15224

Name of the Vulnerable Software and Affected Versions Open Enclave versions prior to 0.12.0

Description An information disclosure issue exists when an enclave application using the syscalls provided by the sockets.edl is loaded by a malicious host application. This could allow an attacker to read privileged data from the enclave heap across trust boundaries. To exploit this, an attacker would have to log on to an affected system and run a specially crafted application. The issue does not allow an attacker to elevate user rights directly but could be used to obtain confidential information in an enclave, potentially used in further compromises.

Recommendations For versions prior to 0.12.0, users need to recompile their applications against the patched libraries to be protected from this issue. As a temporary workaround, consider restricting the use of the sockets.edl syscalls in enclave applications until the patched libraries are applied.