CVE-2023-37479

Name of the Vulnerable Software and Affected Versions Open Enclave versions prior to 0.19.3

Description The issue concerns two problems in the Open Enclave SDK. First, it does not properly sanitize the MXCSR register on enclave entry, making applications vulnerable to MXCSR Configuration Dependent Timing (MCDT) attacks. This could impact instruction retirement by at most one cycle, depending on the secret data operand value. Second, the SDK does not sanitize x86's alignment check flag RFLAGS.AC on enclave entry, allowing a side-channel attacker to be notified for every unaligned memory access performed by the enclave.

Recommendations For versions prior to 0.19.3, update to version 0.19.3 or later and recompile applications against the patched libraries to be protected from this issue. As a temporary workaround, consider restricting access to sensitive data and minimizing unaligned memory accesses until the update can be applied.