
Improper sanitization of MXCSR and RFLAGS

Moderate
radhikaj published GHSA-5gfr-m6mx-p5w4 Jul 17, 2023

Package

No package listed

Affected versions

< 0.19.3

Patched versions

0.19.3

Description

Impact

Two issues are mitigated in v0.19.3:

  1. Open Enclave SDK does not sanitize the MXCSR register on enclave entry, so the enclave runs with whatever MXCSR configuration the untrusted host set before entering it. This exposes enclave code to MXCSR Configuration Dependent Timing (MCDT) attacks: under a non-default MXCSR configuration, retirement of certain instructions can be delayed by at most one cycle depending on the (secret) data operand value, which turns otherwise constant-time code into a timing side channel. Please find more details in Intel's related guidance on MCDT.

  2. Open Enclave SDK does not sanitize x86's alignment-check flag RFLAGS.AC on enclave entry. Enclaves execute at CPL 3, so if the host enters with AC set (and CR0.AM enabled, which the attacker-controlled OS can arrange), every unaligned memory access performed by the enclave raises an alignment-check exception (#AC) that is delivered to the untrusted OS. A side-channel attacker is thereby notified of every unaligned memory access the enclave performs.
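
The following is an added example and not Open Enclave's own entry code (the real fix lives in the SDK's assembly entry stub, which runs before any C code). It shows, in user-space C on x86-64 Linux, what a sanitizing entry stub must do for both registers and why it matters: an untrusted "host" poisons MXCSR and RFLAGS.AC, enters a victim function that performs one unaligned load, and counts the alignment faults it observes through a SIGBUS handler (Linux's delivery of #AC), with and without sanitization. Assumptions made here: 0x1F80, the architectural reset value of MXCSR, is used as the known-good value to load; FTZ stands in for any attacker-chosen non-default MXCSR configuration (the MCDT timing effect itself is not measured); the glibc x86-64 signal ABI (`uc_mcontext.gregs[REG_EFL]`) is used to clear AC in the interrupted context so the faulting access is retried, mirroring an AEX/ERESUME round trip; and the enclave is simulated by an ordinary function, not an SGX enclave.

```c
#define _GNU_SOURCE           /* REG_EFL / gregs in <ucontext.h> on glibc */
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <ucontext.h>

#if !defined(__x86_64__)
#error "x86-64 only: uses pushfq/popfq, stmxcsr/ldmxcsr and the Linux x86-64 signal ABI"
#endif

#define RFLAGS_AC      (1ULL << 18)  /* alignment-check flag, bit 18 of RFLAGS */
#define MXCSR_DEFAULT  0x1F80u       /* architectural reset value of MXCSR; assumed known-good here */
#define MXCSR_FTZ      (1u << 15)    /* flush-to-zero: stands in for an attacker-chosen non-default config */
#ifndef REG_EFL
#define REG_EFL 17                   /* index of RFLAGS in uc_mcontext.gregs[] on x86-64 glibc */
#endif

static uint64_t read_rflags(void)
{
    uint64_t f;
    __asm__ volatile("pushfq\n\tpopq %0" : "=r"(f) : : "memory");
    return f;
}

static void write_rflags(uint64_t f)
{
    /* At CPL 3, popfq may change AC (unlike IF/IOPL), which is why the host can poison it. */
    __asm__ volatile("pushq %0\n\tpopfq" : : "r"(f) : "memory", "cc");
}

static uint32_t read_mxcsr(void)
{
    uint32_t v;
    __asm__ volatile("stmxcsr %0" : "=m"(v));
    return v;
}

static void write_mxcsr(uint32_t v)
{
    __asm__ volatile("ldmxcsr %0" : : "m"(v));
}

/* What a hardened entry stub must do before any enclave code runs:
 * drop the host-controlled AC flag and load a known-good MXCSR. */
static void sanitize_entry_registers(void)
{
    write_rflags(read_rflags() & ~RFLAGS_AC);
    write_mxcsr(MXCSR_DEFAULT);
}

/* Host side: the untrusted OS receives every #AC the enclave raises (SIGBUS on Linux).
 * Count it, then clear AC in the interrupted context so the access is retried and the
 * "enclave" continues, as it would after AEX/ERESUME. */
static volatile sig_atomic_t ac_observed;

static void on_sigbus(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)si;
    ucontext_t *uc = (ucontext_t *)ctx;
    ac_observed++;
    uc->uc_mcontext.gregs[REG_EFL] &= ~(greg_t)RFLAGS_AC;
}

/* Victim ("enclave") code: one unaligned 32-bit load. Harmless normally, but with
 * AC=1 at CPL 3 it faults, and that fault is exactly what the attacker observes. */
static uint32_t enclave_body(void)
{
    static unsigned char buf[8] __attribute__((aligned(8))) = {1, 2, 3, 4, 5, 6, 7, 8};
    volatile uint32_t *unaligned = (volatile uint32_t *)(buf + 1);  /* address is 1 mod 4 */
    return *unaligned;
}

/* Simulated enclave entry. The host poisons MXCSR and RFLAGS.AC as it can before EENTER,
 * then enters with or without sanitization. Returns the number of alignment faults the
 * host observed; *mxcsr_seen is the MXCSR configuration the enclave actually ran with. */
static int enter_enclave(int sanitize, uint32_t *mxcsr_seen)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_sigbus;
    sa.sa_flags = SA_SIGINFO;
    sigaction(SIGBUS, &sa, NULL);
    ac_observed = 0;

    write_mxcsr(MXCSR_DEFAULT | MXCSR_FTZ);    /* host-chosen, non-default MXCSR */
    write_rflags(read_rflags() | RFLAGS_AC);   /* host-chosen AC=1; only aligned accesses below */
    if (sanitize)
        sanitize_entry_registers();
    (void)enclave_body();
    *mxcsr_seen = read_mxcsr();

    write_rflags(read_rflags() & ~RFLAGS_AC);  /* restore sane host state */
    write_mxcsr(MXCSR_DEFAULT);
    return (int)ac_observed;
}

int main(void)
{
    uint32_t m;
    int n = enter_enclave(0, &m);
    printf("unsanitized entry: %d alignment fault(s) observed, MXCSR=0x%04X\n", n, m);
    n = enter_enclave(1, &m);
    printf("sanitized entry:   %d alignment fault(s) observed, MXCSR=0x%04X\n", n, m);
    return 0;
}
```

Build with `gcc -O2 entry_sanitize.c -o entry_sanitize` and run it natively (an emulator that does not implement #AC will report zero faults in both cases). The unsanitized entry reports one fault and a MXCSR of 0x9F80; the sanitized entry reports none and 0x1F80. Note that the window between setting AC and clearing it must not execute any code that touches unaligned memory (including libc routines), which is also why a real entry stub sanitizes these registers in assembly before calling into any C code.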

Patches

The issue has been addressed in version 0.19.3 and the current master branch. Because the fix is in the enclave entry code that is linked into each enclave, users will need to recompile their applications against the patched libraries to be protected from this vulnerability.

Workarounds

No workarounds have been identified for this vulnerability.

Acknowledgements

Jo Van Bulck (imec-DistriNet, KU Leuven)
Fritz Alder (imec-DistriNet, KU Leuven)
Lesly-Ann Daniel (imec-DistriNet, KU Leuven)
David Oswald (The University of Birmingham, UK)
Frank Piessens (imec-DistriNet, KU Leuven)


Severity

Moderate

CVE ID

CVE-2023-37479

Weaknesses

No CWEs