Missing Cryptographic Step

CVE-2020-10702

Medium

5.5/10

Summary

A flaw was found in QEMU in the implementation of the Pointer Authentication (PAuth) support for ARM introduced in version 4.0 and fixed in version 5.0.0. A general failure of the signature generation process caused every PAuth-enforced pointer to be signed with the same signature. A local attacker could obtain the signature of a protected pointer and abuse this flaw to bypass PAuth protection for all programs running on QEMU.

Attack Complexity: LOW
Attack Vector: LOCAL
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: LOW
Confidentiality Impact: HIGH
Availability Impact: NONE

CWE-325 - Missing Cryptographic Step

The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.

References

Advisory Timeline

Published Jun 04, 2020

Missing Cryptographic Step

CVE-2020-10702

Summary

CWE-325 - Missing Cryptographic Step

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS