Home > Vulnerability Database > CVE-2020-8918

Mend.io Vulnerability Database

CVE-2020-8918

Good to know:

Date: August 18, 2020

An improperly initialized 'migrationAuth' value in Google's go-tpm TPM1.2 library versions prior to 0.3.0 can lead an eavesdropping attacker to discover the auth value for a key created with CreateWrapKey. An attacker listening in on the channel can collect both 'encUsageAuth' and 'encMigrationAuth', and then can calculate 'usageAuth ^ encMigrationAuth' as the 'migrationAuth' can be guessed for all keys created with CreateWrapKey. TPM2.0 is not impacted by this. We recommend updating your library to 0.3.0 or later, or, if you cannot update, to call CreateWrapKey with a random 20-byte value for 'migrationAuth'.

Language: Go

Severity Score

7.1

Related Resources (3)

Url: https://nvd.nist.gov/vuln/detail/CVE-2020-8918

Url: https://github.com/google/go-tpm/security/advisories/GHSA-5x29-3hr9-6wpw

Url: https://www.mend.io/vulnerability-database/CVE-2020-8918

Severity Score

7.1

Weakness Type (CWE)

Improper Initialization

CWE-665

Top Fix

Upgrade Version

Upgrade to version 0.3.0

Learn More

CVSS v3.1

Base Score:	7.1
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

CVSS v2

Base Score:	3.6
Access Vector (AV):	LOCAL
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2020-8918

Good to know:

Date: August 18, 2020

Language: Go

Severity Score

Related Resources (3)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?