Vulnerability CVE-2019-18619
Published: 2020-07-22

Description:
Incorrect parameter validation in the synaTee component of Synaptics WBF drivers using an SGX enclave (all versions prior to 2019-11-15) allows a local user to execute arbitrary code in the enclave (that can compromise confidentiality of enclave data) via APIs that accept invalid pointers.

Type:

CWE-763

CVSS2 => (AV:L/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.6/10
6.4/10
3.9/10
Exploit range
Attack complexity
Authentication
Local
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

 References:
https://support.hp.com/hk-en/document/c06696568
https://support.lenovo.com/us/en/product_security/LEN-31372
https://www.synaptics.com/company/blog/
https://www.synaptics.com/sites/default/files/fingerprint-driver-SGX-security-brief-2020-07-14.pdf
https://www.syssec.wiwi.uni-due.de/en/research/research-projects/analysis-of-tee-software/
Copyright 2024, cxsecurity.com

 

Back to Top