CVE-2020-8918: Improper Initialization

August 11, 2020 (updated August 18, 2020)

An improperly initialized migrationAuth' value in Google's go-tpm library can lead an eavesdropping attacker to discover the authvalue for a key created with CreateWrapKey. An attacker listening in on the channel can collect bothencUsageAuthandencMigrationAuth, and then can calculate usageAuth ^ encMigrationAuthas themigrationAuthcan be guessed for all keys created withCreateWrapKey`.

References

nvd.nist.gov/vuln/detail/CVE-2020-8918

Code Behaviors & Features

Detect and mitigate CVE-2020-8918 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →