Summary
The ART (Attestation Results Token) token, generated by AS, could be manipulated by MITM attacker, but the verifier (CoCo Verification Demander like KBS) could still verify it successfully.
Details
In the payload of ART token, the ‘jwk’ could be replaced by attacker with his own pub key. Then attacker can use his own corresponding private key to sign the crafted ART token. Based on current code implementation (v0.8.0), such replacement and modification can not be detected.
See more details as shown with pictures in last section below.
PoC
No PoC exploit at this moment
Impact
It can impact the integrity of ART token, and hence all the contents of its payload (see blow), which could be modified without detection.
"iss": $issuer_name,
"jwk": $public_key,
"exp": $expire_timestamp,
"nbf": $notbefore_timestamp,
"tee-pubkey": $pubkey,
"tcb-status": $parsed_evidence,
"evaluation-report": $report
If "tee-pubkey" might be used to encrypt other secrets or wrapper other keys (e.g. to setup a secure channel in between TEE/enclave and reply party, then as a consequence, the confidentiality would also be compromised as well.
There may have other consequences but just depending on how to use those fields of payload above after successful authentication of ART token.
Notes
- The initial CVSS(3.1) scoring has been done, we can discuss it further if an adjustment is needed.
Further details
See the attached slides (Github doesn't support uploading pptx files, so I converted the slides to SVG files below for each page).
Summary
The ART (Attestation Results Token) token, generated by AS, could be manipulated by MITM attacker, but the verifier (CoCo Verification Demander like KBS) could still verify it successfully.
Details
In the payload of ART token, the ‘jwk’ could be replaced by attacker with his own pub key. Then attacker can use his own corresponding private key to sign the crafted ART token. Based on current code implementation (v0.8.0), such replacement and modification can not be detected.
See more details as shown with pictures in last section below.
PoC
No PoC exploit at this moment
Impact
It can impact the integrity of ART token, and hence all the contents of its payload (see blow), which could be modified without detection.
If "tee-pubkey" might be used to encrypt other secrets or wrapper other keys (e.g. to setup a secure channel in between TEE/enclave and reply party, then as a consequence, the confidentiality would also be compromised as well.
There may have other consequences but just depending on how to use those fields of payload above after successful authentication of ART token.
Notes
Further details
See the attached slides (Github doesn't support uploading pptx files, so I converted the slides to SVG files below for each page).
