Replay Attack Vulnerabilities in RPMB Protocol Applications [CVE-2020-13799]

Western Digital has identified a security vulnerability in the Replay Protected Memory Block (RPMB) protocol as specified in multiple standards for storage device interfaces, including eMMC, UFS, and NVMe. The RPMB protocol is specified by industry standards bodies and is implemented by storage devices from multiple vendors to assist host systems in securing trusted firmware. Several scenarios have been identified in which the RPMB state may be affected by an attacker without the knowledge of the trusted component that uses the RPMB feature.

The RPMB feature is frequently used in embedded systems such as phones and tablets as part of their overall security architecture. The impact of these vulnerabilities will depend on how hosts use the RPMB feature, and affected hosts may address these vulnerabilities by incorporating specific mitigations into their initialization and error-handling routines. Western Digital has provided details of the vulnerability to multiple vendors of host processors and software solutions and is publishing this bulletin as part of an industry-wide coordinated vulnerability disclosure process to promote security in embedded storage applications.

Update Availability/Remediation

Updates should be provided by vendors of host systems which rely on the RPMB feature as part of their security architecture. Affected product vendors should reach out to the provider of their host processor or Trusted Execution Environment (TEE) software for details on remediation status. Where available, we have listed the status from specific vendors below.

Intel
Intel has assigned CVE-2020-12355 for this vulnerability, and details will be made available in advisory INTEL-SA-00391.

Google
Google has assigned CVE-2020-0436 for this vulnerability.

MediaTek
For TEE solutions on MediaTek chipsets, please contact MediaTek directly for additional information and remediation steps.

Advisory Summary

The RPMB protocol fails to ensure freshness of write requests and responses. Architectures that rely on the RPMB to prevent less-trusted components or physical attackers from mutating the state of the RPMB may be vulnerable to attack through one or more scenarios. This includes, but is not limited to, architectures that specifically grant an untrusted component the ability to interfere with, prevent, or replay the execution of RPMB commands, such as architectures that rely on an untrusted operating system to execute RPMB operations on behalf of a Trusted Execution Environment (TEE). Additionally, architectures that rely on the Secure Write Protect Configuration feature present in some devices may also be vulnerable to attack through a failure to open or close write-protected regions when intended by the host. Details of these scenarios and suggested mitigations are available in a whitepaper from Western Digital.

CVE Number: CVE-2020-13799
Reported by: Rotem Sela and Brian Mastenbrook, Western Digital