{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/231329#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nThe Replay Protected Memory Block (RPMB) protocol found in several storage specifications does not securely protect against replay attacks. An attacker with physical access can deceive a trusted component about the status of an RPBM write command or the content of an RPMB area.\r\n\r\n### Description\r\nThe [RPMB](https://documents.westerndigital.com/content/dam/doc-library/en_us/assets/public/western-digital/collateral/white-paper/white-paper-emmc-security.pdf) protocol \"...enables a device to store data in a small, specific area that is authenticated and protected against replay attack.\" RPMB is most commonly found in mobile phones and tablets using flash storage technology such as eMMC, UFS, and NVMe.  The RPMB protocol allows an attacker to replay stale write failure messages and write commands, leading to state confusion between a trusted component and the contents of an RPMB area. Additional details are available in [Replay Attack Vulnerabilities in RPMB Protocol Applications](https://www.westerndigital.com/support/productsecurity/wdc-20008-replay-attack-vulnerabilities-rpmb-protocol-applications).\r\n\r\n### Impact\r\nAn attacker with physical access to a device can cause a mismatch between the write state or contents of the RPMB area and a trusted component of the device. These mismatches can lead to the trusted component believing a write command failed when in fact it succeeded, or the trusted component believing that certain content was written when in fact different content (unmodified by the attacker) was written. Further implications depend on the specific device and use of RPMB. At least one affected vendor has confirmed that denial of service\r\n\r\n### Solution\r\nPlease see the Vendor Information section below. Further vendor information is available in [Replay Attack Vulnerabilities in RPMB Protocol Applications](https://www.westerndigital.com/support/productsecurity/wdc-20008-replay-attack-vulnerabilities-rpmb-protocol-applications).\r\n\r\n### Acknowledgements\r\nRotem Sela and Brian Mastenbrook of Western Digital identified this vulnerability. Western Digital coordinated its disclosure with the affected vendors. Thanks [Western Digital PSIRT](https://www.westerndigital.com/support/productsecurity)!\r\n\r\nThis document was written by Eric Hatleback.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/231329"},{"url":"https://www.westerndigital.com/support/productsecurity/wdc-20008-replay-attack-vulnerabilities-rpmb-protocol-applications","summary":"https://www.westerndigital.com/support/productsecurity/wdc-20008-replay-attack-vulnerabilities-rpmb-protocol-applications"},{"url":"https://documents.westerndigital.com/content/dam/doc-library/en_us/assets/public/western-digital/collateral/white-paper/white-paper-replay-protected-memory-block-protocol-vulernabilities.pdf","summary":"https://documents.westerndigital.com/content/dam/doc-library/en_us/assets/public/western-digital/collateral/white-paper/white-paper-replay-protected-memory-block-protocol-vulernabilities.pdf"},{"url":"https://documents.westerndigital.com/content/dam/doc-library/en_us/assets/public/western-digital/collateral/white-paper/white-paper-emmc-security.pdf","summary":"https://documents.westerndigital.com/content/dam/doc-library/en_us/assets/public/western-digital/collateral/white-paper/white-paper-emmc-security.pdf"},{"url":"https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00391.html","summary":"https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00391.html"}],"title":"Replay Protected Memory Block (RPMB) protocol does not adequately defend against replay attacks","tracking":{"current_release_date":"2020-11-16T19:08:09+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#231329","initial_release_date":"2020-11-10 21:39:26.335054+00:00","revision_history":[{"date":"2020-11-16T19:08:09+00:00","number":"1.20201116190809.3","summary":"Released on 2020-11-16T19:08:09+00:00"}],"status":"final","version":"1.20201116190809.3"}},"vulnerabilities":[{"title":"Intel's CVE.","notes":[{"category":"summary","text":"Intel's CVE."}],"cve":"CVE-2020-12355","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#231329"}],"product_status":{"known_affected":["CSAFPID-1d20cce8-39ef-11f1-8422-122e2785dc9f"],"known_not_affected":["CSAFPID-1d200fba-39ef-11f1-8422-122e2785dc9f","CSAFPID-1d2050ba-39ef-11f1-8422-122e2785dc9f","CSAFPID-1d20914c-39ef-11f1-8422-122e2785dc9f"]}},{"title":"Google's CVE.","notes":[{"category":"summary","text":"Google's CVE."}],"cve":"CVE-2020-0436","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#231329"}],"product_status":{"known_affected":["CSAFPID-1d21e27c-39ef-11f1-8422-122e2785dc9f"],"known_not_affected":["CSAFPID-1d2152bc-39ef-11f1-8422-122e2785dc9f","CSAFPID-1d218a16-39ef-11f1-8422-122e2785dc9f","CSAFPID-1d2215a8-39ef-11f1-8422-122e2785dc9f"]}},{"title":"Western Digital's CVE for the issue.","notes":[{"category":"summary","text":"Western Digital's CVE for the issue."}],"cve":"CVE-2020-13799","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#231329"}],"product_status":{"known_affected":["CSAFPID-1d22b986-39ef-11f1-8422-122e2785dc9f"],"known_not_affected":["CSAFPID-1d227d72-39ef-11f1-8422-122e2785dc9f","CSAFPID-1d22e294-39ef-11f1-8422-122e2785dc9f","CSAFPID-1d231a34-39ef-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"Western Digital Technologies","product":{"name":"Western Digital Technologies Products","product_id":"CSAFPID-1d200fba-39ef-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"MediaTek","product":{"name":"MediaTek Products","product_id":"CSAFPID-1d2050ba-39ef-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Google","product":{"name":"Google Products","product_id":"CSAFPID-1d20914c-39ef-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Intel","product":{"name":"Intel Products","product_id":"CSAFPID-1d20cce8-39ef-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Western Digital Technologies","product":{"name":"Western Digital Technologies Products","product_id":"CSAFPID-1d2152bc-39ef-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"MediaTek","product":{"name":"MediaTek Products","product_id":"CSAFPID-1d218a16-39ef-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Google","product":{"name":"Google Products","product_id":"CSAFPID-1d21e27c-39ef-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Intel","product":{"name":"Intel Products","product_id":"CSAFPID-1d2215a8-39ef-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Western Digital Technologies","product":{"name":"Western Digital Technologies Products","product_id":"CSAFPID-1d227d72-39ef-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"MediaTek","product":{"name":"MediaTek Products","product_id":"CSAFPID-1d22b986-39ef-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Google","product":{"name":"Google Products","product_id":"CSAFPID-1d22e294-39ef-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Intel","product":{"name":"Intel Products","product_id":"CSAFPID-1d231a34-39ef-11f1-8422-122e2785dc9f"}}]}}