FKIE_CVE-2026-33697

Vulnerability from fkie_nvd - Published: 2026-03-27 00:16 - Updated: 2026-03-30 13:26
Severity ?
7.5 (High) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Summary
Cocos AI is a confidential computing system for AI. The current implementation of attested TLS (aTLS) in CoCoS is vulnerable to a relay attack affecting all versions from v0.4.0 through v0.8.2. This vulnerability is present in both the AMD SEV-SNP and Intel TDX deployment targets supported by CoCoS. In the affected design, an attacker may be able to extract the ephemeral TLS private key used during the intra-handshake attestation. Because the attestation evidence is bound to the ephemeral key but not to the TLS channel, possession of that key is sufficient to relay or divert the attested TLS session. A client will accept the connection under false assumptions about the endpoint it is communicating with — the attestation report cannot distinguish the genuine attested service from the attacker's relay. This undermines the intended authentication guarantees of attested TLS. A successful attack may allow an attacker to impersonate an attested CoCoS service and access data or operations that the client intended to send only to the genuine attested endpoint. Exploitation requires the attacker to first extract the ephemeral TLS private key, which is possible through physical access to the server hardware, transient execution attacks, or side-channel attacks. Note that the aTLS implementation was fully redesigned in v0.7.0, but the redesign does not address this vulnerability. The relay attack weakness is architectural and affects all releases in the v0.4.0–v0.8.2 range. This vulnerability class was formally analyzed and demonstrated across multiple attested TLS implementations, including CoCoS, by researchers whose findings were disclosed to the IETF TLS Working Group. Formal verification was conducted using ProVerif. As of time of publication, there is no patch available. No complete workaround is available. The following hardening measures reduce but do not eliminate the risk: Keep TEE firmware and microcode up to date to reduce the key-extraction surface; define strict attestation policies that validate all available report fields, including firmware versions, TCB levels, and platform configuration registers; and/or enable mutual aTLS with CA-signed certificates where deployment architecture permits.
References
security-advisories@github.comhttps://github.com/ultravioletrs/cocos/security/advisories/GHSA-vfgg-mvxx-mgg7
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cocos AI is a confidential computing system for AI. The current implementation of attested TLS (aTLS) in CoCoS is vulnerable to a relay attack affecting all versions from v0.4.0 through v0.8.2. This vulnerability is present in both the AMD SEV-SNP and Intel TDX deployment targets supported by CoCoS. In the affected design, an attacker may be able to extract the ephemeral TLS private key used during the intra-handshake attestation. Because the attestation evidence is bound to the ephemeral key but not to the TLS channel, possession of that key is sufficient to relay or divert the attested TLS session. A client will accept the connection under false assumptions about the endpoint it is communicating with \u2014 the attestation report cannot distinguish the genuine attested service from the attacker\u0027s relay. This undermines the intended authentication guarantees of attested TLS. A successful attack may allow an attacker to impersonate an attested CoCoS service and access data or operations that the client intended to send only to the genuine attested endpoint. Exploitation requires the attacker to first extract the ephemeral TLS private key, which is possible through physical access to the server hardware, transient execution attacks, or side-channel attacks. Note that the aTLS implementation was fully redesigned in v0.7.0, but the redesign does not address this vulnerability. The relay attack weakness is architectural and affects all releases in the v0.4.0\u2013v0.8.2 range. This vulnerability class was formally analyzed and demonstrated across multiple attested TLS implementations, including CoCoS, by researchers whose findings were disclosed to the IETF TLS Working Group. Formal verification was conducted using ProVerif. As of time of publication, there is no patch available. No complete workaround is available. The following hardening measures reduce but do not eliminate the risk: Keep TEE firmware and microcode up to date to reduce the key-extraction surface; define strict attestation policies that validate all available report fields, including firmware versions, TCB levels, and platform configuration registers; and/or enable mutual aTLS with CA-signed certificates where deployment architecture permits."
    },
    {
      "lang": "es",
      "value": "Cocos AI es un sistema de computaci\u00f3n confidencial para IA. La implementaci\u00f3n actual de TLS atestiguado (aTLS) en CoCoS es vulnerable a un ataque de retransmisi\u00f3n que afecta a todas las versiones desde la v0.4.0 hasta la v0.8.2. Esta vulnerabilidad est\u00e1 presente tanto en los objetivos de despliegue AMD SEV-SNP como Intel TDX soportados por CoCoS. En el dise\u00f1o afectado, un atacante podr\u00eda ser capaz de extraer la clave privada ef\u00edmera de TLS utilizada durante la atestaci\u00f3n intra-handshake. Debido a que la evidencia de atestaci\u00f3n est\u00e1 ligada a la clave ef\u00edmera pero no al canal TLS, la posesi\u00f3n de esa clave es suficiente para retransmitir o desviar la sesi\u00f3n TLS atestiguada. Un cliente aceptar\u00e1 la conexi\u00f3n bajo suposiciones falsas sobre el endpoint con el que se est\u00e1 comunicando \u2014 el informe de atestaci\u00f3n no puede distinguir el servicio atestiguado genuino del retransmisor del atacante. Esto socava las garant\u00edas de autenticaci\u00f3n previstas de TLS atestiguado. Un ataque exitoso podr\u00eda permitir a un atacante suplantar un servicio CoCoS atestiguado y acceder a datos u operaciones que el cliente pretend\u00eda enviar solo al endpoint atestiguado genuino. La explotaci\u00f3n requiere que el atacante extraiga primero la clave privada ef\u00edmera de TLS, lo cual es posible a trav\u00e9s del acceso f\u00edsico al hardware del servidor, ataques de ejecuci\u00f3n transitoria o ataques de canal lateral. Tenga en cuenta que la implementaci\u00f3n de aTLS fue completamente redise\u00f1ada en la v0.7.0, pero el redise\u00f1o no aborda esta vulnerabilidad. La debilidad del ataque de retransmisi\u00f3n es arquitect\u00f3nica y afecta a todas las versiones en el rango v0.4.0\u2013v0.8.2. Esta clase de vulnerabilidad fue analizada formalmente y demostrada en m\u00faltiples implementaciones de TLS atestiguado, incluyendo CoCoS, por investigadores cuyos hallazgos fueron divulgados al Grupo de Trabajo de TLS del IETF. La verificaci\u00f3n formal se realiz\u00f3 utilizando ProVerif. A partir del momento de la publicaci\u00f3n, no hay parche disponible. No hay soluci\u00f3n alternativa completa disponible. Las siguientes medidas de endurecimiento reducen pero no eliminan el riesgo: Mantenga el firmware y el microc\u00f3digo de TEE actualizados para reducir la superficie de extracci\u00f3n de claves; defina pol\u00edticas de atestaci\u00f3n estrictas que validen todos los campos de informe disponibles, incluyendo versiones de firmware, niveles de TCB y registros de configuraci\u00f3n de plataforma; y/o habilite aTLS mutuo con certificados firmados por CA donde la arquitectura de despliegue lo permita."
    }
  ],
  "id": "CVE-2026-33697",
  "lastModified": "2026-03-30T13:26:29.793",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.1,
        "impactScore": 5.8,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-27T00:16:23.133",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/ultravioletrs/cocos/security/advisories/GHSA-vfgg-mvxx-mgg7"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-322"
        },
        {
          "lang": "en",
          "value": "CWE-346"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.