PCI Express Delayed Posted Redirection Vulnerability in the Integrity and Data Encryption Specification
Vulnerability
A vulnerability exists in the PCI Express Integrity and Data Encryption (IDE) specification, specifically in versions 5.0 and later. The issue arises from inadequate guidance on re-keying and stream flushing during device rebinding, which may allow outdated write transactions from a previous security context to be processed in a new one. This could result in unintended data access across trusted domains, potentially compromising confidentiality and integrity.
Impact
Exploitation of this vulnerability could lead to unauthorized access to data or interference with data integrity between isolated environments, if the proper procedures are not followed.
Remediation
PCI-SIG members can review and implement the recommended changes by downloading the relevant Engineering Change Notification (ECN) from the PCI-SIG members' specification library. This document is for members only.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.