Lucene search

RedhatCVE-2021-3505

HistoryApr 19, 2021 - 9:15 p.m.

CVE-2021-3505

2021-04-1921:15:13

CWE-331

redhat

web.nvd.nist.gov

cve-2021-3505

libtpms

tpm 2

key creation algorithm

data confidentiality

vulnerability

CVSS2

2.1

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

5.2

Confidence

High

EPSS

0.001

Percentile

21.7%

JSON

A flaw was found in libtpms in versions before 0.8.0. The TPM 2 implementation returns 2048 bit keys with ~1984 bit strength due to a bug in the TCG specification. The bug is in the key creation algorithm in RsaAdjustPrimeCandidate(), which is called before the prime number check. The highest threat from this vulnerability is to data confidentiality.

Affected configurations

Nvd

Vulners

Node

libtpms_projectlibtpmsRange<0.8.0

Node

redhatenterprise_linuxMatch8.0advanced_virtualization

Node

fedoraprojectfedoraMatch33

VendorProductVersionCPE
libtpms_projectlibtpms*cpe:2.3:a:libtpms_project:libtpms:*:*:*:*:*:*:*:*
redhatenterprise_linux8.0cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:advanced_virtualization:*:*:*
fedoraprojectfedora33cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
libtpms_project	libtpms	*	cpe:2.3:a:libtpms_project:libtpms::::::::
redhat	enterprise_linux	8.0	cpe:2.3:o:redhat:enterprise_linux:8.0::::advanced_virtualization:::
fedoraproject	fedora	33	cpe:2.3:o:fedoraproject:fedora:33:::::::*

CNA Affected

[
  {
    "product": "libtpms",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "libtpms 0.8.0"
      }
    ]
  }
]