CVE-2021-3505

2021-04-1921:15:13

Debian Security Bug Tracker

security-tracker.debian.org

libtpms

tpm 2

data confidentiality

CVSS2

2.1

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

21.7%

JSON

A flaw was found in libtpms in versions before 0.8.0. The TPM 2 implementation returns 2048 bit keys with ~1984 bit strength due to a bug in the TCG specification. The bug is in the key creation algorithm in RsaAdjustPrimeCandidate(), which is called before the prime number check. The highest threat from this vulnerability is to data confidentiality.

OSVersionArchitecturePackageVersionFilename
Debian12alllibtpms< 0.8.0~dev1-1libtpms_0.8.0~dev1-1_all.deb
Debian999alllibtpms< 0.8.0~dev1-1libtpms_0.8.0~dev1-1_all.deb
Debian13alllibtpms< 0.8.0~dev1-1libtpms_0.8.0~dev1-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	libtpms	< 0.8.0~dev1-1	libtpms_0.8.0~dev1-1_all.deb
Debian	999	all	libtpms	< 0.8.0~dev1-1	libtpms_0.8.0~dev1-1_all.deb
Debian	13	all	libtpms	< 0.8.0~dev1-1	libtpms_0.8.0~dev1-1_all.deb