Lucene search

K

GitHub Advisory DatabaseGHSA-G4WG-CFPF-9689

HistoryJul 19, 2023 - 9:30 p.m.

keylime fails to flag device as untrusted when signature does not validate

2023-07-1921:30:23

CWE-1283

GitHub Advisory Database

github.com

5

keylime

attestation verifier

device

untrusted

signature validation

2.8 Low

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

0.0004 Low

EPSS

Percentile

15.5%

A flaw was found in the keylime attestation verifier, which fails to flag a device’s submitted TPM quote as faulty when the quote’s signature does not validate for some reason. Instead, it will only emit an error in the log without flagging the device as untrusted.

Affected configurations

Vulners

Node

keylimekeylimeRange<7.2.5

CPENameOperatorVersion
keylimelt7.2.5

References

access.redhat.com/errata/RHSA-2024:1139

access.redhat.com/security/cve/CVE-2023-3674

bugzilla.redhat.com/show_bug.cgi?id=2222903

github.com/advisories/GHSA-g4wg-cfpf-9689

github.com/keylime/keylime/commit/95ce3d86bd2c53009108ffda2dcf553312d733db

github.com/pypa/advisory-database/tree/main/vulns/keylime/PYSEC-2023-128.yaml

nvd.nist.gov/vuln/detail/CVE-2023-3674

2.8 Low

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

0.0004 Low

EPSS

Percentile

15.5%

Related for GHSA-G4WG-CFPF-9689

almalinux1 osv5 redhat1 cvelist1 redhatcve1 rocky1 veracode1 nessus4 oraclelinux1 nvd1 prion1 cve1