keylime fails to flag device as untrusted when signature does not validate

2023-07-1921:30:23

Google

osv.dev

keylime

attestation

verifier

device

untrusted

signature

validate

fault

software

2.8 Low

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

0.0004 Low

EPSS

Percentile

15.5%

JSON

A flaw was found in the keylime attestation verifier, which fails to flag a device’s submitted TPM quote as faulty when the quote’s signature does not validate for some reason. Instead, it will only emit an error in the log without flagging the device as untrusted.

CPENameOperatorVersion
keylimeeq6.8.0
keylimeeq6.4.2
keylimeeq6.5.2
keylimeeq6.5.1
keylimeeq6.4.3
keylimeeq6.4.0
keylimeeq6.3.1
keylimeeq6.6.0
keylimeeq6.5.3
keylimeeq6.4.1