Bug 1976806 (CVE-2021-3623)

Summary: CVE-2021-3623 libtpms: out-of-bounds access when trying to resume the state of the vTPM
Product: [Other] Security Response
Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: davide, marcandre.lureau, stefanb, virt-maint
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: libtpms 0.6.5, libtpms 0.7.8, libtpms 0.8.4
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in libtpms. The flaw can be triggered by specially-crafted TPM 2 command packets containing illegal values and may lead to an out-of-bounds access when the volatile state of the TPM 2 is marshalled/written or unmarshalled/read. The highest threat from this vulnerability is to system availability.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1976811, 1976814, 1976815, 1976816
Bug Blocks: 1975674, 1976821

Description Mauro Matteo Cascella 2021-06-28 10:05:32 UTC
A bug was discovered in the libtpms code that may cause access to a buffer beyond the boundary of the buffer or cause failures when trying to resume the state of the vTPM. The vulnerability can be triggered by specially-crafted TPM 2 command packets containing unacceptable/illegal values and those values become an issue when the volatile state of the TPM 2 is marshalled/written or unmarshalled/read. In the former case this can lead to a buffer access beyond its boundary and in the latter case to refusal to accept the state blob due to an illegal value.

To the best of our knowledge, the buffer access beyond its boundaries case does NOT lead to code execution, and as such, any exploitation is likely limited to information leakage and / or denial-of-service (DoS), i.e. a crash. Further, an attacker must have (indirect or direct) access to call TPMLIB_VolatileAll_Store to exploit this flaw.

Upstream PR:
https://github.com/stefanberger/libtpms/pull/223

Upstream fix:
https://github.com/stefanberger/libtpms/commit/2f30d62
https://github.com/stefanberger/libtpms/commit/7981d9a
https://github.com/stefanberger/libtpms/commit/2e6173c

Comment 2 Mauro Matteo Cascella 2021-06-28 10:16:26 UTC
Created libtpms tracking bugs for this issue:

Affects: fedora-all [bug 1976811]

Comment 6 Stefan Berger 2021-10-14 21:17:18 UTC
This bug has been fixed a while ago. I think this bugzilla can be closed.