Bug 2065024 (CVE-2022-1053)
Summary: | CVE-2022-1053 keylime: Tenant and Verifier might not use the same registrar data | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | TEJ RATHI <trathi> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED UPSTREAM | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | ansasaki, dueno, lhinds, mpeters, scorreia, security-response-team |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | keylime 6.4.0 | Doc Type: | If docs needed, set a value |
Doc Text: |
Keylime does not enforce that the agent registrar data is the same when the tenant uses it for validation of the EK and identity quote and the verifier for validating the integrity quote. This allows an attacker to use one AK, EK pair from a real TPM to pass EK validation and give the verifier an AK of a software TPM.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2022-05-05 18:15:20 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 2082162 | ||
Bug Blocks: | 2082413 |
Description
TEJ RATHI
2022-03-17 06:57:14 UTC
lifting embargo as it is public now. Ref: https://github.com/keylime/keylime/security/advisories/GHSA-jf66-3q76-h5p5 Created keylime tracking bugs for this issue: Affects: fedora-all [bug 2082162] This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products. |