Bug 2222903 (CVE-2023-3674)

Summary: CVE-2023-3674 keylime: Attestation failure when the quote's signature does not validate
Product: [Other] Security Response Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: ansasaki, dueno, ksrot, pkoncity, scorreia
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: keylime 7.2.5, keylime 7.3.0 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the keylime attestation verifier, which fails to flag a device's submitted TPM quote as faulty when the quote's signature does not validate for some reason. Instead, it will only emit an error in the log without flagging the device as untrusted.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2222908, 2222909    
Bug Blocks: 2222904    

Description Mauro Matteo Cascella 2023-07-14 12:26:17 UTC 
The keylime attestation verifier fails to flag a device's submitted TPM quote as faulty when the quote's signature does not validate for some reason. Instead, it will only emit an error in the log but not flag the device as being untrusted.

To exploit this bug, a non-privileged user would have to modify the keylime agent to create invalid quotes a could then use invalid measurement lists to hide the trust state of a system. He would then have to trick the administrator in using the user's modified keylime agent.

Upstream fix:
https://github.com/keylime/keylime/commit/95ce3d86bd2c53009108ffda2dcf553312d733db
Comment 1 Mauro Matteo Cascella 2023-07-14 12:40:38 UTC 
Created keylime tracking bugs for this issue:

Affects: fedora-all [bug 2222908]