Bug 1976806 (CVE-2021-3623) - CVE-2021-3623 libtpms: out-of-bounds access when trying to resume the state of the vTPM
Status: NEW
Alias: CVE-2021-3623
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
Depends On: 1976811 1976814 1976815 1976816
Blocks: 1975674 1976821
Reported: 2021-06-28 10:05 UTC by Mauro Matteo Cascella
Modified: 2023-07-07 08:28 UTC

Fixed In Version: libtpms 0.6.5, libtpms 0.7.8, libtpms 0.8.4
Doc Text:
A flaw was found in libtpms. The flaw can be triggered by specially-crafted TPM 2 command packets containing illegal values and may lead to an out-of-bounds access when the volatile state of the TPM 2 is marshalled/written or unmarshalled/read. The highest threat from this vulnerability is to system availability.

Description Mauro Matteo Cascella 2021-06-28 10:05:32 UTC
A bug was discovered in the libtpms code that may cause access to a buffer beyond the boundary of the buffer or cause failures when trying to resume the state of the vTPM. The vulnerability can be triggered by specially-crafted TPM 2 command packets containing unacceptable/illegal values and those values become an issue when the volatile state of the TPM 2 is marshalled/written or unmarshalled/read. In the former case this can lead to a buffer access beyond its boundary and in the latter case to refusal to accept the state blob due to an illegal value.

To the best of our knowledge, the buffer access beyond its boundaries case does NOT lead to code execution, and as such, any exploitation is likely limited to information leakage and / or denial-of-service (DoS), i.e. a crash. Further, an attacker must have (indirect or direct) access to call TPMLIB_VolatileAll_Store to exploit this flaw.

Upstream PR:
https://github.com/stefanberger/libtpms/pull/223

Upstream fix:
https://github.com/stefanberger/libtpms/commit/2f30d62
https://github.com/stefanberger/libtpms/commit/7981d9a
https://github.com/stefanberger/libtpms/commit/2e6173c
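
An added illustration of the failure mode described above, not code from libtpms or from this report: a rejected command leaves an illegal size in a size-prefixed state field, shown next to a parser that validates before committing and a store routine that re-checks the size before reading the buffer. `sized_buf`, `BUF_CAP` and all function names are hypothetical, and the "size stored before validation" pattern is an assumption made for illustration; the report does not say how the illegal value reaches the state.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define BUF_CAP 32   /* hypothetical capacity of one state field */
typedef struct { uint16_t size; uint8_t data[BUF_CAP]; } sized_buf; /* hypothetical */

/* Command path, flawed (assumed pattern): the size is committed before it is
 * validated, so a rejected command still leaves an illegal size in the state. */
int cmd_unmarshal_flawed(sized_buf *dst, const uint8_t *in, size_t in_len)
{
    if (in_len < 2) return -1;
    dst->size = (uint16_t)((in[0] << 8) | in[1]);
    if (dst->size > BUF_CAP || (size_t)dst->size > in_len - 2) return -1;
    memcpy(dst->data, in + 2, dst->size);
    return 0;
}

/* Command path, hardened: validate a local copy, commit only on success. */
int cmd_unmarshal_checked(sized_buf *dst, const uint8_t *in, size_t in_len)
{
    if (in_len < 2) return -1;
    uint16_t n = (uint16_t)((in[0] << 8) | in[1]);
    if (n > BUF_CAP || (size_t)n > in_len - 2) return -1;
    memcpy(dst->data, in + 2, n);
    dst->size = n;
    return 0;
}

/* State store: re-check the size against the field capacity before reading
 * src->data; without this check an illegal size reads past the buffer. */
int state_marshal(const sized_buf *src, uint8_t *out, size_t out_len)
{
    if (src->size > BUF_CAP || out_len < (size_t)src->size + 2) return -1;
    out[0] = (uint8_t)(src->size >> 8);
    out[1] = (uint8_t)(src->size & 0xff);
    memcpy(out + 2, src->data, src->size);
    return (int)src->size + 2;
}

/* Constructed input: a command claiming 0x0100 bytes for a 32-byte field.
 * Returns the result of storing the state after the command was rejected. */
int store_after_rejected_cmd(int hardened)
{
    static const uint8_t cmd[4] = { 0x01, 0x00, 0xAA, 0xBB };
    sized_buf st = { 4, { 1, 2, 3, 4 } };
    uint8_t blob[2 + BUF_CAP];
    int rc = hardened ? cmd_unmarshal_checked(&st, cmd, sizeof cmd)
                      : cmd_unmarshal_flawed(&st, cmd, sizeof cmd);
    return rc == -1 ? state_marshal(&st, blob, sizeof blob) : -2;
}
```

With the flawed parser the later store is refused by the capacity check instead of reading out of bounds; with the checked parser the earlier valid state is stored unchanged.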

Comment 2 Mauro Matteo Cascella 2021-06-28 10:16:26 UTC
Created libtpms tracking bugs for this issue:

Affects: fedora-all [bug 1976811]

Comment 6 Stefan Berger 2021-10-14 21:17:18 UTC
This bug was fixed a while ago. I think this bugzilla can be closed.

