Bug 2222903 (CVE-2023-3674) - CVE-2023-3674 keylime: Attestation failure when the quote's signature does not validate
Summary: CVE-2023-3674 keylime: Attestation failure when the quote's signature does no...
Keywords:
Status: NEW
Alias: CVE-2023-3674
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2222908 2222909
Blocks: 2222904
TreeView+ depends on / blocked
 
Reported: 2023-07-14 12:26 UTC by Mauro Matteo Cascella
Modified: 2023-07-17 20:31 UTC (History)
5 users (show)

Fixed In Version: keylime 7.2.5, keylime 7.3.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the keylime attestation verifier, which fails to flag a device's submitted TPM quote as faulty when the quote's signature does not validate for some reason. Instead, it will only emit an error in the log without flagging the device as untrusted.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Mauro Matteo Cascella 2023-07-14 12:26:17 UTC 
The keylime attestation verifier fails to flag a device's submitted TPM quote as faulty when the quote's signature does not validate for some reason. Instead, it will only emit an error in the log but not flag the device as being untrusted.

To exploit this bug, a non-privileged user would have to modify the keylime agent to create invalid quotes a could then use invalid measurement lists to hide the trust state of a system. He would then have to trick the administrator in using the user's modified keylime agent.

Upstream fix:
https://github.com/keylime/keylime/commit/95ce3d86bd2c53009108ffda2dcf553312d733db
Comment 1 Mauro Matteo Cascella 2023-07-14 12:40:38 UTC 
Created keylime tracking bugs for this issue:

Affects: fedora-all [bug 2222908]
Note You need to log in before you can comment on or make changes to this bug.