First published: Tue Jan 25 2022(Updated: )
### Impact An improper input validation vulnerability in go-attestation before 0.4.0 allows local users to provide a maliciously-formed Quote over no/some PCRs, causing `AKPublic.Verify` to succeed despite the inconsistency. Subsequent use of the same set of PCR values in `Eventlog.Verify` lacks the authentication performed by quote verification, meaning a local attacker could couple this vulnerability with a maliciously-crafted TCG log in `Eventlog.Verify` to spoof events in the TCG log, hence defeating remotely-attested measured-boot. ### Patches This issue is resolved in version 0.4.0. If your usage of this library verifies PCRs using multiple quotes, make sure to use the new method `AKPublic.VerifyAll()` instead of `AKPublic.Verify`.
Credit: cve-coordination@google.com cve-coordination@google.com
Affected Software | Affected Version | How to fix |
---|---|---|
go/github.com/google/go-attestation | <0.4.0 | 0.4.0 |
Google Go-attestation | <0.3.3 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability ID for this vulnerability is CVE-2022-0317.
The severity of CVE-2022-0317 is medium with a severity value of 4.
CVE-2022-0317 allows local users to provide a maliciously-formed Quote over no/some PCRs, causing `AKPublic.Verify` to succeed despite the inconsistency and subsequent use of the same set of PCR values in `Eventlog.Verify` lacks th…
The affected software is go-attestation before version 0.4.0.
To fix CVE-2022-0317, upgrade to version 0.4.0 of go-attestation.