First published: Thu Mar 17 2022(Updated: )
Hello Team, please check the below report: -------- Keylime does not enforce that the agent registrar data is the same when the tenant uses it for validation of the EK and identity quote and the verifier for validating the integrity quote. This allows an attacker to use one AK, EK pair from a real TPM to pass EK validation and give the verifier an AK of a software TPM. Affects all versions of Keylime <6.4.0 Thanks
Credit: secalert@redhat.com secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
pip/keylime | <6.4.0 | 6.4.0 |
Keylime Keylime | <6.4.0 | |
Fedoraproject Fedora | =34 | |
Fedoraproject Fedora | =35 | |
Fedoraproject Fedora | =36 | |
redhat/keylime | <6.4.0 | 6.4.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2022-1053 is a vulnerability in Keylime that allows an attacker to use one AK, EK pair from a real TPM to pass EK validation and give the verifier an AK.
CVE-2022-1053 has a severity score of 9.1, making it critical.
CVE-2022-1053 affects Keylime versions up to but excluding 6.4.0, Fedora versions 34, 35, and 36.
To fix CVE-2022-1053, update to Keylime version 6.4.0 or higher.
More information about CVE-2022-1053 can be found at the following references: [GitHub Advisory](https://github.com/keylime/keylime/security/advisories/GHSA-jf66-3q76-h5p5), [NVD](https://nvd.nist.gov/vuln/detail/CVE-2022-1053), [GitHub Commit](https://github.com/keylime/keylime/commit/bd5de712acdd77860e7dc58969181e16c7a8dc5d).