First published: Wed Jul 12 2023
A flaw was found in the keylime attestation verifier, which fails to flag a device's submitted TPM quote as faulty when the quote's signature does not validate, whatever the cause. Instead, it only emits an error in the log without marking the device as untrusted, so the remaining checks alone decide the attestation outcome.
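The failure mode described above, as an added illustration (not keylime's own code): a verifier that only logs a signature failure beside one that records it as a failed check. The `Quote`, `check_quote_*` names are hypothetical, and an HMAC over constructed data stands in for the TPM's signature over the quote so the example runs offline.

```python
import hashlib
import hmac
import logging
from dataclasses import dataclass

log = logging.getLogger("verifier")

# Hypothetical stand-in for a TPM quote. A real verifier checks a TPM2 signature
# against the device's attestation key; here an HMAC with a constructed test key
# plays that role. Nothing below is keylime's API.
@dataclass
class Quote:
    quoted: bytes     # quoted data, including the verifier's nonce
    signature: bytes  # signature over `quoted`

def signature_valid(quote: Quote, key: bytes) -> bool:
    expected = hmac.new(key, quote.quoted, hashlib.sha256).digest()
    return hmac.compare_digest(expected, quote.signature)

def check_quote_vulnerable(quote: Quote, key: bytes, nonce: bytes) -> dict:
    """Pattern the advisory describes: a bad signature is only logged, so the
    other checks (here just the nonce) decide whether the device is trusted."""
    failures = []
    if not signature_valid(quote, key):
        log.error("quote signature does not validate")  # logged, but not recorded
    if nonce not in quote.quoted:
        failures.append("nonce")
    return {"trusted": not failures, "failures": failures}

def check_quote_fixed(quote: Quote, key: bytes, nonce: bytes) -> dict:
    """Fail closed: a signature failure is recorded like any other failed check."""
    failures = []
    if not signature_valid(quote, key):
        log.error("quote signature does not validate")
        failures.append("signature")
    if nonce not in quote.quoted:
        failures.append("nonce")
    return {"trusted": not failures, "failures": failures}

def make_quote(quoted: bytes, key: bytes) -> Quote:
    return Quote(quoted, hmac.new(key, quoted, hashlib.sha256).digest())

# Constructed sample input.
KEY = b"constructed-test-key"
NONCE = b"nonce-42"
GOOD = make_quote(b"pcrs|" + NONCE, KEY)
BAD_SIG = Quote(b"pcrs|" + NONCE, b"\x00" * 32)  # right nonce, signature does not validate
```

Only the fixed check reports the quote with the non-validating signature as untrusted; the vulnerable check accepts it because the nonce matches.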
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix
---|---|---
pip/keylime | <7.2.5 | 7.2.5
Keylime Keylime | <7.2.5 |
Fedoraproject Fedora | =38 |
redhat/keylime | <7.2.5 | 7.2.5
redhat/keylime | <7.3.0 | 7.3.0
The vulnerability ID is CVE-2023-3674.
The severity of CVE-2023-3674 is low with a severity value of 2.3.
The keylime attestation verifier, in versions up to 7.2.5 and 7.3.0, is affected by CVE-2023-3674.
To fix CVE-2023-3674, update the keylime attestation verifier to version 7.3.1 or later.
You can find more information about CVE-2023-3674 at the following references: [Reference 1](https://access.redhat.com/security/cve/CVE-2023-3674), [Reference 2](https://bugzilla.redhat.com/show_bug.cgi?id=2222903), [Reference 3](https://github.com/keylime/keylime/commit/95ce3d86bd2c53009108ffda2dcf553312d733db).