Versio.io

CVE-2022-1053

Common vulnerabilities & exposures (CVE)

CVE databaseCVE database blogpostRelease & EoL database
 
Published at: - 06-05-2022 07:15
Last modified: - 16-05-2022 08:38
Total changes: - 4

Description

Keylime does not enforce that the agent registrar data is the same when the tenant uses it for validation of the EK and identity quote and the verifier for validating the integrity quote. This allows an attacker to use one AK, EK pair from a real TPM to pass EK validation and give the verifier an AK of a software TPM. A successful attack breaks the entire chain of trust because a not validated AK is used by the verifier. This issue is worse if the validation happens first and then the agent gets added to the verifier because the timing is easier and the verifier does not validate the regcount entry being equal to 1,

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Low
Attack complexity
Network
Attack vector
None
Availability
High
Confidentiality
High
Integrity
None
Privileges required
Unchanged
Scope
None
User interaction
9.1
Base score
3.9
5.2
Exploitability score
Impact score
 

Verification logic

OR
OR
vendor=keylime AND product=keylime AND versionEndExcluding=6.4.0
OR
vendor=fedoraproject AND product=fedora AND version=34
vendor=fedoraproject AND product=fedora AND version=35
vendor=fedoraproject AND product=fedora AND version=36
 

Reference

 


Keywords

NVD

 

CVE-2022-1053

 

CVE

 

Common vulnerabilities & exposures

 

CVSS

 

Common vulnerability scoring system

 

Security

 

Vulnerabilities

 

Exposures

 

We use cookies to ensure that we give you the best experience on our website. Read privacy policies for more information.