2.8

CVE-2023-3674

EPSS 0.02%
Published 19.07.2023 19:15:12
Last modified 21.11.2024 08:17:48
Source secalert@redhat.com
Teams watchlist Login
Open Login

A flaw was found in the keylime attestation verifier, which fails to flag a device's submitted TPM quote as faulty when the quote's signature does not validate for some reason. Instead, it will only emit an error in the log without flagging the device as untrusted.

Affected products Warnungen 0 Metrics 3 CWE 1 References 7

Data is provided by the National Vulnerability Database (NVD)

Keylime ≫ Keylime Version < 7.2.5

Fedoraproject ≫ Fedora Version38

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.02%	0.041

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	2.8	1.3	1.4	CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
secalert@redhat.com	2.3	0.8	1.4	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

CWE-1283 Mutable Attestation or Measurement Reporting Data

The register contents used for attestation or measurement reporting data to verify boot flow are modifiable by an adversary.

https://access.redhat.com/errata/RHSA-2024:1139

https://access.redhat.com/security/cve/CVE-2023-3674

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=2222903

Patch

Third Party Advisory

Issue Tracking

https://github.com/keylime/keylime/commit/95ce3d86bd2c53009108ffda2dcf553312d733db

Patch

https://nvd.nist.gov/vuln/detail/CVE-2023-3674

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-3674

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-3674

EUVD