2.8

CVE-2023-3674

EPSS 0.02%
Veröffentlicht 19.07.2023 19:15:12
Zuletzt bearbeitet 21.11.2024 08:17:48
Quelle secalert@redhat.com
Teams Watchlist Login
Unerledigt Login

A flaw was found in the keylime attestation verifier, which fails to flag a device's submitted TPM quote as faulty when the quote's signature does not validate for some reason. Instead, it will only emit an error in the log without flagging the device as untrusted.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Keylime ≫ Keylime Version < 7.2.5

Fedoraproject ≫ Fedora Version38

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.041

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	2.8	1.3	1.4	CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
secalert@redhat.com	2.3	0.8	1.4	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

CWE-1283 Mutable Attestation or Measurement Reporting Data

The register contents used for attestation or measurement reporting data to verify boot flow are modifiable by an adversary.

https://access.redhat.com/errata/RHSA-2024:1139

https://access.redhat.com/security/cve/CVE-2023-3674

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=2222903

Patch

Third Party Advisory

Issue Tracking

https://github.com/keylime/keylime/commit/95ce3d86bd2c53009108ffda2dcf553312d733db

Patch

https://nvd.nist.gov/vuln/detail/CVE-2023-3674

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-3674

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-3674

EUVD