Go-Attestation Improper Input Validation with attacker-controlled TPM Quote
GHSA-99cg-575x-774p · CVE-2022-0317 · GO-2022-0294
Published · Modified
Description
Impact
An improper input validation vulnerability in go-attestation before 0.4.0 allows local users to provide a maliciously-formed Quote over no/some PCRs, causing AKPublic.Verify to succeed despite the inconsistency. Subsequent use of the same set of PCR values in Eventlog.Verify lacks the authentication performed by quote verification, meaning a local attacker could couple this vulnerability with a maliciously-crafted TCG log in Eventlog.Verify to spoof events in the TCG log, hence defeating remotely-attested measured-boot.
Patches
This issue is resolved in version 0.4.0. If your usage of this library verifies PCRs using multiple quotes, make sure to use the new method AKPublic.VerifyAll() instead of AKPublic.Verify.
References
- WEB https://github.com/google/go-attestation/security/advisories/GHSA-99cg-575x-774p
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2022-0317
- WEB https://github.com/google/go-attestation/commit/82f2c9c2c76e1d3691d17ee78116d1d93a123788
- WEB https://github.com/google/go-attestation
- WEB https://pkg.go.dev/vuln/GO-2022-0294
Ready to move
Start Securing
Free, no credit card | First findings in minutes