keylime fails to flag device as untrusted when signature does not validate

GHSA-g4wg-cfpf-9689 · CVE-2023-3674 · PYSEC-2023-128

Published Jul 19, 2023 · Modified Feb 15, 2025

Description

A flaw was found in the keylime attestation verifier, which fails to flag a device's submitted TPM quote as faulty when the quote's signature does not validate for some reason. Instead, it will only emit an error in the log without flagging the device as untrusted.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2023-3674
WEB https://github.com/keylime/keylime/commit/95ce3d86bd2c53009108ffda2dcf553312d733db
WEB https://access.redhat.com/errata/RHSA-2024:1139
WEB https://access.redhat.com/security/cve/CVE-2023-3674
WEB https://bugzilla.redhat.com/show_bug.cgi?id=2222903
PACKAGE https://github.com/keylime/keylime
WEB https://github.com/pypa/advisory-database/tree/main/vulns/keylime/PYSEC-2023-128.yaml

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes