Vulnerabilites related to lfedge - eve
Vulnerability from fkie_nvd
Published
2023-09-21 14:15
Modified
2024-11-21 08:24
Severity ?
8.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
When sealing/unsealing the “vault” key, a list of PCRs is used, which defines which PCRs
are used.
In a previous project, CYMOTIVE found that the configuration is not protected by the secure
boot, and in response Zededa implemented measurements on the config partition that was
mapped to PCR 13.
In that process, PCR 13 was added to the list of PCRs that seal/unseal the key.
In commit “56e589749c6ff58ded862d39535d43253b249acf”, the config partition
measurement moved from PCR 13 to PCR 14, but PCR 14 was not added to the list of
PCRs that seal/unseal the key.
This change makes the measurement of PCR 14 effectively redundant as it would not affect
the sealing/unsealing of the key.
An attacker could modify the config partition without triggering the measured boot, this could
result in the attacker gaining full control over the device with full access to the contents of the
encrypted “vault”
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@asrg.io | https://asrg.io/security-advisories/cve-2023-43634/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://asrg.io/security-advisories/cve-2023-43634/ | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:lfedge:eve:*:*:*:*:*:*:*:*",
"matchCriteriaId": "95D311A8-5FBD-49AF-AD11-8B78420BAEAE",
"versionEndExcluding": "8.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:lfedge:eve:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A3648A14-186C-4E6A-AA73-7D2F5C78019D",
"versionEndExcluding": "9.5.0",
"versionStartIncluding": "9.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "\nWhen sealing/unsealing the \u201cvault\u201d key, a list of PCRs is used, which defines which PCRs\nare used.\n\nIn a previous project, CYMOTIVE found that the configuration is not protected by the secure\nboot, and in response Zededa implemented measurements on the config partition that was\nmapped to PCR 13.\n\nIn that process, PCR 13 was added to the list of PCRs that seal/unseal the key.\n\nIn commit \u201c56e589749c6ff58ded862d39535d43253b249acf\u201d, the config partition\nmeasurement moved from PCR 13 to PCR 14, but PCR 14 was not added to the list of\nPCRs that seal/unseal the key.\n\nThis change makes the measurement of PCR 14 effectively redundant as it would not affect\nthe sealing/unsealing of the key.\n\n\n\nAn attacker could modify the config partition without triggering the measured boot, this could\nresult in the attacker gaining full control over the device with full access to the contents of the\nencrypted \u201cvault\u201d\n\n\n\n\n"
},
{
"lang": "es",
"value": "Al sellar/abrir la clave de \u201cvault\u201d, se utiliza una lista de PCRs, que define qu\u00e9 PCRs se utilizan. En un proyecto anterior, CYMOTIVE descubri\u00f3 que la configuraci\u00f3n no est\u00e1 protegida por el arranque seguro y, en respuesta, Zededa implement\u00f3 medidas en la partici\u00f3n de configuraci\u00f3n que estaba asignada a PCR 13. En ese proceso, PCR 13 se agreg\u00f3 a la lista de PCRs que sellan /abrir la llave. En el commit \u201c56e589749c6ff58ded862d39535d43253b249acf\u201d, la medici\u00f3n de la partici\u00f3n de configuraci\u00f3n pas\u00f3 de PCR 13 a PCR 14, pero PCR 14 no se agreg\u00f3 a la lista de PCR que sellan/abren la clave. Este cambio hace que la medici\u00f3n de PCR 14 sea efectivamente redundante ya que no afectar\u00eda el sellado/abrir de la llave. Un atacante podr\u00eda modificar la partici\u00f3n de configuraci\u00f3n sin activar el arranque medido, lo que podr\u00eda dar como resultado que el atacante obtenga control total sobre el dispositivo con acceso completo al contenido de la \"vault\" cifrada."
}
],
"id": "CVE-2023-43634",
"lastModified": "2024-11-21T08:24:30.747",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.0,
"impactScore": 6.0,
"source": "cve@asrg.io",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.0,
"impactScore": 6.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-09-21T14:15:11.477",
"references": [
{
"source": "cve@asrg.io",
"tags": [
"Third Party Advisory"
],
"url": "https://asrg.io/security-advisories/cve-2023-43634/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://asrg.io/security-advisories/cve-2023-43634/"
}
],
"sourceIdentifier": "cve@asrg.io",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-522"
},
{
"lang": "en",
"value": "CWE-922"
}
],
"source": "cve@asrg.io",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-522"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-09-21 14:15
Modified
2024-11-21 08:24
Severity ?
8.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
On boot, the Pillar eve container checks for the existence and content of
“/config/GlobalConfig/global.json”.
If the file exists, it overrides the existing configuration on the device on boot.
This allows an attacker to change the system’s configuration, which also includes some
debug functions.
This could be used to unlock the ssh with custom “authorized_keys” via the
“debug.enable.ssh” key, similar to the “authorized_keys” finding that was noted before.
Other usages include unlocking the usb to enable the keyboard via the “debug.enable.usb”
key, allowing VNC access via the “app.allow.vnc” key, and more.
An attacker could easily enable these debug functionalities without triggering the “measured
boot” mechanism implemented by EVE OS, and without marking the device as “UUD”
(“Unknown Update Detected”).
This is because the “/config” partition is not protected by “measured boot”, it is mutable and it
is not encrypted in any way.
An attacker can gain full control over the device without changing the PCR values, thereby not
triggering the “measured boot” mechanism, and having full access to the vault.
Note:
This issue was partially fixed in these commits (after disclosure to Zededa), where the config
partition measurement was added to PCR13:
• aa3501d6c57206ced222c33aea15a9169d629141
• 5fef4d92e75838cc78010edaed5247dfbdae1889.
This issue was made viable in version 9.0.0 when the calculation was moved to PCR14 but it was not included in the measured boot.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@asrg.io | https://asrg.io/security-advisories/cve-2023-43633/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://asrg.io/security-advisories/cve-2023-43633/ | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:lfedge:eve:*:*:*:*:*:*:*:*",
"matchCriteriaId": "95D311A8-5FBD-49AF-AD11-8B78420BAEAE",
"versionEndExcluding": "8.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:lfedge:eve:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A3648A14-186C-4E6A-AA73-7D2F5C78019D",
"versionEndExcluding": "9.5.0",
"versionStartIncluding": "9.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "\nOn boot, the Pillar eve container checks for the existence and content of\n\u201c/config/GlobalConfig/global.json\u201d.\n\nIf the file exists, it overrides the existing configuration on the device on boot.\n\nThis allows an attacker to change the system\u2019s configuration, which also includes some\ndebug functions.\n\nThis could be used to unlock the ssh with custom \u201cauthorized_keys\u201d via the\n\u201cdebug.enable.ssh\u201d key, similar to the \u201cauthorized_keys\u201d finding that was noted before.\n\nOther usages include unlocking the usb to enable the keyboard via the \u201cdebug.enable.usb\u201d\nkey, allowing VNC access via the \u201capp.allow.vnc\u201d key, and more.\n\nAn attacker could easily enable these debug functionalities without triggering the \u201cmeasured\nboot\u201d mechanism implemented by EVE OS, and without marking the device as \u201cUUD\u201d\n(\u201cUnknown Update Detected\u201d).\nThis is because the \u201c/config\u201d partition is not protected by \u201cmeasured boot\u201d, it is mutable and it\nis not encrypted in any way.\n\n\n\n\n\nAn attacker can gain full control over the device without changing the PCR values, thereby not\ntriggering the \u201cmeasured boot\u201d mechanism, and having full access to the vault.\n\n\n\n\nNote:\n\nThis issue was partially fixed in these commits (after disclosure to Zededa), where the config\npartition measurement was added to PCR13:\n\n\u2022 aa3501d6c57206ced222c33aea15a9169d629141\n\n\u2022 5fef4d92e75838cc78010edaed5247dfbdae1889.\n\nThis issue was made viable in version 9.0.0 when the calculation was moved to PCR14 but it was not included in the measured boot."
},
{
"lang": "es",
"value": "Al arrancar, el contenedor Pillar eve comprueba la existencia y el contenido de \u201c/config/GlobalConfig/global.json\u201d. Si el archivo existe, anula la configuraci\u00f3n existente en el dispositivo al arrancar. Esto permite a un atacante cambiar la configuraci\u00f3n del sistema, que tambi\u00e9n incluye algunas funciones de depuraci\u00f3n. Esto podr\u00eda usarse para desbloquear el ssh con \u201cclaves_autorizadas\u201d personalizadas a trav\u00e9s de la clave \u201cdebug.enable.ssh\u201d, similar al hallazgo de \u201cclaves_autorizadas\u201d que se se\u00f1al\u00f3 anteriormente. Otros usos incluyen desbloquear el USB para habilitar el teclado mediante la tecla \"\"debug.enable.usb\"\", permitir el acceso a VNC mediante la tecla \"\"app.allow.vnc\"\" y m\u00e1s. Un atacante podr\u00eda habilitar f\u00e1cilmente estas funcionalidades de depuraci\u00f3n sin activar el mecanismo de \"\"measured boot\"\" implementado por EVE OS y sin marcar el dispositivo como \"\"UUD\"\" (\"\"Actualizaci\u00f3n desconocida detectada\"\"). Esto se debe a que la partici\u00f3n \u201c/config\u201d no est\u00e1 protegida por \u201cmeasured boot\u201d, es mutable y no est\u00e1 cifrada de ninguna manera. Un atacante puede obtener control total sobre el dispositivo sin cambiar los valores de PCR, por lo que no activar\u00e1 el mecanismo de \"\"measured boot\"\" y tendr\u00e1 acceso completo a \"\"vault\"\". Nota: Este problema se solucion\u00f3 parcialmente en estos commits (despu\u00e9s de la divulgaci\u00f3n a Zededa), donde la medici\u00f3n de la partici\u00f3n de configuraci\u00f3n se agreg\u00f3 a PCR13: \n\u2022 aa3501d6c57206ced222c33aea15a9169d629141 \n\u2022 5fef4d92e75838cc78010edaed5247dfbdae1889. \nEste problema se hizo viable en la versi\u00f3n 9.0.0 cuando el c\u00e1lculo se traslad\u00f3 a PCR14, pero no se incluy\u00f3 en el \"\"measured boot\"\"."
}
],
"id": "CVE-2023-43633",
"lastModified": "2024-11-21T08:24:30.617",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.0,
"impactScore": 6.0,
"source": "cve@asrg.io",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.0,
"impactScore": 6.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-09-21T14:15:11.330",
"references": [
{
"source": "cve@asrg.io",
"tags": [
"Third Party Advisory"
],
"url": "https://asrg.io/security-advisories/cve-2023-43633/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://asrg.io/security-advisories/cve-2023-43633/"
}
],
"sourceIdentifier": "cve@asrg.io",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-522"
},
{
"lang": "en",
"value": "CWE-922"
}
],
"source": "cve@asrg.io",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-522"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-09-21 14:15
Modified
2024-11-21 08:24
Severity ?
7.8 (High) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Due to the implementation of "deriveVaultKey", prior to version 7.10, the generated vault key
would always have the last 16 bytes predetermined to be "arfoobarfoobarfo".
This issue happens because "deriveVaultKey" calls "retrieveCloudKey" (which will always
return "foobarfoobarfoobarfoobarfoobarfo" as the key), and then merges the 32byte
randomly generated key with this key (by takeing 16bytes from each, see "mergeKeys").
This makes the key a lot weaker.
This issue does not persist in devices that were initialized on/after version 7.10, but devices
that were initialized before that and updated to a newer version still have this issue.
Roll an update that enforces the full 32bytes key usage.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@asrg.io | https://asrg.io/security-advisories/cve-2023-43637/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://asrg.io/security-advisories/cve-2023-43637/ | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:lfedge:eve:*:*:*:*:*:*:*:*",
"matchCriteriaId": "77901B8C-18E1-4B76-AC1C-C9219A0B4BA2",
"versionEndExcluding": "7.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "\nDue to the implementation of \"deriveVaultKey\", prior to version 7.10, the generated vault key\nwould always have the last 16 bytes predetermined to be \"arfoobarfoobarfo\".\n\nThis issue happens because \"deriveVaultKey\" calls \"retrieveCloudKey\" (which will always\nreturn \"foobarfoobarfoobarfoobarfoobarfo\" as the key), and then merges the 32byte\nrandomly generated key with this key (by takeing 16bytes from each, see \"mergeKeys\").\n\nThis makes the key a lot weaker.\n\nThis issue does not persist in devices that were initialized on/after version 7.10, but devices\nthat were initialized before that and updated to a newer version still have this issue.\n\n\n\nRoll an update that enforces the full 32bytes key usage.\n\n\n\n\n\n\n"
},
{
"lang": "es",
"value": "Debido a la implementaci\u00f3n de \"deriveVaultKey\", antes de la versi\u00f3n 7.10, la clave de almac\u00e9n generada siempre tendr\u00eda los \u00faltimos 16 bytes predeterminados como \"arfoobarfoobarfo\". Este problema ocurre porque \"deriveVaultKey\" llama a \"retrieveCloudKey\" (que siempre devolver\u00e1 \"foobarfoobarfoobarfoobarfoobarfo\" como clave) y luego fusiona la clave de 32 bytes generada aleatoriamente con esta clave (tomando 16 bytes de cada una, consulte \"mergeKeys\"). Esto debilita mucho la clave. Este problema no persiste en los dispositivos que se inicializaron en la versi\u00f3n 7.10 o posteriores, pero los dispositivos que se inicializaron antes y se actualizaron a una versi\u00f3n m\u00e1s reciente a\u00fan tienen este problema. Implemente una actualizaci\u00f3n que imponga el uso completo de la clave de 32 bytes."
}
],
"id": "CVE-2023-43637",
"lastModified": "2024-11-21T08:24:31.167",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.1,
"impactScore": 6.0,
"source": "cve@asrg.io",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-09-21T14:15:11.643",
"references": [
{
"source": "cve@asrg.io",
"tags": [
"Third Party Advisory"
],
"url": "https://asrg.io/security-advisories/cve-2023-43637/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://asrg.io/security-advisories/cve-2023-43637/"
}
],
"sourceIdentifier": "cve@asrg.io",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-321"
}
],
"source": "cve@asrg.io",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-798"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2023-43634 (GCVE-0-2023-43634)
Vulnerability from cvelistv5
Published
2023-09-21 13:05
Modified
2024-09-24 16:54
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
When sealing/unsealing the “vault” key, a list of PCRs is used, which defines which PCRs
are used.
In a previous project, CYMOTIVE found that the configuration is not protected by the secure
boot, and in response Zededa implemented measurements on the config partition that was
mapped to PCR 13.
In that process, PCR 13 was added to the list of PCRs that seal/unseal the key.
In commit “56e589749c6ff58ded862d39535d43253b249acf”, the config partition
measurement moved from PCR 13 to PCR 14, but PCR 14 was not added to the list of
PCRs that seal/unseal the key.
This change makes the measurement of PCR 14 effectively redundant as it would not affect
the sealing/unsealing of the key.
An attacker could modify the config partition without triggering the measured boot, this could
result in the attacker gaining full control over the device with full access to the contents of the
encrypted “vault”
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| LF-Edge, Zededa | EVE OS |
Version: 0 Version: 9.0.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:44:43.689Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://asrg.io/security-advisories/cve-2023-43634/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:o:lfedge:eve:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "eve",
"vendor": "lfedge",
"versions": [
{
"lessThan": "8.6.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "9.5.0",
"status": "affected",
"version": "9.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-43634",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-24T16:48:31.106489Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-24T16:54:58.431Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "EVE OS",
"product": "EVE OS",
"programFiles": [
"https://github.com/lf-edge/eve/tree/master/pkg/pillar/evetpm/tpm.go",
"https://github.com/lf-edge/eve/tree/master/pkg/grub/rootfs.go",
"https://github.com/lf-edge/eve/tree/master/pkg/measure-config/src/measurefs.go"
],
"repo": "https://github.com/lf-edge/eve",
"vendor": " LF-Edge, Zededa",
"versions": [
{
"lessThan": "8.6.0",
"status": "affected",
"version": "0",
"versionType": "release"
},
{
"lessThan": "9.5.0",
"status": "affected",
"version": "9.0.0",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Ilay Levi"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\nWhen sealing/unsealing the \u201cvault\u201d key, a list of PCRs is used, which defines which PCRs\nare used.\n\u003cbr\u003eIn a previous project, CYMOTIVE found that the configuration is not protected by the secure\nboot, and in response Zededa implemented measurements on the config partition that was\nmapped to PCR 13.\n\u003cbr\u003eIn that process, PCR 13 was added to the list of PCRs that seal/unseal the key.\n\u003cbr\u003eIn commit \u201c56e589749c6ff58ded862d39535d43253b249acf\u201d, the config partition\nmeasurement moved from PCR 13 to PCR 14, but PCR 14 was not added to the list of\nPCRs that seal/unseal the key.\n\u003cbr\u003eThis change makes the measurement of PCR 14 effectively redundant as it would not affect\nthe sealing/unsealing of the key.\u003cbr\u003e\u003cbr\u003e\n\nAn attacker could modify the config partition without triggering the measured boot, this could\nresult in the attacker gaining full control over the device with full access to the contents of the\nencrypted \u201cvault\u201d\n\n\n\n\u003cbr\u003e"
}
],
"value": "\nWhen sealing/unsealing the \u201cvault\u201d key, a list of PCRs is used, which defines which PCRs\nare used.\n\nIn a previous project, CYMOTIVE found that the configuration is not protected by the secure\nboot, and in response Zededa implemented measurements on the config partition that was\nmapped to PCR 13.\n\nIn that process, PCR 13 was added to the list of PCRs that seal/unseal the key.\n\nIn commit \u201c56e589749c6ff58ded862d39535d43253b249acf\u201d, the config partition\nmeasurement moved from PCR 13 to PCR 14, but PCR 14 was not added to the list of\nPCRs that seal/unseal the key.\n\nThis change makes the measurement of PCR 14 effectively redundant as it would not affect\nthe sealing/unsealing of the key.\n\n\n\nAn attacker could modify the config partition without triggering the measured boot, this could\nresult in the attacker gaining full control over the device with full access to the contents of the\nencrypted \u201cvault\u201d\n\n\n\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522 Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-922",
"description": "CWE-922 Insecure Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-28T05:35:08.666Z",
"orgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba",
"shortName": "ASRG"
},
"references": [
{
"url": "https://asrg.io/security-advisories/cve-2023-43634/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": " Config Partition Not Protected by Measured Boot",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba",
"assignerShortName": "ASRG",
"cveId": "CVE-2023-43634",
"datePublished": "2023-09-21T13:05:14.046Z",
"dateReserved": "2023-09-20T14:34:14.874Z",
"dateUpdated": "2024-09-24T16:54:58.431Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-43633 (GCVE-0-2023-43633)
Vulnerability from cvelistv5
Published
2023-09-21 13:08
Modified
2024-09-24 17:00
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
On boot, the Pillar eve container checks for the existence and content of
“/config/GlobalConfig/global.json”.
If the file exists, it overrides the existing configuration on the device on boot.
This allows an attacker to change the system’s configuration, which also includes some
debug functions.
This could be used to unlock the ssh with custom “authorized_keys” via the
“debug.enable.ssh” key, similar to the “authorized_keys” finding that was noted before.
Other usages include unlocking the usb to enable the keyboard via the “debug.enable.usb”
key, allowing VNC access via the “app.allow.vnc” key, and more.
An attacker could easily enable these debug functionalities without triggering the “measured
boot” mechanism implemented by EVE OS, and without marking the device as “UUD”
(“Unknown Update Detected”).
This is because the “/config” partition is not protected by “measured boot”, it is mutable and it
is not encrypted in any way.
An attacker can gain full control over the device without changing the PCR values, thereby not
triggering the “measured boot” mechanism, and having full access to the vault.
Note:
This issue was partially fixed in these commits (after disclosure to Zededa), where the config
partition measurement was added to PCR13:
• aa3501d6c57206ced222c33aea15a9169d629141
• 5fef4d92e75838cc78010edaed5247dfbdae1889.
This issue was made viable in version 9.0.0 when the calculation was moved to PCR14 but it was not included in the measured boot.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| LF-Edge, Zededa | EVE OS |
Version: 0 Version: 9.0.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:44:43.779Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://asrg.io/security-advisories/cve-2023-43633/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:o:lfedge:eve:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "eve",
"vendor": "lfedge",
"versions": [
{
"lessThan": "8.6.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "9.5.0",
"status": "affected",
"version": "9.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-43633",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-24T16:59:36.660433Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-24T17:00:40.426Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "EVE OS",
"product": "EVE OS",
"programFiles": [
"https://github.com/lf-edge/eve/tree/master/pkg/pillar/evetpm/tpm.go",
"https://github.com/lf-edge/eve/tree/master/pkg/grub/rootfs.cfg"
],
"repo": "https://github.com/lf-edge/eve",
"vendor": " LF-Edge, Zededa",
"versions": [
{
"lessThan": "8.6.0",
"status": "affected",
"version": "0",
"versionType": "release"
},
{
"lessThan": "9.5.0",
"status": "affected",
"version": "9.0.0",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Ilay Levi"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\nOn boot, the Pillar eve container checks for the existence and content of\n\u201c/config/GlobalConfig/global.json\u201d.\n\u003cbr\u003eIf the file exists, it overrides the existing configuration on the device on boot.\n\u003cbr\u003eThis allows an attacker to change the system\u2019s configuration, which also includes some\ndebug functions.\n\u003cbr\u003eThis could be used to unlock the ssh with custom \u201cauthorized_keys\u201d via the\n\u201cdebug.enable.ssh\u201d key, similar to the \u201cauthorized_keys\u201d finding that was noted before.\n\u003cbr\u003eOther usages include unlocking the usb to enable the keyboard via the \u201cdebug.enable.usb\u201d\nkey, allowing VNC access via the \u201capp.allow.vnc\u201d key, and more.\n\u003cbr\u003eAn attacker could easily enable these debug functionalities without triggering the \u201cmeasured\nboot\u201d mechanism implemented by EVE OS, and without marking the device as \u201cUUD\u201d\n(\u201cUnknown Update Detected\u201d).\nThis is because the \u201c/config\u201d partition is not protected by \u201cmeasured boot\u201d, it is mutable and it\nis not encrypted in any way.\u003cbr\u003e\u003cbr\u003e\n\n\n\nAn attacker can gain full control over the device without changing the PCR values, thereby not\ntriggering the \u201cmeasured boot\u201d mechanism, and having full access to the vault.\n\n\n\u003cbr\u003e\u003cbr\u003eNote:\n\u003cbr\u003eThis issue was partially fixed in these commits (after disclosure to Zededa), where the config\npartition measurement was added to PCR13:\n\u003cbr\u003e\u2022 aa3501d6c57206ced222c33aea15a9169d629141\n\u003cbr\u003e\u2022 5fef4d92e75838cc78010edaed5247dfbdae1889.\n\u003cbr\u003eThis issue was made viable in version 9.0.0 when the calculation was moved to PCR14 but it was not included in the measured boot."
}
],
"value": "\nOn boot, the Pillar eve container checks for the existence and content of\n\u201c/config/GlobalConfig/global.json\u201d.\n\nIf the file exists, it overrides the existing configuration on the device on boot.\n\nThis allows an attacker to change the system\u2019s configuration, which also includes some\ndebug functions.\n\nThis could be used to unlock the ssh with custom \u201cauthorized_keys\u201d via the\n\u201cdebug.enable.ssh\u201d key, similar to the \u201cauthorized_keys\u201d finding that was noted before.\n\nOther usages include unlocking the usb to enable the keyboard via the \u201cdebug.enable.usb\u201d\nkey, allowing VNC access via the \u201capp.allow.vnc\u201d key, and more.\n\nAn attacker could easily enable these debug functionalities without triggering the \u201cmeasured\nboot\u201d mechanism implemented by EVE OS, and without marking the device as \u201cUUD\u201d\n(\u201cUnknown Update Detected\u201d).\nThis is because the \u201c/config\u201d partition is not protected by \u201cmeasured boot\u201d, it is mutable and it\nis not encrypted in any way.\n\n\n\n\n\nAn attacker can gain full control over the device without changing the PCR values, thereby not\ntriggering the \u201cmeasured boot\u201d mechanism, and having full access to the vault.\n\n\n\n\nNote:\n\nThis issue was partially fixed in these commits (after disclosure to Zededa), where the config\npartition measurement was added to PCR13:\n\n\u2022 aa3501d6c57206ced222c33aea15a9169d629141\n\n\u2022 5fef4d92e75838cc78010edaed5247dfbdae1889.\n\nThis issue was made viable in version 9.0.0 when the calculation was moved to PCR14 but it was not included in the measured boot."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522 Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-922",
"description": "CWE-922 Insecure Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-28T05:33:11.251Z",
"orgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba",
"shortName": "ASRG"
},
"references": [
{
"url": "https://asrg.io/security-advisories/cve-2023-43633/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Debug Functions Unlockable Without Triggering Measured Boot",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba",
"assignerShortName": "ASRG",
"cveId": "CVE-2023-43633",
"datePublished": "2023-09-21T13:08:58.659Z",
"dateReserved": "2023-09-20T14:34:14.874Z",
"dateUpdated": "2024-09-24T17:00:40.426Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-43637 (GCVE-0-2023-43637)
Vulnerability from cvelistv5
Published
2023-09-21 13:20
Modified
2024-09-24 17:48
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-321 - Use of Hard-coded Cryptographic Key
Summary
Due to the implementation of "deriveVaultKey", prior to version 7.10, the generated vault key
would always have the last 16 bytes predetermined to be "arfoobarfoobarfo".
This issue happens because "deriveVaultKey" calls "retrieveCloudKey" (which will always
return "foobarfoobarfoobarfoobarfoobarfo" as the key), and then merges the 32byte
randomly generated key with this key (by takeing 16bytes from each, see "mergeKeys").
This makes the key a lot weaker.
This issue does not persist in devices that were initialized on/after version 7.10, but devices
that were initialized before that and updated to a newer version still have this issue.
Roll an update that enforces the full 32bytes key usage.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| LF-Edge, Zededa | EVE OS |
Version: 0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:44:43.811Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://asrg.io/security-advisories/cve-2023-43637/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:o:linuxfoundation:edge_virtualization_engine:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "edge_virtualization_engine",
"vendor": "linuxfoundation",
"versions": [
{
"lessThan": "7.10",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-43637",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-24T17:45:45.770173Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-24T17:48:30.086Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "EVE OS",
"product": "EVE OS",
"programFiles": [
"https://github.com/lf-edge/eve/tree/master/pkg/pillar/cmd/vaultmgr/vaultmgr.go",
"https://github.com/lf-edge/eve/tree/master/pkg/pillar/vault/key.go"
],
"repo": "https://github.com/lf-edge/eve",
"vendor": " LF-Edge, Zededa",
"versions": [
{
"lessThan": "7.10",
"status": "affected",
"version": "0",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Ilay Levi"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\nDue to the implementation of \"deriveVaultKey\", prior to version 7.10, the generated vault key\nwould always have the last 16 bytes predetermined to be \"arfoobarfoobarfo\".\n\u003cbr\u003eThis issue happens because \"deriveVaultKey\" calls \"retrieveCloudKey\" (which will always\nreturn \"foobarfoobarfoobarfoobarfoobarfo\" as the key), and then merges the 32byte\nrandomly generated key with this key (by takeing 16bytes from each, see \"mergeKeys\").\n\u003cbr\u003eThis makes the key a lot weaker.\n\u003cbr\u003eThis issue does not persist in devices that were initialized on/after version 7.10, but devices\nthat were initialized before that and updated to a newer version still have this issue.\u003cbr\u003e\u003cbr\u003e\n\nRoll an update that enforces the full 32bytes key usage.\n\n\n\n\n\n\u003cbr\u003e"
}
],
"value": "\nDue to the implementation of \"deriveVaultKey\", prior to version 7.10, the generated vault key\nwould always have the last 16 bytes predetermined to be \"arfoobarfoobarfo\".\n\nThis issue happens because \"deriveVaultKey\" calls \"retrieveCloudKey\" (which will always\nreturn \"foobarfoobarfoobarfoobarfoobarfo\" as the key), and then merges the 32byte\nrandomly generated key with this key (by takeing 16bytes from each, see \"mergeKeys\").\n\nThis makes the key a lot weaker.\n\nThis issue does not persist in devices that were initialized on/after version 7.10, but devices\nthat were initialized before that and updated to a newer version still have this issue.\n\n\n\nRoll an update that enforces the full 32bytes key usage.\n\n\n\n\n\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "CWE-321 Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-28T05:39:38.194Z",
"orgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba",
"shortName": "ASRG"
},
"references": [
{
"url": "https://asrg.io/security-advisories/cve-2023-43637/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Vault Key Partially Predetermined",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba",
"assignerShortName": "ASRG",
"cveId": "CVE-2023-43637",
"datePublished": "2023-09-21T13:20:05.473Z",
"dateReserved": "2023-09-20T14:34:14.875Z",
"dateUpdated": "2024-09-24T17:48:30.086Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}