CVE-2023-43634 (GCVE-0-2023-43634)
Vulnerability from cvelistv5
Published
2023-09-21 13:05
Modified
2024-09-24 16:54
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
When sealing/unsealing the “vault” key, a list of PCRs is used, which defines which PCRs
are used.
In a previous project, CYMOTIVE found that the configuration is not protected by the secure
boot, and in response Zededa implemented measurements on the config partition that was
mapped to PCR 13.
In that process, PCR 13 was added to the list of PCRs that seal/unseal the key.
In commit “56e589749c6ff58ded862d39535d43253b249acf”, the config partition
measurement moved from PCR 13 to PCR 14, but PCR 14 was not added to the list of
PCRs that seal/unseal the key.
This change makes the measurement of PCR 14 effectively redundant as it would not affect
the sealing/unsealing of the key.
An attacker could modify the config partition without triggering the measured boot, this could
result in the attacker gaining full control over the device with full access to the contents of the
encrypted “vault”
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| LF-Edge, Zededa | EVE OS |
Version: 0 Version: 9.0.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:44:43.689Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://asrg.io/security-advisories/cve-2023-43634/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:o:lfedge:eve:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "eve",
"vendor": "lfedge",
"versions": [
{
"lessThan": "8.6.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "9.5.0",
"status": "affected",
"version": "9.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-43634",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-24T16:48:31.106489Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-24T16:54:58.431Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "EVE OS",
"product": "EVE OS",
"programFiles": [
"https://github.com/lf-edge/eve/tree/master/pkg/pillar/evetpm/tpm.go",
"https://github.com/lf-edge/eve/tree/master/pkg/grub/rootfs.go",
"https://github.com/lf-edge/eve/tree/master/pkg/measure-config/src/measurefs.go"
],
"repo": "https://github.com/lf-edge/eve",
"vendor": " LF-Edge, Zededa",
"versions": [
{
"lessThan": "8.6.0",
"status": "affected",
"version": "0",
"versionType": "release"
},
{
"lessThan": "9.5.0",
"status": "affected",
"version": "9.0.0",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Ilay Levi"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\nWhen sealing/unsealing the \u201cvault\u201d key, a list of PCRs is used, which defines which PCRs\nare used.\n\u003cbr\u003eIn a previous project, CYMOTIVE found that the configuration is not protected by the secure\nboot, and in response Zededa implemented measurements on the config partition that was\nmapped to PCR 13.\n\u003cbr\u003eIn that process, PCR 13 was added to the list of PCRs that seal/unseal the key.\n\u003cbr\u003eIn commit \u201c56e589749c6ff58ded862d39535d43253b249acf\u201d, the config partition\nmeasurement moved from PCR 13 to PCR 14, but PCR 14 was not added to the list of\nPCRs that seal/unseal the key.\n\u003cbr\u003eThis change makes the measurement of PCR 14 effectively redundant as it would not affect\nthe sealing/unsealing of the key.\u003cbr\u003e\u003cbr\u003e\n\nAn attacker could modify the config partition without triggering the measured boot, this could\nresult in the attacker gaining full control over the device with full access to the contents of the\nencrypted \u201cvault\u201d\n\n\n\n\u003cbr\u003e"
}
],
"value": "\nWhen sealing/unsealing the \u201cvault\u201d key, a list of PCRs is used, which defines which PCRs\nare used.\n\nIn a previous project, CYMOTIVE found that the configuration is not protected by the secure\nboot, and in response Zededa implemented measurements on the config partition that was\nmapped to PCR 13.\n\nIn that process, PCR 13 was added to the list of PCRs that seal/unseal the key.\n\nIn commit \u201c56e589749c6ff58ded862d39535d43253b249acf\u201d, the config partition\nmeasurement moved from PCR 13 to PCR 14, but PCR 14 was not added to the list of\nPCRs that seal/unseal the key.\n\nThis change makes the measurement of PCR 14 effectively redundant as it would not affect\nthe sealing/unsealing of the key.\n\n\n\nAn attacker could modify the config partition without triggering the measured boot, this could\nresult in the attacker gaining full control over the device with full access to the contents of the\nencrypted \u201cvault\u201d\n\n\n\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522 Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-922",
"description": "CWE-922 Insecure Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-28T05:35:08.666Z",
"orgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba",
"shortName": "ASRG"
},
"references": [
{
"url": "https://asrg.io/security-advisories/cve-2023-43634/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": " Config Partition Not Protected by Measured Boot",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba",
"assignerShortName": "ASRG",
"cveId": "CVE-2023-43634",
"datePublished": "2023-09-21T13:05:14.046Z",
"dateReserved": "2023-09-20T14:34:14.874Z",
"dateUpdated": "2024-09-24T16:54:58.431Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2023-43634\",\"sourceIdentifier\":\"cve@asrg.io\",\"published\":\"2023-09-21T14:15:11.477\",\"lastModified\":\"2024-11-21T08:24:30.747\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"\\nWhen sealing/unsealing the \u201cvault\u201d key, a list of PCRs is used, which defines which PCRs\\nare used.\\n\\nIn a previous project, CYMOTIVE found that the configuration is not protected by the secure\\nboot, and in response Zededa implemented measurements on the config partition that was\\nmapped to PCR 13.\\n\\nIn that process, PCR 13 was added to the list of PCRs that seal/unseal the key.\\n\\nIn commit \u201c56e589749c6ff58ded862d39535d43253b249acf\u201d, the config partition\\nmeasurement moved from PCR 13 to PCR 14, but PCR 14 was not added to the list of\\nPCRs that seal/unseal the key.\\n\\nThis change makes the measurement of PCR 14 effectively redundant as it would not affect\\nthe sealing/unsealing of the key.\\n\\n\\n\\nAn attacker could modify the config partition without triggering the measured boot, this could\\nresult in the attacker gaining full control over the device with full access to the contents of the\\nencrypted \u201cvault\u201d\\n\\n\\n\\n\\n\"},{\"lang\":\"es\",\"value\":\"Al sellar/abrir la clave de \u201cvault\u201d, se utiliza una lista de PCRs, que define qu\u00e9 PCRs se utilizan. En un proyecto anterior, CYMOTIVE descubri\u00f3 que la configuraci\u00f3n no est\u00e1 protegida por el arranque seguro y, en respuesta, Zededa implement\u00f3 medidas en la partici\u00f3n de configuraci\u00f3n que estaba asignada a PCR 13. En ese proceso, PCR 13 se agreg\u00f3 a la lista de PCRs que sellan /abrir la llave. En el commit \u201c56e589749c6ff58ded862d39535d43253b249acf\u201d, la medici\u00f3n de la partici\u00f3n de configuraci\u00f3n pas\u00f3 de PCR 13 a PCR 14, pero PCR 14 no se agreg\u00f3 a la lista de PCR que sellan/abren la clave. Este cambio hace que la medici\u00f3n de PCR 14 sea efectivamente redundante ya que no afectar\u00eda el sellado/abrir de la llave. Un atacante podr\u00eda modificar la partici\u00f3n de configuraci\u00f3n sin activar el arranque medido, lo que podr\u00eda dar como resultado que el atacante obtenga control total sobre el dispositivo con acceso completo al contenido de la \\\"vault\\\" cifrada.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cve@asrg.io\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.0,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.0,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"cve@asrg.io\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-522\"},{\"lang\":\"en\",\"value\":\"CWE-922\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-522\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:lfedge:eve:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"8.6.0\",\"matchCriteriaId\":\"95D311A8-5FBD-49AF-AD11-8B78420BAEAE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:lfedge:eve:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.0.0\",\"versionEndExcluding\":\"9.5.0\",\"matchCriteriaId\":\"A3648A14-186C-4E6A-AA73-7D2F5C78019D\"}]}]}],\"references\":[{\"url\":\"https://asrg.io/security-advisories/cve-2023-43634/\",\"source\":\"cve@asrg.io\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://asrg.io/security-advisories/cve-2023-43634/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://asrg.io/security-advisories/cve-2023-43634/\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T19:44:43.689Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-43634\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-24T16:48:31.106489Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:o:lfedge:eve:*:*:*:*:*:*:*:*\"], \"vendor\": \"lfedge\", \"product\": \"eve\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"8.6.0\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"9.0.0\", \"lessThan\": \"9.5.0\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-24T16:54:53.062Z\"}}], \"cna\": {\"title\": \" Config Partition Not Protected by Measured Boot\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"user\": \"00000000-0000-4000-9000-000000000000\", \"value\": \"Ilay Levi\"}], \"impacts\": [{\"capecId\": \"CAPEC-115\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-115 Authentication Bypass\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8.8, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/lf-edge/eve\", \"vendor\": \" LF-Edge, Zededa\", \"product\": \"EVE OS\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"8.6.0\", \"versionType\": \"release\"}, {\"status\": \"affected\", \"version\": \"9.0.0\", \"lessThan\": \"9.5.0\", \"versionType\": \"release\"}], \"packageName\": \"EVE OS\", \"programFiles\": [\"https://github.com/lf-edge/eve/tree/master/pkg/pillar/evetpm/tpm.go\", \"https://github.com/lf-edge/eve/tree/master/pkg/grub/rootfs.go\", \"https://github.com/lf-edge/eve/tree/master/pkg/measure-config/src/measurefs.go\"], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://asrg.io/security-advisories/cve-2023-43634/\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"\\nWhen sealing/unsealing the \\u201cvault\\u201d key, a list of PCRs is used, which defines which PCRs\\nare used.\\n\\nIn a previous project, CYMOTIVE found that the configuration is not protected by the secure\\nboot, and in response Zededa implemented measurements on the config partition that was\\nmapped to PCR 13.\\n\\nIn that process, PCR 13 was added to the list of PCRs that seal/unseal the key.\\n\\nIn commit \\u201c56e589749c6ff58ded862d39535d43253b249acf\\u201d, the config partition\\nmeasurement moved from PCR 13 to PCR 14, but PCR 14 was not added to the list of\\nPCRs that seal/unseal the key.\\n\\nThis change makes the measurement of PCR 14 effectively redundant as it would not affect\\nthe sealing/unsealing of the key.\\n\\n\\n\\nAn attacker could modify the config partition without triggering the measured boot, this could\\nresult in the attacker gaining full control over the device with full access to the contents of the\\nencrypted \\u201cvault\\u201d\\n\\n\\n\\n\\n\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\\n\\nWhen sealing/unsealing the \\u201cvault\\u201d key, a list of PCRs is used, which defines which PCRs\\nare used.\\n\u003cbr\u003eIn a previous project, CYMOTIVE found that the configuration is not protected by the secure\\nboot, and in response Zededa implemented measurements on the config partition that was\\nmapped to PCR 13.\\n\u003cbr\u003eIn that process, PCR 13 was added to the list of PCRs that seal/unseal the key.\\n\u003cbr\u003eIn commit \\u201c56e589749c6ff58ded862d39535d43253b249acf\\u201d, the config partition\\nmeasurement moved from PCR 13 to PCR 14, but PCR 14 was not added to the list of\\nPCRs that seal/unseal the key.\\n\u003cbr\u003eThis change makes the measurement of PCR 14 effectively redundant as it would not affect\\nthe sealing/unsealing of the key.\u003cbr\u003e\u003cbr\u003e\\n\\nAn attacker could modify the config partition without triggering the measured boot, this could\\nresult in the attacker gaining full control over the device with full access to the contents of the\\nencrypted \\u201cvault\\u201d\\n\\n\\n\\n\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-522\", \"description\": \"CWE-522 Insufficiently Protected Credentials\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-922\", \"description\": \"CWE-922 Insecure Storage of Sensitive Information\"}]}], \"providerMetadata\": {\"orgId\": \"c15abc07-96a9-4d11-a503-5d621bfe42ba\", \"shortName\": \"ASRG\", \"dateUpdated\": \"2023-09-28T05:35:08.666Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2023-43634\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-09-24T16:54:58.431Z\", \"dateReserved\": \"2023-09-20T14:34:14.874Z\", \"assignerOrgId\": \"c15abc07-96a9-4d11-a503-5d621bfe42ba\", \"datePublished\": \"2023-09-21T13:05:14.046Z\", \"assignerShortName\": \"ASRG\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…