CVE-2023-43630 (GCVE-0-2023-43630)
Vulnerability from cvelistv5
Published
2023-09-20 14:37
Modified
2024-09-24 18:34
CWE
  • CWE-522 - Insufficiently Protected Credentials
  • CWE-922 - Insecure Storage of Sensitive Information
  • CWE-328 - Use of Weak Hash
Summary
PCR14 is not in the list of PCRs that seal/unseal the “vault” key, but because of the change implemented in commit “7638364bc0acf8b5c481b5ce5fea11ad44ad7fd4”, fixing this issue alone would not solve the problem of the config partition not being measured correctly.

Also, the “vault” key is sealed/unsealed with SHA1 PCRs instead of SHA256. This issue was somewhat mitigated because all of the PCR extend functions update both the SHA256 and SHA1 values for a given PCR ID. However, because of the change implemented in commit “7638364bc0acf8b5c481b5ce5fea11ad44ad7fd4”, this is no longer the case for PCR14: the code in “measurefs.go” explicitly updates only the SHA256 instance of PCR14, which means that even if PCR14 were added to the list of PCRs sealing/unsealing the “vault” key, changes to the config partition would still not be measured.

An attacker could modify the config partition without triggering the measured boot; this could result in the attacker gaining full control over the device, with full access to the contents of the encrypted “vault”.


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T19:44:43.769Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://asrg.io/security-advisories/cve-2023-43630/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-43630",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-24T18:34:08.728174Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-24T18:34:19.821Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageName": "EVE OS",
          "product": "EVE OS",
          "programFiles": [
            "https://github.com/lf-edge/eve/blob/master/pkg/measure-config/src/measurefs.go",
            "https://github.com/lf-edge/eve/blob/master/pkg/pillar/evetpm/tpm.go"
          ],
          "repo": "https://github.com/lf-edge/eve",
          "vendor": " LF-Edge, Zededa",
          "versions": [
            {
              "lessThan": "9.5.0",
              "status": "affected",
              "version": "9.0.0",
              "versionType": "release"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Ilay Levi"
        }
      ],
      "datePublic": "2023-09-20T14:35:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "PCR14 is not in the list of PCRs that seal/unseal the \u201cvault\u201d key, but\ndue to the change that was implemented in commit\n\u201c7638364bc0acf8b5c481b5ce5fea11ad44ad7fd4\u201d, fixing this issue alone would not solve the\nproblem of the config partition not being measured correctly.\n\u003cbr\u003eAlso, the \u201cvault\u201d key is sealed/unsealed with SHA1 PCRs instead of\nSHA256. \u003cbr\u003eThis issue was somewhat mitigated due to all of the PCR extend functions\nupdating both the values of SHA256 and SHA1 for a given PCR ID.\n\u003cbr\u003eHowever, due to the change that was implemented in commit\n\u201c7638364bc0acf8b5c481b5ce5fea11ad44ad7fd4\u201d, this is no longer the case for PCR14, as\nthe code in \u201cmeasurefs.go\u201d explicitly updates only the SHA256 instance of PCR14, which\nmeans that even if PCR14 were to be added to the list of PCRs sealing/unsealing the \u201cvault\u201d\nkey, changes to the config partition would still not be measured.\u003cbr\u003e\u003cbr\u003e\n\nAn attacker could modify the config partition without triggering the measured boot, this could\nresult in the attacker gaining full control over the device with full access to the contents of the\nencrypted \u201cvault\u201d \n\n\n\n\u003cbr\u003e"
            }
          ],
          "value": "PCR14 is not in the list of PCRs that seal/unseal the \u201cvault\u201d key, but\ndue to the change that was implemented in commit\n\u201c7638364bc0acf8b5c481b5ce5fea11ad44ad7fd4\u201d, fixing this issue alone would not solve the\nproblem of the config partition not being measured correctly.\n\nAlso, the \u201cvault\u201d key is sealed/unsealed with SHA1 PCRs instead of\nSHA256. \nThis issue was somewhat mitigated due to all of the PCR extend functions\nupdating both the values of SHA256 and SHA1 for a given PCR ID.\n\nHowever, due to the change that was implemented in commit\n\u201c7638364bc0acf8b5c481b5ce5fea11ad44ad7fd4\u201d, this is no longer the case for PCR14, as\nthe code in \u201cmeasurefs.go\u201d explicitly updates only the SHA256 instance of PCR14, which\nmeans that even if PCR14 were to be added to the list of PCRs sealing/unsealing the \u201cvault\u201d\nkey, changes to the config partition would still not be measured.\n\n\n\nAn attacker could modify the config partition without triggering the measured boot, this could\nresult in the attacker gaining full control over the device with full access to the contents of the\nencrypted \u201cvault\u201d \n\n\n\n\n"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-115",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-115 Authentication Bypass"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-522",
              "description": "CWE-522 Insufficiently Protected Credentials",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-922",
              "description": "CWE-922 Insecure Storage of Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-328",
              "description": "CWE-328 Use of Weak Hash",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-09-28T05:39:02.209Z",
        "orgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba",
        "shortName": "ASRG"
      },
      "references": [
        {
          "url": "https://asrg.io/security-advisories/cve-2023-43630/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Config Partition Not Measured From 2 Fronts",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba",
    "assignerShortName": "ASRG",
    "cveId": "CVE-2023-43630",
    "datePublished": "2023-09-20T14:37:44.564Z",
    "dateReserved": "2023-09-20T14:34:14.873Z",
    "dateUpdated": "2024-09-24T18:34:19.821Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
  }
}

