CVE-2023-43637 – Vault Key Partially Predetermined
https://notcve.org/view.php?id=CVE-2023-43637
Due to the implementation of "deriveVaultKey", prior to version 7.10, the generated vault key would always have the last 16 bytes predetermined to be "arfoobarfoobarfo". This issue happens because "deriveVaultKey" calls "retrieveCloudKey" (which will always return "foobarfoobarfoobarfoobarfoobarfo" as the key), and then merges the 32byte randomly generated key with this key (by takeing 16bytes from each, see "mergeKeys"). This makes the key a lot weaker. This issue does not persist in devices that were initialized on/after version 7.10, but devices that were initialized before that and updated to a newer version still have this issue. Roll an update that enforces the full 32bytes key usage. Debido a la implementación de "deriveVaultKey", antes de la versión 7.10, la clave de almacén generada siempre tendría los últimos 16 bytes predeterminados como "arfoobarfoobarfo". Este problema ocurre porque "deriveVaultKey" llama a "retrieveCloudKey" (que siempre devolverá "foobarfoobarfoobarfoobarfoobarfo" como clave) y luego fusiona la clave de 32 bytes generada aleatoriamente con esta clave (tomando 16 bytes de cada una, consulte "mergeKeys"). Esto debilita mucho la clave. Este problema no persiste en los dispositivos que se inicializaron en la versión 7.10 o posteriores, pero los dispositivos que se inicializaron antes y se actualizaron a una versión más reciente aún tienen este problema. • https://asrg.io/security-advisories/cve-2023-43637 • CWE-321: Use of Hard-coded Cryptographic Key CWE-798: Use of Hard-coded Credentials •
CVE-2023-43633 – Debug Functions Unlockable Without Triggering Measured Boot
https://notcve.org/view.php?id=CVE-2023-43633
On boot, the Pillar eve container checks for the existence and content of “/config/GlobalConfig/global.json”. If the file exists, it overrides the existing configuration on the device on boot. This allows an attacker to change the system’s configuration, which also includes some debug functions. This could be used to unlock the ssh with custom “authorized_keys” via the “debug.enable.ssh” key, similar to the “authorized_keys” finding that was noted before. Other usages include unlocking the usb to enable the keyboard via the “debug.enable.usb” key, allowing VNC access via the “app.allow.vnc” key, and more. An attacker could easily enable these debug functionalities without triggering the “measured boot” mechanism implemented by EVE OS, and without marking the device as “UUD” (“Unknown Update Detected”). This is because the “/config” partition is not protected by “measured boot”, it is mutable and it is not encrypted in any way. An attacker can gain full control over the device without changing the PCR values, thereby not triggering the “measured boot” mechanism, and having full access to the vault. Note: This issue was partially fixed in these commits (after disclosure to Zededa), where the config partition measurement was added to PCR13: • aa3501d6c57206ced222c33aea15a9169d629141 • 5fef4d92e75838cc78010edaed5247dfbdae1889. This issue was made viable in version 9.0.0 when the calculation was moved to PCR14 but it was not included in the measured boot. Al arrancar, el contenedor Pillar eve comprueba la existencia y el contenido de “/config/GlobalConfig/global.json”. Si el archivo existe, anula la configuración existente en el dispositivo al arrancar. Esto permite a un atacante cambiar la configuración del sistema, que también incluye algunas funciones de depuración. Esto podría usarse para desbloquear el ssh con “claves_autorizadas” personalizadas a través de la clave “debug.enable.ssh”, similar al hallazgo de “claves_autorizadas” que se señaló anteriormente. • https://asrg.io/security-advisories/cve-2023-43633 • CWE-522: Insufficiently Protected Credentials CWE-922: Insecure Storage of Sensitive Information •
CVE-2023-43634 – Config Partition Not Protected by Measured Boot
https://notcve.org/view.php?id=CVE-2023-43634
When sealing/unsealing the “vault” key, a list of PCRs is used, which defines which PCRs are used. In a previous project, CYMOTIVE found that the configuration is not protected by the secure boot, and in response Zededa implemented measurements on the config partition that was mapped to PCR 13. In that process, PCR 13 was added to the list of PCRs that seal/unseal the key. In commit “56e589749c6ff58ded862d39535d43253b249acf”, the config partition measurement moved from PCR 13 to PCR 14, but PCR 14 was not added to the list of PCRs that seal/unseal the key. This change makes the measurement of PCR 14 effectively redundant as it would not affect the sealing/unsealing of the key. An attacker could modify the config partition without triggering the measured boot, this could result in the attacker gaining full control over the device with full access to the contents of the encrypted “vault” Al sellar/abrir la clave de “vault”, se utiliza una lista de PCRs, que define qué PCRs se utilizan. En un proyecto anterior, CYMOTIVE descubrió que la configuración no está protegida por el arranque seguro y, en respuesta, Zededa implementó medidas en la partición de configuración que estaba asignada a PCR 13. En ese proceso, PCR 13 se agregó a la lista de PCRs que sellan /abrir la llave. En el commit “56e589749c6ff58ded862d39535d43253b249acf”, la medición de la partición de configuración pasó de PCR 13 a PCR 14, pero PCR 14 no se agregó a la lista de PCR que sellan/abren la clave. Este cambio hace que la medición de PCR 14 sea efectivamente redundante ya que no afectaría el sellado/abrir de la llave. • https://asrg.io/security-advisories/cve-2023-43634 • CWE-522: Insufficiently Protected Credentials CWE-922: Insecure Storage of Sensitive Information •
CVE-2018-8097
https://notcve.org/view.php?id=CVE-2018-8097
io/mongo/parser.py in Eve (aka pyeve) before 0.7.5 allows remote attackers to execute arbitrary code via Code Injection in the where parameter. io/mongo/parser.py en Eve (también conocido como pyeve), en versiones anteriores a la 0.7.5, permite que atacantes remotos ejecuten código arbitrario mediante inyección de código en el parámetro where. • https://github.com/SilentVoid13/CVE-2018-8097 https://github.com/pyeve/eve/commit/f8f7019ffdf9b4e05faf95e1f04e204aa4c91f98 https://github.com/pyeve/eve/issues/1101 • CWE-94: Improper Control of Generation of Code ('Code Injection') •