11 results (0.008 seconds)

CVSS: 6.5 | EPSS: 0% | CPEs: 9 | EXPL: 0

A flaw was found in the Keylime registrar that could allow a bypass of the challenge-response protocol during agent registration. This issue may allow an attacker to impersonate an agent and hide the true status of a monitored machine if the fake agent is added to the verifier list by a legitimate user, resulting in a breach of the integrity of the registrar database.
• https://access.redhat.com/errata/RHSA-2023:5080 https://access.redhat.com/security/cve/CVE-2023-38201 https://bugzilla.redhat.com/show_bug.cgi?id=2222693 https://github.com/keylime/keylime/commit/9e5ac9f25cd400b16d5969f531cee28290543f2a https://github.com/keylime/keylime/security/advisories/GHSA-f4r5-q63f-gcww https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZIZZB5NHNCS5D2AEH3ZAO6OQC72IK7WS
• CWE-639: Authorization Bypass Through User-Controlled Key

CVSS: 2.8 | EPSS: 0% | CPEs: 2 | EXPL: 0

A flaw was found in the Keylime attestation verifier, which fails to flag a device's submitted TPM quote as faulty when the quote's signature does not validate for some reason. Instead, it only emits an error in the log without flagging the device as untrusted.
• https://access.redhat.com/errata/RHSA-2024:1139 https://access.redhat.com/security/cve/CVE-2023-3674 https://bugzilla.redhat.com/show_bug.cgi?id=2222903 https://github.com/keylime/keylime/commit/95ce3d86bd2c53009108ffda2dcf553312d733db
• CWE-1283: Mutable Attestation or Measurement Reporting Data

CVSS: 5.1 | EPSS: 0% | CPEs: 5 | EXPL: 0

A vulnerability was found in Keylime. In some circumstances, due to improperly handled exceptions, a rogue agent could cause errors on the verifier that stop attestation attempts for that host, leaving it in an attested state while it is no longer being verified.
• https://access.redhat.com/security/cve/CVE-2022-3500 https://github.com/keylime/keylime/pull/1128 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PUTHMDVFNGGVPCNPOGULMJAAFEP7MEXP https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QX4XVCAUFGJ2I2NCTOKONTJGRJB2NBBT https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQH5CJRX65QYMQN5WGUKKKE3IRJBWG5Z https://bugzilla.redhat.com/show_bug.cgi?id=2135343
• CWE-248: Uncaught Exception

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

In Keylime before 6.3.0, the Keylime installer installs the keylime.conf file, which can contain sensitive data, as world-readable.
• https://github.com/keylime/keylime/commit/883085d6a4bcea3012729014d5b8e15ecd65fc7c https://github.com/keylime/keylime/security/advisories/GHSA-fchm-5w2v-qfm8 https://seclists.org/oss-sec/2022/q1/101
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 5.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

In Keylime before 6.3.0, quote responses from the agent can contain possibly untrusted ZIP data, which can lead to zip bombs.
• https://github.com/keylime/keylime/commit/6e44758b64b0ee13564fc46e807f4ba98091c355 https://github.com/keylime/keylime/security/advisories/GHSA-6xx7-m45w-76m2 https://seclists.org/oss-sec/2022/q1/101
• CWE-400: Uncontrolled Resource Consumption