CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-43637 – Vault Key Partially Predetermined
https://notcve.org/view.php?id=CVE-2023-43637
21 Sep 2023 — Due to the implementation of "deriveVaultKey", prior to version 7.10, the generated vault key would always have the last 16 bytes predetermined to be "arfoobarfoobarfo". This issue happens because "deriveVaultKey" calls "retrieveCloudKey" (which will always return "foobarfoobarfoobarfoobarfoobarfo" as the key), and then merges the 32byte randomly generated key with this key (by takeing 16bytes from each, see "mergeKeys"). This makes the key a lot weaker. This issue does not persist in devices that were init... • https://asrg.io/security-advisories/cve-2023-43637 • CWE-321: Use of Hard-coded Cryptographic Key CWE-798: Use of Hard-coded Credentials •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-43633 – Debug Functions Unlockable Without Triggering Measured Boot
https://notcve.org/view.php?id=CVE-2023-43633
21 Sep 2023 — On boot, the Pillar eve container checks for the existence and content of “/config/GlobalConfig/global.json”. If the file exists, it overrides the existing configuration on the device on boot. This allows an attacker to change the system’s configuration, which also includes some debug functions. This could be used to unlock the ssh with custom “authorized_keys” via the “debug.enable.ssh” key, similar to the “authorized_keys” finding that was noted before. Other usages include unlocking the usb to enable the... • https://asrg.io/security-advisories/cve-2023-43633 • CWE-522: Insufficiently Protected Credentials CWE-922: Insecure Storage of Sensitive Information •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-43634 – Config Partition Not Protected by Measured Boot
https://notcve.org/view.php?id=CVE-2023-43634
21 Sep 2023 — When sealing/unsealing the “vault” key, a list of PCRs is used, which defines which PCRs are used. In a previous project, CYMOTIVE found that the configuration is not protected by the secure boot, and in response Zededa implemented measurements on the config partition that was mapped to PCR 13. In that process, PCR 13 was added to the list of PCRs that seal/unseal the key. In commit “56e589749c6ff58ded862d39535d43253b249acf”, the config partition measurement moved from PCR 13 to PCR 14, but PCR 14 was not a... • https://asrg.io/security-advisories/cve-2023-43634 • CWE-522: Insufficiently Protected Credentials CWE-922: Insecure Storage of Sensitive Information •