CVE-2023-43630
Config Partition Not Measured From 2 Fronts
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
PCR14 is not in the list of PCRs that seal/unseal the “vault” key, but
due to the change that was implemented in commit
“7638364bc0acf8b5c481b5ce5fea11ad44ad7fd4”, fixing this issue alone would not solve the
problem of the config partition not being measured correctly.
Also, the “vault” key is sealed/unsealed with SHA1 PCRs instead of
SHA256.
This issue was somewhat mitigated due to all of the PCR extend functions
updating both the values of SHA256 and SHA1 for a given PCR ID.
However, due to the change that was implemented in commit
“7638364bc0acf8b5c481b5ce5fea11ad44ad7fd4”, this is no longer the case for PCR14, as
the code in “measurefs.go” explicitly updates only the SHA256 instance of PCR14, which
means that even if PCR14 were to be added to the list of PCRs sealing/unsealing the “vault”
key, changes to the config partition would still not be measured.
An attacker could modify the config partition without triggering the measured boot, this could
result in the attacker gaining full control over the device with full access to the contents of the
encrypted “vault”
PCR14 no está en la lista de PCRs que sella/abre la clave de “vault”, pero debido al cambio que se implementó en el commit “7638364bc0acf8b5c481b5ce5fea11ad44ad7fd4”, solucionar este problema por sí solo no resolvería el problema de que la partición de configuración no se mida correctamente. Además, la clave de la "vault" se sella/se abre con PCRs SHA1 en lugar de SHA256. Este problema se mitigó en cierta medida debido a que todas las funciones de extensión de PCR actualizaron los valores de SHA256 y SHA1 para una ID de PCR determinada. Sin embargo, debido al cambio que se implementó en el commit "7638364bc0acf8b5c481b5ce5fea11ad44ad7fd4", este ya no es el caso para PCR14, ya que el código en "measurefs.go" actualiza explícitamente solo la instancia SHA256 de PCR14, lo que significa que incluso si PCR14 fuera Si se agregara a la lista de PCRs que sellan o abren la clave de “vault”, los cambios en la partición de configuración aún no se medirían. Un atacante podría modificar la partición de configuración sin activar el arranque medido, lo que podría dar como resultado que el atacante obtenga control total sobre el dispositivo con acceso completo al contenido de la "vault" cifrada.
CVSS Scores
SSVC
- Decision:Track*
Timeline
- 2023-09-20 CVE Reserved
- 2023-09-20 CVE Published
- 2023-09-22 EPSS Updated
- 2024-09-24 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-328: Use of Weak Hash
- CWE-522: Insufficiently Protected Credentials
- CWE-922: Insecure Storage of Sensitive Information
CAPEC
- CAPEC-115: Authentication Bypass
References (1)
URL | Tag | Source |
---|---|---|
https://asrg.io/security-advisories/cve-2023-43630 |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Linuxfoundation Search vendor "Linuxfoundation" | Edge Virtualization Engine Search vendor "Linuxfoundation" for product "Edge Virtualization Engine" | >= 9.0.0 < 9.5.0 Search vendor "Linuxfoundation" for product "Edge Virtualization Engine" and version " >= 9.0.0 < 9.5.0" | - |
Affected
|