// For flags

CVE-2023-43630

Config Partition Not Measured From 2 Fronts

Severity Score

8.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track*
*SSVC
Descriptions

PCR14 is not in the list of PCRs that seal/unseal the “vault” key, but
due to the change that was implemented in commit
“7638364bc0acf8b5c481b5ce5fea11ad44ad7fd4”, fixing this issue alone would not solve the
problem of the config partition not being measured correctly.

Also, the “vault” key is sealed/unsealed with SHA1 PCRs instead of
SHA256.
This issue was somewhat mitigated due to all of the PCR extend functions
updating both the values of SHA256 and SHA1 for a given PCR ID.

However, due to the change that was implemented in commit
“7638364bc0acf8b5c481b5ce5fea11ad44ad7fd4”, this is no longer the case for PCR14, as
the code in “measurefs.go” explicitly updates only the SHA256 instance of PCR14, which
means that even if PCR14 were to be added to the list of PCRs sealing/unsealing the “vault”
key, changes to the config partition would still not be measured.



An attacker could modify the config partition without triggering the measured boot, this could
result in the attacker gaining full control over the device with full access to the contents of the
encrypted “vault”

PCR14 no está en la lista de PCRs que sella/abre la clave de “vault”, pero debido al cambio que se implementó en el commit “7638364bc0acf8b5c481b5ce5fea11ad44ad7fd4”, solucionar este problema por sí solo no resolvería el problema de que la partición de configuración no se mida correctamente. Además, la clave de la "vault" se sella/se abre con PCRs SHA1 en lugar de SHA256. Este problema se mitigó en cierta medida debido a que todas las funciones de extensión de PCR actualizaron los valores de SHA256 y SHA1 para una ID de PCR determinada. Sin embargo, debido al cambio que se implementó en el commit "7638364bc0acf8b5c481b5ce5fea11ad44ad7fd4", este ya no es el caso para PCR14, ya que el código en "measurefs.go" actualiza explícitamente solo la instancia SHA256 de PCR14, lo que significa que incluso si PCR14 fuera Si se agregara a la lista de PCRs que sellan o abren la clave de “vault”, los cambios en la partición de configuración aún no se medirían. Un atacante podría modificar la partición de configuración sin activar el arranque medido, lo que podría dar como resultado que el atacante obtenga control total sobre el dispositivo con acceso completo al contenido de la "vault" cifrada.

*Credits: Ilay Levi
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:Track*
Exploitation
None
Automatable
No
Tech. Impact
Total
* Organization's Worst-case Scenario
Timeline
  • 2023-09-20 CVE Reserved
  • 2023-09-20 CVE Published
  • 2023-09-22 EPSS Updated
  • 2024-09-24 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-328: Use of Weak Hash
  • CWE-522: Insufficiently Protected Credentials
  • CWE-922: Insecure Storage of Sensitive Information
CAPEC
  • CAPEC-115: Authentication Bypass
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Linuxfoundation
Search vendor "Linuxfoundation"
 Edge Virtualization Engine
Search vendor "Linuxfoundation" for product "Edge Virtualization Engine"
 >= 9.0.0 < 9.5.0
Search vendor "Linuxfoundation" for product "Edge Virtualization Engine" and version " >= 9.0.0 < 9.5.0"
-
Affected