CVE-2023-43634

Config Partition Not Protected by Measured Boot

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

When sealing/unsealing the “vault” key, a list of PCRs is used, which defines which PCRs
are used.

In a previous project, CYMOTIVE found that the configuration is not protected by the secure
boot, and in response Zededa implemented measurements on the config partition that was
mapped to PCR 13.

In that process, PCR 13 was added to the list of PCRs that seal/unseal the key.

In commit “56e589749c6ff58ded862d39535d43253b249acf”, the config partition
measurement moved from PCR 13 to PCR 14, but PCR 14 was not added to the list of
PCRs that seal/unseal the key.

This change makes the measurement of PCR 14 effectively redundant as it would not affect
the sealing/unsealing of the key.

An attacker could modify the config partition without triggering the measured boot, this could
result in the attacker gaining full control over the device with full access to the contents of the
encrypted “vault”

Al sellar/abrir la clave de “vault”, se utiliza una lista de PCRs, que define qué PCRs se utilizan. En un proyecto anterior, CYMOTIVE descubrió que la configuración no está protegida por el arranque seguro y, en respuesta, Zededa implementó medidas en la partición de configuración que estaba asignada a PCR 13. En ese proceso, PCR 13 se agregó a la lista de PCRs que sellan /abrir la llave. En el commit “56e589749c6ff58ded862d39535d43253b249acf”, la medición de la partición de configuración pasó de PCR 13 a PCR 14, pero PCR 14 no se agregó a la lista de PCR que sellan/abren la clave. Este cambio hace que la medición de PCR 14 sea efectivamente redundante ya que no afectaría el sellado/abrir de la llave. Un atacante podría modificar la partición de configuración sin activar el arranque medido, lo que podría dar como resultado que el atacante obtenga control total sobre el dispositivo con acceso completo al contenido de la "vault" cifrada.

*Credits: Ilay Levi

CVSS Scores

NISTv3.1 8.8

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-09-20 CVE Reserved
2023-09-21 CVE Published
2023-09-22 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-522: Insufficiently Protected Credentials
CWE-922: Insecure Storage of Sensitive Information

CAPEC

CAPEC-115: Authentication Bypass

References (1)

URL	Tag	Source
https://asrg.io/security-advisories/cve-2023-43634	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Lfedge Search vendor "Lfedge"		Eve Search vendor "Lfedge" for product "Eve"				< 8.6.0 Search vendor "Lfedge" for product "Eve" and version " < 8.6.0"		-		Affected
Lfedge Search vendor "Lfedge"		Eve Search vendor "Lfedge" for product "Eve"				>= 9.0.0 < 9.5.0 Search vendor "Lfedge" for product "Eve" and version " >= 9.0.0 < 9.5.0"		-		Affected