CVE-2023-43634

21.09.2023, 14:15

When sealing/unsealing the vault key, a list of PCRs is used, which defines which PCRs
are used.

In a previous project, CYMOTIVE found that the configuration is not protected by the secure
boot, and in response Zededa implemented measurements on the config partition that was
mapped to PCR 13.

In that process, PCR 13 was added to the list of PCRs that seal/unseal the key.

In commit 56e589749c6ff58ded862d39535d43253b249acf, the config partition
measurement moved from PCR 13 to PCR 14, but PCR 14 was not added to the list of
PCRs that seal/unseal the key.

This change makes the measurement of PCR 14 effectively redundant as it would not affect
the sealing/unsealing of the key.

An attacker could modify the config partition without triggering the measured boot, this could
result in the attacker gaining full control over the device with full access to the contents of the
encrypted vault

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
ASRG	CNA	8.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 5%

Vendor	Product	Version
lfedge	eve	𝑥 < 8.6.0
lfedge	eve	9.0.0 ≤ 𝑥 < 9.5.0

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-522 - Insufficiently Protected Credentials
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

References

https://asrg.io/security-advisories/cve-2023-43634/