CVE-2023-43630 (GCVE-0-2023-43630)

Vulnerability from cvelistv5 – Published: 2023-09-20 14:37 – Updated: 2024-09-24 18:34
Title
Config Partition Not Measured From 2 Fronts
Summary
PCR14 is not in the list of PCRs that seal/unseal the “vault” key, but due to the change that was implemented in commit “7638364bc0acf8b5c481b5ce5fea11ad44ad7fd4”, fixing this issue alone would not solve the problem of the config partition not being measured correctly.

Also, the “vault” key is sealed/unsealed with SHA1 PCRs instead of SHA256. This issue was somewhat mitigated due to all of the PCR extend functions updating both the values of SHA256 and SHA1 for a given PCR ID.

However, due to the change that was implemented in commit “7638364bc0acf8b5c481b5ce5fea11ad44ad7fd4”, this is no longer the case for PCR14, as the code in “measurefs.go” explicitly updates only the SHA256 instance of PCR14, which means that even if PCR14 were to be added to the list of PCRs sealing/unsealing the “vault” key, changes to the config partition would still not be measured.

An attacker could modify the config partition without triggering the measured boot; this could result in the attacker gaining full control over the device, with full access to the contents of the encrypted “vault”.
CWE
  • CWE-522 - Insufficiently Protected Credentials
  • CWE-922 - Insecure Storage of Sensitive Information
  • CWE-328 - Use of Weak Hash
Assigner
ASRG
Impacted products
Vendor Product Version
LF-Edge, Zededa EVE OS Affected: 9.0.0, < 9.5.0 (release)
Credits
Ilay Levi

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T19:44:43.769Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://asrg.io/security-advisories/cve-2023-43630/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-43630",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-24T18:34:08.728174Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-24T18:34:19.821Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageName": "EVE OS",
          "product": "EVE OS",
          "programFiles": [
            "https://github.com/lf-edge/eve/blob/master/pkg/measure-config/src/measurefs.go",
            "https://github.com/lf-edge/eve/blob/master/pkg/pillar/evetpm/tpm.go"
          ],
          "repo": "https://github.com/lf-edge/eve",
          "vendor": " LF-Edge, Zededa",
          "versions": [
            {
              "lessThan": "9.5.0",
              "status": "affected",
              "version": "9.0.0",
              "versionType": "release"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Ilay Levi"
        }
      ],
      "datePublic": "2023-09-20T14:35:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "PCR14 is not in the list of PCRs that seal/unseal the \u201cvault\u201d key, but\ndue to the change that was implemented in commit\n\u201c7638364bc0acf8b5c481b5ce5fea11ad44ad7fd4\u201d, fixing this issue alone would not solve the\nproblem of the config partition not being measured correctly.\n\u003cbr\u003eAlso, the \u201cvault\u201d key is sealed/unsealed with SHA1 PCRs instead of\nSHA256. \u003cbr\u003eThis issue was somewhat mitigated due to all of the PCR extend functions\nupdating both the values of SHA256 and SHA1 for a given PCR ID.\n\u003cbr\u003eHowever, due to the change that was implemented in commit\n\u201c7638364bc0acf8b5c481b5ce5fea11ad44ad7fd4\u201d, this is no longer the case for PCR14, as\nthe code in \u201cmeasurefs.go\u201d explicitly updates only the SHA256 instance of PCR14, which\nmeans that even if PCR14 were to be added to the list of PCRs sealing/unsealing the \u201cvault\u201d\nkey, changes to the config partition would still not be measured.\u003cbr\u003e\u003cbr\u003e\n\nAn attacker could modify the config partition without triggering the measured boot, this could\nresult in the attacker gaining full control over the device with full access to the contents of the\nencrypted \u201cvault\u201d \n\n\n\n\u003cbr\u003e"
            }
          ],
          "value": "PCR14 is not in the list of PCRs that seal/unseal the \u201cvault\u201d key, but\ndue to the change that was implemented in commit\n\u201c7638364bc0acf8b5c481b5ce5fea11ad44ad7fd4\u201d, fixing this issue alone would not solve the\nproblem of the config partition not being measured correctly.\n\nAlso, the \u201cvault\u201d key is sealed/unsealed with SHA1 PCRs instead of\nSHA256. \nThis issue was somewhat mitigated due to all of the PCR extend functions\nupdating both the values of SHA256 and SHA1 for a given PCR ID.\n\nHowever, due to the change that was implemented in commit\n\u201c7638364bc0acf8b5c481b5ce5fea11ad44ad7fd4\u201d, this is no longer the case for PCR14, as\nthe code in \u201cmeasurefs.go\u201d explicitly updates only the SHA256 instance of PCR14, which\nmeans that even if PCR14 were to be added to the list of PCRs sealing/unsealing the \u201cvault\u201d\nkey, changes to the config partition would still not be measured.\n\n\n\nAn attacker could modify the config partition without triggering the measured boot, this could\nresult in the attacker gaining full control over the device with full access to the contents of the\nencrypted \u201cvault\u201d \n\n\n\n\n"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-115",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-115 Authentication Bypass"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-522",
              "description": "CWE-522 Insufficiently Protected Credentials",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-922",
              "description": "CWE-922 Insecure Storage of Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-328",
              "description": "CWE-328 Use of Weak Hash",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-09-28T05:39:02.209Z",
        "orgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba",
        "shortName": "ASRG"
      },
      "references": [
        {
          "url": "https://asrg.io/security-advisories/cve-2023-43630/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Config Partition Not Measured From 2 Fronts",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba",
    "assignerShortName": "ASRG",
    "cveId": "CVE-2023-43630",
    "datePublished": "2023-09-20T14:37:44.564Z",
    "dateReserved": "2023-09-20T14:34:14.873Z",
    "dateUpdated": "2024-09-24T18:34:19.821Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

