CVE-2021-3623 : A flaw was found in libtpms. The flaw can be triggered by specially-crafted TPM 2 command packets containing illegal val

A flaw was found in libtpms. The flaw can be triggered by specially-crafted TPM 2 command packets containing illegal values and may lead to an out-of-bounds access when the volatile state of the TPM 2 is marshalled/written or unmarshalled/read. The highest threat from this vulnerability is to system availability.

Published 2022-03-02 23:15:09

Updated 2022-11-29 16:57:28

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: Memory Corruption

Exploit prediction scoring system (EPSS) score for CVE-2021-3623

Probability of exploitation activity in the next 30 days: 0.05%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 12 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2021-3623

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
3.6	LOW	AV:L/AC:L/Au:N/C:P/I:N/A:P	3.9	4.9	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: Partial
6.1	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H	1.8	4.2	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: None Availability: High

CWE ids for CVE-2021-3623

CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.
Assigned by:
- nvd@nist.gov (Primary)
- secalert@redhat.com (Secondary)

References for CVE-2021-3623

https://github.com/stefanberger/libtpms/commit/2e6173c

tpm2: Restore original value if unmarsalled value was illegal · stefanberger/libtpms@2e6173c · GitHub
Patch;Third Party Advisory
https://github.com/stefanberger/libtpms/pull/223

Reset buffer size indicators that are too large and check for maximum size on marshalling by stefanberger · Pull Request #223 · stefanberger/libtpms · GitHub
Issue Tracking;Third Party Advisory
https://github.com/stefanberger/libtpms/commit/2f30d62

tpm2: Reset TPM2B buffer sizes after test fails for valid buffer size · stefanberger/libtpms@2f30d62 · GitHub
Patch;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z7KZSYMTE7Z4BBEZUWO2DIMQDWMGEP46/

[SECURITY] Fedora 34 Update: libtpms-0.8.4-1.20210624gita594c4692a.fc34.1 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://github.com/stefanberger/libtpms/commit/7981d9a

tpm2: Add maxSize parameter to TPM2B_Marshal for sanity checks · stefanberger/libtpms@7981d9a · GitHub
Patch;Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1976806

1976806 – (CVE-2021-3623) CVE-2021-3623 libtpms: out-of-bounds access when trying to resume the state of the vTPM
Issue Tracking;Patch;Third Party Advisory

Products affected by CVE-2021-3623

Redhat » Enterprise Linux » Version: 8.0 Advanced Virtualization Edition
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:advanced_virtualization:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 34
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
Matching versions
Libtpms Project » Libtpms
Versions from including (>=) 0.8.0 and before (<) 0.8.4
cpe:2.3:a:libtpms_project:libtpms:*:*:*:*:*:*:*:*
Matching versions
Libtpms Project » Libtpms
Versions from including (>=) 0.7.0 and before (<) 0.7.8
cpe:2.3:a:libtpms_project:libtpms:*:*:*:*:*:*:*:*
Matching versions
Libtpms Project » Libtpms
Versions before (<) 0.6.5
cpe:2.3:a:libtpms_project:libtpms:*:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2021-3623

Exploit prediction scoring system (EPSS) score for CVE-2021-3623

CVSS scores for CVE-2021-3623

CWE ids for CVE-2021-3623

References for CVE-2021-3623

Products affected by CVE-2021-3623