Vulnerability Details : CVE-2021-3623
A flaw was found in libtpms. The flaw can be triggered by specially-crafted TPM 2 command packets containing illegal values and may lead to an out-of-bounds access when the volatile state of the TPM 2 is marshalled/written or unmarshalled/read. The highest threat from this vulnerability is to system availability.
Vulnerability category: Memory Corruption
Exploit prediction scoring system (EPSS) score for CVE-2021-3623
Probability of exploitation activity in the next 30 days: 0.05%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 12 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2021-3623
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
3.6
|
LOW | AV:L/AC:L/Au:N/C:P/I:N/A:P |
3.9
|
4.9
|
NIST |
6.1
|
MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H |
1.8
|
4.2
|
NIST |
CWE ids for CVE-2021-3623
-
The product writes data past the end, or before the beginning, of the intended buffer.Assigned by:
- nvd@nist.gov (Primary)
- secalert@redhat.com (Secondary)
References for CVE-2021-3623
-
https://github.com/stefanberger/libtpms/commit/2e6173c
tpm2: Restore original value if unmarsalled value was illegal · stefanberger/libtpms@2e6173c · GitHubPatch;Third Party Advisory
-
https://github.com/stefanberger/libtpms/pull/223
Reset buffer size indicators that are too large and check for maximum size on marshalling by stefanberger · Pull Request #223 · stefanberger/libtpms · GitHubIssue Tracking;Third Party Advisory
-
https://github.com/stefanberger/libtpms/commit/2f30d62
tpm2: Reset TPM2B buffer sizes after test fails for valid buffer size · stefanberger/libtpms@2f30d62 · GitHubPatch;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z7KZSYMTE7Z4BBEZUWO2DIMQDWMGEP46/
[SECURITY] Fedora 34 Update: libtpms-0.8.4-1.20210624gita594c4692a.fc34.1 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://github.com/stefanberger/libtpms/commit/7981d9a
tpm2: Add maxSize parameter to TPM2B_Marshal for sanity checks · stefanberger/libtpms@7981d9a · GitHubPatch;Third Party Advisory
-
https://bugzilla.redhat.com/show_bug.cgi?id=1976806
1976806 – (CVE-2021-3623) CVE-2021-3623 libtpms: out-of-bounds access when trying to resume the state of the vTPMIssue Tracking;Patch;Third Party Advisory
Products affected by CVE-2021-3623
- cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:advanced_virtualization:*:*:*
- cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
- cpe:2.3:a:libtpms_project:libtpms:*:*:*:*:*:*:*:*
- cpe:2.3:a:libtpms_project:libtpms:*:*:*:*:*:*:*:*
- cpe:2.3:a:libtpms_project:libtpms:*:*:*:*:*:*:*:*