Vulnerability Details : CVE-2023-31127
libspdm is a sample implementation that follows the DMTF SPDM specifications. A vulnerability has been identified in SPDM session establishment in libspdm prior to version 2.3.1. If a device supports both DHE sessions and PSK sessions with mutual authentication, an attacker may be able to establish a session with `KEY_EXCHANGE` and `PSK_FINISH` and thereby bypass the mutual authentication. This is most likely to happen when the Requester begins a session using one method (DHE, for example) and then uses the other method's finish message (`PSK_FINISH` in this example) to complete the session. The session hashes would be expected to fail in this case, but the condition was not detected.
This issue only impacts an SPDM responder that supports `KEY_EX_CAP=1` and `PSK_CAP=10b` at the same time with a mutual authentication requirement. The SPDM requester is not impacted. The SPDM responder is not impacted if `KEY_EX_CAP=0`, `PSK_CAP=0` or `PSK_CAP=01b`. The SPDM responder is not impacted if mutual authentication is not required.
libspdm 1.0, 2.0, 2.1, 2.2, 2.3 are all impacted. Older branches are not maintained, but users of the 2.3 branch may receive a patch in version 2.3.2. The SPDM specification (DSP0274) does not contain this vulnerability.
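The defect described above is a state-confusion bug: the responder did not tie the finish message to the exchange message that opened the session. The following is an added, self-contained Python model of a responder session state machine written for this page; it is not libspdm code and does not reproduce libspdm's types, function names or transcript-hash computation. The `enforce_mode_check` flag is a modelling assumption: `False` stands in for the pre-2.3.1 behaviour, `True` for the kind of handshake-mode check the referenced pull requests add. Message names (`KEY_EXCHANGE`, `PSK_EXCHANGE`, `FINISH`, `PSK_FINISH`) are the SPDM ones; the `drive` helper and the `requester_signature_valid` / `verify_data_valid` arguments are constructed for the example.

```python
from enum import Enum, auto


class HandshakeMode(Enum):
    """Which exchange opened the session (hypothetical model, not a libspdm type)."""
    NONE = auto()
    DHE = auto()   # opened with KEY_EXCHANGE, must be completed with FINISH
    PSK = auto()   # opened with PSK_EXCHANGE, must be completed with PSK_FINISH


class SessionState(Enum):
    NOT_STARTED = auto()
    HANDSHAKING = auto()
    ESTABLISHED = auto()


class SpdmError(Exception):
    """Raised where a real responder would answer with an SPDM ERROR message."""


class ResponderSession:
    """Minimal responder-side session state machine (illustrative model).

    enforce_mode_check=False models the pre-2.3.1 behaviour: the finish message is
    not checked against the exchange that opened the session.
    enforce_mode_check=True models the added handshake-mode switch check.
    """

    def __init__(self, mutual_auth_required: bool = True, enforce_mode_check: bool = True):
        self.mutual_auth_required = mutual_auth_required
        self.enforce_mode_check = enforce_mode_check
        self.mode = HandshakeMode.NONE
        self.state = SessionState.NOT_STARTED

    def _open(self, mode: HandshakeMode) -> None:
        if self.state != SessionState.NOT_STARTED:
            raise SpdmError("exchange received while a handshake is already in progress")
        self.mode = mode
        self.state = SessionState.HANDSHAKING

    def on_key_exchange(self) -> None:
        self._open(HandshakeMode.DHE)

    def on_psk_exchange(self) -> None:
        self._open(HandshakeMode.PSK)

    def _check_finish(self, expected_mode: HandshakeMode, msg: str) -> None:
        if self.state != SessionState.HANDSHAKING:
            raise SpdmError(f"{msg} received outside of a handshake")
        # The mode-switch check: the finish message must belong to the exchange
        # that opened the session. Without it, KEY_EXCHANGE + PSK_FINISH is accepted.
        if self.enforce_mode_check and self.mode != expected_mode:
            raise SpdmError(f"{msg} does not match handshake mode {self.mode.name}")

    def on_finish(self, requester_signature_valid: bool) -> None:
        """FINISH completes a DHE session; with mutual auth it carries the requester's signature."""
        self._check_finish(HandshakeMode.DHE, "FINISH")
        if self.mutual_auth_required and not requester_signature_valid:
            raise SpdmError("FINISH: requester signature missing or invalid")
        self.state = SessionState.ESTABLISHED

    def on_psk_finish(self, verify_data_valid: bool) -> None:
        """PSK_FINISH completes a PSK session; it carries no requester signature."""
        self._check_finish(HandshakeMode.PSK, "PSK_FINISH")
        if not verify_data_valid:
            raise SpdmError("PSK_FINISH: verify data mismatch")
        self.state = SessionState.ESTABLISHED


def drive(session: ResponderSession, messages) -> str:
    """Feed (message_name, argument) pairs to the session.

    Returns 'established', 'handshaking' or 'rejected: <reason>'.
    """
    try:
        for name, arg in messages:
            handler = getattr(session, "on_" + name.lower())
            handler() if arg is None else handler(arg)
    except SpdmError as exc:
        return f"rejected: {exc}"
    return session.state.name.lower()


# Constructed message sequence from the advisory: open with KEY_EXCHANGE, finish with
# PSK_FINISH. The model computes no transcript hashes, so verify_data_valid=True stands
# in for the "hash failure not detected" condition the advisory describes.
MIXED_HANDSHAKE = [("KEY_EXCHANGE", None), ("PSK_FINISH", True)]


def try_mixed_handshake(enforce_mode_check: bool) -> str:
    session = ResponderSession(mutual_auth_required=True, enforce_mode_check=enforce_mode_check)
    return drive(session, MIXED_HANDSHAKE)


if __name__ == "__main__":
    print("without mode check:", try_mixed_handshake(False))  # established, no requester signature
    print("with mode check:   ", try_mixed_handshake(True))   # rejected
```

The point of the model is the single line in `_check_finish`: once the session records which exchange opened it, a finish message of the other kind is rejected before any signature or verify-data processing, so the mutual-authentication step carried by `FINISH` cannot be skipped by switching to `PSK_FINISH`.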
Vulnerability category: Bypass, Gain privilege
Products affected by CVE-2023-31127
- cpe:2.3:a:dmtf:libspdm:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-31127
- EPSS score: 0.14% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~51% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2023-31127
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST |
9.0 | CRITICAL | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | 2.3 | 6.0 | GitHub, Inc. |
CWE ids for CVE-2023-31127
- When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. Assigned by: nvd@nist.gov (Primary), security-advisories@github.com (Secondary)
- The product does not properly determine which state it is in, causing it to assume it is in state X when in fact it is in state Y, causing it to perform incorrect operations in a security-relevant manner. Assigned by: security-advisories@github.com (Secondary)
References for CVE-2023-31127
- https://github.com/DMTF/libspdm/pull/2006 (Patch): "Add handshake mode switch check in FINISH and PSK_FINISH." by jyao1 · Pull Request #2006 · DMTF/libspdm · GitHub
- https://github.com/DMTF/libspdm/security/advisories/GHSA-qw76-4v8p-xq9f (Vendor Advisory): DMTF-2023-0001: SPDM mutual authentication bypass · Advisory · DMTF/libspdm · GitHub
- https://github.com/DMTF/libspdm/pull/2007 (Patch): "Add handshake mode switch check in FINISH and PSK_FINISH." by jyao1 · Pull Request #2007 · DMTF/libspdm · GitHub