Vulnerability Details : CVE-2023-3674
A flaw was found in the keylime attestation verifier: when the signature on a device's submitted TPM quote does not validate, for whatever reason, the verifier fails to flag the quote as faulty. It only emits an error in the log and does not mark the device as untrusted.
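The logic error described above, reduced to an added, self-contained Python example that is not keylime's own code: the pre-fix pattern logs a signature failure and keeps evaluating the quote body, while the fixed pattern raises an exception that the verifier turns into an untrusted result. The HMAC key, the `pcr7=<hex>` quote format and the expected PCR value are constructed stand-ins for the TPM attestation key, the quote structure and the attestation policy.

```python
import hashlib
import hmac
import logging

log = logging.getLogger("verifier")

# Constructed stand-in for the device's attestation key. A real verifier checks
# the TPM quote signature against the AK public key; HMAC-SHA256 over the quote
# body plays that role here so the example runs offline.
AK_KEY = b"constructed-attestation-key"
EXPECTED_PCR7 = "a1b2c3"  # constructed "golden" value the policy requires


class InvalidQuote(Exception):
    """Raised when a quote cannot be trusted; the caller must fail closed."""


def sign_quote(body: bytes, key: bytes = AK_KEY) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()


def signature_valid(body: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(sign_quote(body), signature)


def pcr7_matches_policy(body: bytes) -> bool:
    # Toy quote body format b"pcr7=<hex>"; a real quote carries a PCR digest.
    return body.decode().split("=", 1)[1] == EXPECTED_PCR7


def check_quote_vulnerable(body: bytes, signature: bytes) -> dict:
    """Pre-fix pattern: a bad signature is only logged, and evaluation of the
    unauthenticated body continues, so an altered quote can still pass."""
    if not signature_valid(body, signature):
        log.error("quote signature did not validate")  # logged, not enforced
    return {"trusted": pcr7_matches_policy(body)}


def check_quote_fixed(body: bytes, signature: bytes) -> dict:
    """Post-fix pattern: a signature failure is an exception, raised first."""
    if not signature_valid(body, signature):
        raise InvalidQuote("quote signature did not validate")
    return {"trusted": pcr7_matches_policy(body)}


def verify_device(body: bytes, signature: bytes, check=check_quote_fixed) -> dict:
    """Verifier loop: any InvalidQuote marks the device untrusted."""
    try:
        return check(body, signature)
    except InvalidQuote as exc:
        log.error("attestation failed: %s", exc)
        return {"trusted": False, "reason": str(exc)}
```

With the vulnerable check, a quote body that claims the golden PCR value but carries a signature that does not validate is still reported as trusted; with the fixed check it is rejected before the PCR values are even consulted.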
Products affected by CVE-2023-3674
- cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
- cpe:2.3:a:keylime:keylime:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-3674
- EPSS score: 0.05% (probability of exploitation activity in the next 30 days)
- Percentile: ~12% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2023-3674
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
2.8 | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N | 1.3 | 1.4 | NIST |
2.3 | LOW | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N | 0.8 | 1.4 | Red Hat, Inc. |
CWE ids for CVE-2023-3674
- The register contents used for attestation or measurement reporting data to verify boot flow are modifiable by an adversary. (Assigned by: secalert@redhat.com, Secondary)
References for CVE-2023-3674
- https://github.com/keylime/keylime/commit/95ce3d86bd2c53009108ffda2dcf553312d733db (tpm_util: Replace a logger.error with an Exception in case of invalid… · keylime/keylime@95ce3d8 · GitHub). Tags: Patch
- https://access.redhat.com/errata/RHSA-2024:1139 (RHSA-2024:1139 - Security Advisory - Red Hat Customer Portal)
- https://access.redhat.com/security/cve/CVE-2023-3674 (CVE-2023-3674 - Red Hat Customer Portal). Tags: Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2222903 (2222903 – (CVE-2023-3674) CVE-2023-3674 keylime: Attestation failure when the quote's signature does not validate). Tags: Issue Tracking; Patch; Third Party Advisory