Security Advisory: CVE-2021-3406 -> suggestions
Is there a way to comment on this in GitHub? I could not find a way other than starting a new issue.
Hello Keylime Community,
A security issue was discovered in the Keylime agent and registrar
that breaks the cryptographic chain of trust from the Endorsement Key
certificate to agent attestations.
This means that when a TPM 2 is in use on the agent, there is no way
to know whether the quotes are produced by a valid TPM.
This issue has been assigned CVE-2021-3406.
All versions after Keylime v3.0.0
How do I mitigate this vulnerability?
ACTION REQUIRED: Upgrade to 6.0.0
Prior to upgrading, this vulnerability can be mitigated by not using
TPM 2 on the agent.
Shut down the verifier, registrar and all agents.
Perform upgrade to version 6.0.0 (database migration is included in the release).
Start up all services: registrar, agent and verifier.
Update the agents using the keylime_tenant command `-c update`.
Further notes: The 6.0.0 release also introduces the deprecation of
TPM 1.2 and the deep quote function, as per issues #526 and #530.
This vulnerability was reported and fixed by Keylime team member
Keylime (Project Lead)
You can see more details from Patrick about the flaw and the fix used here: https://patrick.uiterwijk.org/blog/tpm2-attestation-keylime-vulnerability and yes it's mostly "don't send redundant data" :)
On Wed, Feb 24, 2021 at 9:50 AM Kenneth Goldman <kgoldman@...> wrote: