SB2021022438 - Improper Verification of Cryptographic Signature in keylime

Published: February 24, 2021 Updated: May 7, 2026

Security Bulletin ID: SB2021022438
CSH Severity: Medium
Patch available: Yes
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium: 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2021-3406)

The vulnerability allows a remote attacker to bypass the cryptographic chain of trust for agent attestation.

The vulnerability exists because the Keylime registrar and tenant do not cross-check the endorsement key (EK) and attestation key (AK) material an agent submits during registration and credential activation. A remote attacker who controls an agent can submit mismatched key material and TPM-related values, so that the key vouched for by the EK certificate, the key used to complete the credential challenge, and the key that later signs quotes are never tied to each other or to a real TPM.

Three checks are missing:

  • The ek_tpm public area is not checked against ek or ekcert, so the EK certificate may vouch for a key other than the one used to protect the credential.
  • pub_aik is not validated against aik_name. A TPM name is the nameAlg identifier followed by the hash of the marshalled public area, and it is the value a credential is bound to; an aik_name that is not derived from pub_aik decouples the credential challenge from the key that will sign attestations.
  • The AK's object attributes are not validated, so a key that is not a restricted signing key fixed to the TPM (fixedTPM, fixedParent, sensitiveDataOrigin, restricted, sign) can be registered as an attestation key.
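The following is an added illustration of what the three missing checks look like on the verifying side, written for this bulletin and not taken from the Keylime code base. It is standard-library Python that unmarshals a TPMT_PUBLIC (TCG TPM 2.0 Library, Part 2) for an RSA key, derives the TPM name from it, compares the modulus and exponent with a separately supplied key, and checks the attribute bits a relying party should demand of an attestation key. The function and constant names (parse_rsa_public_area, verify_ak_registration, SAMPLE_AK and so on) are this example's own; the sample public area is constructed from hash output and is not a real TPM key.

```python
"""Added example: the registration-time checks this bulletin describes as missing,
done over a marshalled TPMT_PUBLIC for an RSA key. Standard library only; the
sample key at the bottom is constructed, not a real TPM key."""
import hashlib
import hmac
import struct

TPM_ALG_RSA, TPM_ALG_NULL, TPM_ALG_RSASSA, TPM_ALG_RSAES = 0x0001, 0x0010, 0x0014, 0x0015
TPM_ALG_SHA256 = 0x000B
HASH_BY_ALG = {0x0004: "sha1", 0x000B: "sha256", 0x000C: "sha384", 0x000D: "sha512"}

# TPMA_OBJECT attribute bits
FIXED_TPM, FIXED_PARENT, SENSITIVE_DATA_ORIGIN = 0x00002, 0x00010, 0x00020
RESTRICTED, DECRYPT, SIGN_ENCRYPT = 0x10000, 0x20000, 0x40000
AK_REQUIRED = FIXED_TPM | FIXED_PARENT | SENSITIVE_DATA_ORIGIN | RESTRICTED | SIGN_ENCRYPT


class PublicAreaError(ValueError):
    """Malformed or unsupported TPMT_PUBLIC."""


def parse_rsa_public_area(area: bytes) -> dict:
    """Unmarshal a TPMT_PUBLIC for an RSA key; rejects non-RSA keys, truncation and trailing data."""
    off = 0

    def take(n):
        nonlocal off
        if off + n > len(area):
            raise PublicAreaError("truncated TPMT_PUBLIC")
        chunk = area[off:off + n]
        off += n
        return chunk

    def u16():
        return int.from_bytes(take(2), "big")

    def u32():
        return int.from_bytes(take(4), "big")

    if u16() != TPM_ALG_RSA:
        raise PublicAreaError("not an RSA public area")
    name_alg, attrs = u16(), u32()
    auth_policy = take(u16())                  # TPM2B_DIGEST authPolicy
    if u16() != TPM_ALG_NULL:                  # TPMT_SYM_DEF_OBJECT symmetric
        take(4)                                # keyBits + mode, not needed here
    scheme = u16()                             # TPMT_RSA_SCHEME
    if scheme not in (TPM_ALG_NULL, TPM_ALG_RSAES):
        take(2)                                # hashAlg of the signing/OAEP scheme
    key_bits, exponent = u16(), u32()
    modulus = take(u16())                      # TPM2B_PUBLIC_KEY_RSA unique
    if off != len(area):
        raise PublicAreaError("trailing bytes after TPMT_PUBLIC")
    if len(modulus) * 8 != key_bits:
        raise PublicAreaError("modulus length disagrees with keyBits")
    return {"name_alg": name_alg, "attrs": attrs, "auth_policy": auth_policy, "scheme": scheme,
            "n": int.from_bytes(modulus, "big"), "e": exponent or 65537}  # exponent 0 = default


def tpm_name(area: bytes) -> bytes:
    """TPM2B_NAME content of a public area: nameAlg || H_nameAlg(marshalled TPMT_PUBLIC).
    This is what TPM2_MakeCredential binds a credential to, so it must be derived from the
    public area rather than accepted from the agent as an independent field."""
    pub = parse_rsa_public_area(area)
    digest = HASH_BY_ALG.get(pub["name_alg"])
    if digest is None:
        raise PublicAreaError("unsupported nameAlg 0x%04x" % pub["name_alg"])
    return pub["name_alg"].to_bytes(2, "big") + hashlib.new(digest, area).digest()


def verify_ak_registration(ak_area: bytes, claimed_name: bytes, pub_n: int, pub_e: int) -> list:
    """Return the reasons to reject an AK registration (empty list means accept). The same
    modulus/exponent comparison applies to ek_tpm against ek or the ekcert subject key."""
    try:
        pub = parse_rsa_public_area(ak_area)
    except PublicAreaError as exc:
        return [str(exc)]
    problems = []
    if not hmac.compare_digest(tpm_name(ak_area), claimed_name):
        problems.append("aik_name does not match the name of the supplied AK public area")
    if (pub["n"], pub["e"]) != (pub_n, pub_e):
        problems.append("pub_aik is not the key described by the AK public area")
    missing = AK_REQUIRED & ~pub["attrs"]
    if missing:
        problems.append("AK attributes missing required bits 0x%05x" % missing)
    if pub["attrs"] & DECRYPT:
        problems.append("AK must not be a decryption key")
    if pub["scheme"] == TPM_ALG_NULL:
        problems.append("AK has no signing scheme")
    return problems


def build_rsa_public_area(attrs: int, modulus: bytes, name_alg: int = TPM_ALG_SHA256) -> bytes:
    """Marshal a TPMT_PUBLIC (RSASSA/SHA-256, no symmetric parms, default exponent) for sample input."""
    return (struct.pack(">HHI", TPM_ALG_RSA, name_alg, attrs) + struct.pack(">H", 0)
            + struct.pack(">HHH", TPM_ALG_NULL, TPM_ALG_RSASSA, TPM_ALG_SHA256)
            + struct.pack(">HIH", len(modulus) * 8, 0, len(modulus)) + modulus)


# Constructed sample: a 2048-bit "modulus" made from hash output, not a real key.
SAMPLE_MODULUS = hashlib.sha512(b"constructed AK modulus, not a real key").digest() * 4
SAMPLE_ATTRS = 0x00050072  # fixedTPM|fixedParent|sensitiveDataOrigin|userWithAuth|restricted|sign
SAMPLE_AK = build_rsa_public_area(SAMPLE_ATTRS, SAMPLE_MODULUS)
SAMPLE_N, SAMPLE_E = int.from_bytes(SAMPLE_MODULUS, "big"), 65537

if __name__ == "__main__":
    print("AK name:", tpm_name(SAMPLE_AK).hex())
    print("honest agent:", verify_ak_registration(SAMPLE_AK, tpm_name(SAMPLE_AK), SAMPLE_N, SAMPLE_E))
    forged = build_rsa_public_area((SAMPLE_ATTRS & ~RESTRICTED) | DECRYPT, SAMPLE_MODULUS)
    print("unrestricted decrypt key:", verify_ak_registration(forged, tpm_name(forged), SAMPLE_N, SAMPLE_E))
```

Rejecting any public area with trailing or missing bytes matters as much as the attribute check: the name is a hash over the exact marshalled bytes, so a parser that tolerates slack lets two different blobs share a name. The attribute set required here is the one a relying party should insist on for a quote-signing key; an implementation may additionally require userWithAuth or a specific nameAlg, as its policy dictates.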


Remediation

Install the update from the vendor's website.