Main Vulnerability Database SB2021042655

SB2021042655 - Fedora 33 update for libtpms

Published: April 26, 2021

Security Bulletin ID SB2021042655

CSH Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Local access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Insufficient Entropy (CVE-ID: CVE-2021-3505)

CWE-ID: CWE-331 - Insufficient Entropy

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to decrypt data.

The vulnerability exists in the TPM 2 implementation, which returns 2048 bit keys with ~1984 bit strength due to a bug in the TCG specification. The bug is in the key creation algorithm in RsaAdjustPrimeCandidate(), which is called before the prime number check.

Remediation

Install update from vendor's website.

References

https://bodhi.fedoraproject.org/updates/FEDORA-2021-cfdc434610