SB2022012791 - Multiple vulnerabilities in keylime




Published: January 27, 2022 Updated: May 7, 2026

Security Bulletin ID: SB2022012791
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 6
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

High 17% Medium 17% Low 67%

Description

This security bulletin contains information about 6 vulnerabilities.


1) Incorrect permission assignment for critical resource (CVE-ID: CVE-2022-23952)

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper access control in keylime.conf when the file is installed with world-readable permissions. A local user can read the configuration file to disclose sensitive information.


2) Improper handling of highly compressed data (CVE-ID: CVE-2022-23951)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper handling of compressed data in quote responses when processing possibly untrusted ZIP data from the agent. A remote attacker can provide a crafted quote response containing zip bomb data to cause a denial of service.


3) Improper access control (CVE-ID: CVE-2022-23950)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper access control in the revocation notifier UNIX domain socket when using a fixed /tmp socket path. A local user can create or interfere with the socket path to cause a denial of service.


4) Improper Output Neutralization for Logs (CVE-ID: CVE-2022-23949)

The vulnerability allows a remote attacker to spoof log entries.

The vulnerability exists due to improper neutralization of special elements used in a log in verifier and registrar logging when processing agent-supplied UUIDs. A remote attacker can supply a crafted UUID to spoof log entries.

The issue can be triggered by a rogue agent.


5) Improper access control (CVE-ID: CVE-2022-23948)

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper access control in the secure mount check logic in the Keylime agent when checking for a secure mount. A local user can create a previously mounted unprivileged mount to disclose sensitive information.

The issue can allow secrets to be leaked to other processes on the host.


6) Authentication Bypass by Spoofing (CVE-ID: CVE-2021-43310)

The vulnerability allows a remote attacker to reset or replay encryption keys and payload data.

The vulnerability exists due to authentication bypass by spoofing in the Keylime agent when handling crafted key reset or replay requests. A remote attacker can send a specially crafted request or replay captured U and V keys and payload data to reset or replay encryption keys and payload data.

Depending on how the client is configured, new revocation and attestation actions may be added, which could lead to remote code execution.
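
For item 4 (CVE-2022-23949), one way to neutralize an agent-supplied identifier before it reaches a log line. This is an added example, not Keylime's code or its actual fix; the function names, logger name, message text and sample ID are constructed, and it assumes agent IDs are expected to be canonical UUID strings.

```python
import io
import logging
import re

# Canonical textual UUID, 8-4-4-4-12 hex digits (assumed format for agent IDs).
UUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

def safe_agent_id(raw: str) -> str:
    """Return raw unchanged if it is a canonical UUID; otherwise return an
    escaped, length-capped form that cannot start a new log line."""
    # fullmatch, unlike match with '$', also rejects a trailing newline.
    if UUID_RE.fullmatch(raw):
        return raw
    # unicode_escape renders CR/LF and other control characters as visible text.
    escaped = raw.encode("unicode_escape").decode("ascii")
    return "INVALID<" + escaped[:64] + ">"

def render(agent_id: str, sanitize: bool) -> list[str]:
    """Log one registration event and return the resulting log lines."""
    buf = io.StringIO()
    log = logging.getLogger("demo.registrar.%s" % sanitize)  # hypothetical name
    log.setLevel(logging.INFO)
    log.propagate = False
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    log.addHandler(handler)
    try:
        shown = safe_agent_id(agent_id) if sanitize else agent_id
        log.info("agent %s registered", shown)
    finally:
        log.removeHandler(handler)
    return buf.getvalue().splitlines()

# Constructed sample: an ID carrying a line break followed by a forged entry.
FORGED = "d432fbb3-d2f1-4a97-9ef7-75bd81c00000\nINFO agent 0000 passed attestation"

if __name__ == "__main__":
    print(render(FORGED, sanitize=False))  # two lines; the second is agent-controlled
    print(render(FORGED, sanitize=True))   # one line; the line break is shown escaped
```

Validating the identifier at the point where it is first received, rather than at each log call, keeps every later consumer of the value covered.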


Remediation

Install the update from the vendor's website.