SB2024083059 - Fedora 40 update for tpm2-tools, tpm2-tss

Security Bulletin ID SB2024083059

Severity

Low

Patch available

YES

Number of vulnerabilities 3

Exploitation vector Local access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Insufficient verification of data authenticity (CVE-ID: CVE-2024-29040)

The vulnerability allows a local user to bypass implemented security restrictions.

The vulnerability exists due to missing checks for the magic number. A local user can generate arbitrary quote data, which may not be detected by Fapi_VerifyQuote.

2) Mutable Attestation or Measurement Reporting Data (CVE-ID: CVE-2024-29038)

The vulnerability allows a local user to bypass implemented security restrictions.

The vulnerability exists due to improper input validation. A local user can generate arbitrary quote data which is not detected by tpm2 checkquote and gain access to sensitive information.

3) Reliance on Untrusted Inputs in a Security Decision (CVE-ID: CVE-2024-29039)

The vulnerability allows a local user to manipulate the TMP state.

The vulnerability exists due to insufficient validation of PCR input. A local user can alter TPML_PCR_SELECTION and manipulate the TMP state.

Remediation

Install update from vendor's website.

References

https://bodhi.fedoraproject.org/updates/FEDORA-2024-0c9d3b51d4

SB2024083059 - Fedora 40 update for tpm2-tools, tpm2-tss

Breakdown by Severity

Description

Remediation

References

Please verify you're human