Main Vulnerability Database Vulnerabilities #VU130482

Improper access control in keylime - CVE-2022-1053

Published: May 4, 2022 / Updated: May 7, 2026

Vulnerability identifier: #VU130482

CSH Severity: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2022-1053

CWE-ID: CWE-284

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
keylime

Software vendor:
Keylime

Description

The vulnerability allows a remote attacker to bypass TPM-based attestation validation.

The vulnerability exists due to improper access control in registrar data handling when validating the EK and identity quote and validating the integrity quote. A remote attacker can provide mismatched AK and EK data to bypass TPM-based attestation validation.

The issue can break the chain of trust because the verifier may use an AK that was not validated, and exploitation is easier when validation occurs before the agent is added to the verifier.

Remediation

Install security update from vendor's website.

External links

https://github.com/keylime/keylime/security/advisories/GHSA-jf66-3q76-h5p5

Improper access control in keylime - CVE-2022-1053

Description

Remediation

External links

Please verify you're human