Improper Verification of Cryptographic Signature in keylime - CVE-2021-3406

Published: February 24, 2021 / Updated: May 7, 2026
Vulnerability identifier: #VU130490
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-3406
CWE-ID: CWE-347
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: keylime
Software vendor: Keylime

Description

The vulnerability allows a remote attacker to bypass the cryptographic chain of trust for agent attestation.

The vulnerability exists due to improper verification in the Keylime agent and registrar code when processing endorsement and attestation key data during registration and credential protection. A remote attacker can provide mismatched key material and TPM-related values to bypass the cryptographic chain of trust for agent attestation.

Specifically, three checks were missing: that the public key in ek_tpm matches ek or ekcert, that pub_aik corresponds to aik_name, and that the attestation key's object attributes are validated.
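Two of the three missing checks, shown as an added illustration that is not Keylime's own code: deriving the TPM 2.0 Name of the attestation key from the marshalled TPMT_PUBLIC the agent supplies (Name = nameAlg || hash(TPMT_PUBLIC)) and comparing it with the claimed aik_name, and requiring the fixedTPM, fixedParent, restricted and sign object attributes before accepting the key. The ek/ekcert comparison is not shown; the TPMT_PUBLIC layout, attribute bit positions and the sample key material are assumptions of this example.

```python
import hashlib
import hmac
import struct

# TPM 2.0 constants: TPM_ALG_ID values and TPMA_OBJECT bit positions (assumed from the spec).
TPM_ALG_RSA, TPM_ALG_SHA256, TPM_ALG_RSASSA, TPM_ALG_NULL = 0x0001, 0x000B, 0x0014, 0x0010
HASH_BY_ALG = {0x0004: "sha1", 0x000B: "sha256", 0x000C: "sha384"}
FIXEDTPM, FIXEDPARENT, RESTRICTED, SIGN = 1 << 1, 1 << 4, 1 << 16, 1 << 18
REQUIRED_AK_ATTRS = FIXEDTPM | FIXEDPARENT | RESTRICTED | SIGN
TYPICAL_AK_ATTRS = 0x00050072  # fixedTPM|fixedParent|sensitiveDataOrigin|userWithAuth|restricted|sign

def tpm2_name(tpmt_public: bytes) -> bytes:
    """Name = nameAlg || H_nameAlg(marshalled TPMT_PUBLIC); nameAlg sits at offset 2."""
    (name_alg,) = struct.unpack(">H", tpmt_public[2:4])
    if name_alg not in HASH_BY_ALG:
        raise ValueError("unsupported nameAlg %#06x" % name_alg)
    return tpmt_public[2:4] + hashlib.new(HASH_BY_ALG[name_alg], tpmt_public).digest()

def object_attributes(tpmt_public: bytes) -> int:
    """objectAttributes (TPMA_OBJECT, 4 bytes big-endian) follows type and nameAlg."""
    return struct.unpack(">I", tpmt_public[4:8])[0]

def validate_ak(pub_ak: bytes, claimed_name: bytes) -> list:
    """Return the problems found; an empty list means the AK passes both checks."""
    problems = []
    try:
        if not hmac.compare_digest(tpm2_name(pub_ak), claimed_name):
            problems.append("aik_name does not match the supplied pub_aik")
        missing = REQUIRED_AK_ATTRS & ~object_attributes(pub_ak)
    except (ValueError, struct.error):
        return ["pub_aik is not a parseable TPMT_PUBLIC"]
    if missing:
        problems.append("AK lacks required object attributes: %#010x" % missing)
    return problems

def build_sample_tpmt_public(attrs: int, modulus: bytes) -> bytes:
    """Constructed RSA TPMT_PUBLIC: SHA-256 nameAlg, empty authPolicy, RSASSA-SHA256 scheme."""
    return (struct.pack(">HHI", TPM_ALG_RSA, TPM_ALG_SHA256, attrs)
            + struct.pack(">H", 0)                                # authPolicy: empty TPM2B
            + struct.pack(">H", TPM_ALG_NULL)                     # symmetric: TPM_ALG_NULL
            + struct.pack(">HH", TPM_ALG_RSASSA, TPM_ALG_SHA256)  # scheme + hashAlg
            + struct.pack(">HI", len(modulus) * 8, 0)             # keyBits, exponent (0 = 65537)
            + struct.pack(">H", len(modulus)) + modulus)          # unique: TPM2B_PUBLIC_KEY_RSA

# Constructed placeholder modulus, not a real key.
GOOD_AK = build_sample_tpmt_public(TYPICAL_AK_ATTRS, bytes(range(256)))
UNRESTRICTED_AK = build_sample_tpmt_public(TYPICAL_AK_ATTRS & ~RESTRICTED, bytes(range(256)))
```

A registrar that accepts only an empty result from validate_ak rejects both a name that does not belong to the supplied key and a key that lacks the attributes a quote-signing AK needs.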


Remediation

Install the security update from the vendor's website.

External links