Improper Verification of Cryptographic Signature in keylime - CVE-2021-3406

 

Improper Verification of Cryptographic Signature in keylime - CVE-2021-3406

Published: February 24, 2021 / Updated: May 7, 2026


Vulnerability identifier: #VU130490
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-3406
CWE-ID: CWE-347
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Keylime
Affected software:
keylime

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass the cryptographic chain of trust for agent attestation.

The vulnerability exists due to improper verification in the Keylime agent and registrar code when processing endorsement and attestation key data during registration and credential protection. A remote attacker can provide mismatched key material and TPM-related values to bypass the cryptographic chain of trust for agent attestation.

The issue includes missing checks that the ek_tpm public key matches ek or ekcert, missing validation between pub_aik and aik_name, and missing validation of attestation key object attributes.


How to mitigate CVE-2021-3406

Install security update from vendor's website.

Sources