Error Handling in keylime - CVE-2022-3500

 

Error Handling in keylime - CVE-2022-3500

Published: November 15, 2022


Vulnerability identifier: #VU69339
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-3500
CWE-ID: CWE-388
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Keylime
Affected software:
keylime

Detailed vulnerability description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper error handling when treating system level failures, such as network driver crash, causing the verifier component to quit and not recover. The verifier's state machine remains in "verified" state and the associated database is no longer updated for this agent.


How to mitigate CVE-2022-3500

Install updates from vendor's website.

Sources