Main Vulnerability Database Vulnerabilities #VU54501

#VU54501 Use of a broken or risky cryptographic algorithm in libtpms - CVE-2021-3446

Published: July 1, 2021

Vulnerability identifier: #VU54501

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2021-3446

CWE-ID: CWE-327

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
libtpms

Software vendor:
Stefan Berger

Description

The vulnerability allows a remote attacker to decrypt data.

The vulnerability exists in libtpms due to integration with OpenSSL, which contained a vulnerability related to the returned IV (initialization vector) when certain symmetric ciphers were used. Instead of returning the last IV it returned the initial IV to the caller, thus weakening the subsequent encryption and decryption steps.

Remediation

Install updates from vendor's website.

External links

https://bugzilla.redhat.com/show_bug.cgi?id=1939664

#VU54501 Use of a broken or risky cryptographic algorithm in libtpms - CVE-2021-3446

Description

Remediation

External links

Please verify you're human