CVE-2021-3406

A flaw was found in keylime 5.8.1 and older. The issue in the Keylime agent and registrar code invalidates the cryptographic chain of trust from the Endorsement Key certificate to agent attestations.

Weakness

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

Affected Software

Name	Vendor	Start Version	End Version
Keylime	Keylime	*	5.8.1 (including)

https://cwe.mitre.org/data/definitions/463.html
https://cwe.mitre.org/data/definitions/475.html

References

https://bugzilla.redhat.com/show_bug.cgi?id=1932469
https://github.com/keylime/keylime/security/advisories/GHSA-78f8-6c68-375m
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YAWKEF2LVXUME266T6RNRVBGAD375QAT/
https://bugzilla.redhat.com/show_bug.cgi?id=1932469
https://github.com/keylime/keylime/security/advisories/GHSA-78f8-6c68-375m
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YAWKEF2LVXUME266T6RNRVBGAD375QAT/

NVD	https://nvd.nist.gov/vuln/detail/CVE-2021-3406
CWE	https://cwe.mitre.org/data/definitions/347.html

Improper Verification of Cryptographic Signature

Weakness

Affected Software

Related Attack Patterns

References