CVE-2023-3674:
keylime fails to flag device as untrusted when signature does not validate
CVSS Score: 2.3
Basic Information
CVE ID: CVE-2023-3674
GHSA ID:
EPSS Score: -
CWE:
Published: 7/19/2023
Updated: 9/24/2024
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
keylime | pip | < 7.2.5 | 7.2.5 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from error handling in the checkquote function. The commit diff shows the removal of a try-except block that caught cryptography.exceptions.InvalidSignature and only logged an error, so a quote whose signature failed verification was still processed as valid. In the patched version, verify() is called without the exception being swallowed, so a signature validation failure propagates as an exception and triggers the untrusted-device handling. The associated test changes in tpm_util_test.py confirm this was the vulnerable area by adding tests that expect exceptions for invalid signatures.
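The following is an added illustration of the failure pattern described above; it is not keylime's code and not the patch itself. It assumes a verifier wrapper (hypothetical `attest`) that marks a device untrusted only when the quote check raises or returns False. The TPM quote signature is stood in for by an HMAC over constructed sample data, and a local `InvalidSignature` class plays the role of cryptography.exceptions.InvalidSignature, so the example runs offline with only the standard library. The vulnerable variant catches and logs the exception and falls through to success; the fixed variant lets it propagate.

```python
import hashlib
import hmac
import logging

logger = logging.getLogger(__name__)


class InvalidSignature(Exception):
    """Stand-in for cryptography.exceptions.InvalidSignature (assumption for this example)."""


def sign(key: bytes, data: bytes) -> bytes:
    """Constructed signer: HMAC-SHA256 stands in for the TPM's quote signature."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify(key: bytes, data: bytes, signature: bytes) -> None:
    """Mirrors the cryptography verify() contract: returns None on success, raises on failure."""
    expected = sign(key, data)
    if not hmac.compare_digest(expected, signature):
        raise InvalidSignature("quote signature does not validate")


def checkquote_vulnerable(key: bytes, quote: bytes, signature: bytes) -> bool:
    """Pattern described in the advisory: the failure is logged and then ignored."""
    try:
        verify(key, quote, signature)
    except InvalidSignature:
        logger.error("Invalid quote signature")
    # Control falls through regardless, so the caller treats the quote as verified.
    return True


def checkquote_fixed(key: bytes, quote: bytes, signature: bytes) -> bool:
    """Patched pattern: verify() is called without swallowing the exception."""
    verify(key, quote, signature)
    return True


def attest(checkquote, key: bytes, quote: bytes, signature: bytes) -> str:
    """Hypothetical verifier wrapper: an exception or a False result marks the device untrusted."""
    try:
        ok = checkquote(key, quote, signature)
    except InvalidSignature:
        return "untrusted"
    return "trusted" if ok else "untrusted"


# Constructed sample data: an attestation key and a quote over some PCR values.
AK = b"constructed-attestation-key"
QUOTE = b"constructed-quote:pcr0=...;pcr7=..."
GOOD_SIG = sign(AK, QUOTE)
BAD_SIG = bytes(len(GOOD_SIG))  # all-zero signature, never valid


def demo() -> dict:
    """Run both variants against a valid and a forged signature."""
    return {
        "vulnerable_bad_sig": attest(checkquote_vulnerable, AK, QUOTE, BAD_SIG),
        "fixed_bad_sig": attest(checkquote_fixed, AK, QUOTE, BAD_SIG),
        "fixed_good_sig": attest(checkquote_fixed, AK, QUOTE, GOOD_SIG),
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Running the script shows the vulnerable path reporting "trusted" for the forged signature even though an error was logged, while the fixed path reports "untrusted"; a regression test for this class of bug should assert on the exception or the verdict, not on the log line, which is what the added tpm_util_test.py tests do.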