CVE-2023-3674: keylime fails to flag device as untrusted when signature does not validate

CVSS Score
2.3

Basic Information

EPSS Score
-
Published
7/19/2023
Updated
9/24/2024
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Package Name: keylime
Ecosystem: pip
Vulnerable Versions: < 7.2.5
First Patched Version: 7.2.5

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from error handling in the checkquote function. The commit diff shows the removal of a try-except block that previously caught cryptography.exceptions.InvalidSignature and only logged an error. In the patched version, verify() is called without exception swallowing, allowing signature validation failures to propagate as exceptions that would trigger proper untrusted device handling. The associated test changes in tpm_util_test.py confirm this was the vulnerable area by adding tests that expect exceptions for invalid signatures.
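The two error-handling patterns described above, side by side, as an added illustration that is not keylime's own code. HMAC-SHA256 and a locally defined InvalidSignature class stand in for the TPM quote signature and for cryptography.exceptions.InvalidSignature; the key, quote and signature values are constructed.

```python
import hashlib
import hmac
import logging

log = logging.getLogger("verifier")


class InvalidSignature(Exception):
    """Stand-in for cryptography.exceptions.InvalidSignature (assumption)."""


def verify(key: bytes, quote: bytes, signature: bytes) -> None:
    """Raise InvalidSignature when the signature does not validate.
    HMAC-SHA256 stands in here for the TPM's asymmetric quote signature."""
    expected = hmac.new(key, quote, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise InvalidSignature("quote signature does not validate")


def checkquote_vulnerable(key: bytes, quote: bytes, signature: bytes) -> bool:
    """Pre-7.2.5 pattern: the failure is only logged, so the check
    returns as if the signature had validated."""
    try:
        verify(key, quote, signature)
    except InvalidSignature:
        log.error("Invalid quote signature")  # logged, then swallowed
    return True


def checkquote_fixed(key: bytes, quote: bytes, signature: bytes) -> bool:
    """7.2.5 pattern: no try/except, so InvalidSignature propagates."""
    verify(key, quote, signature)
    return True


def attest(checkquote, key: bytes, quote: bytes, signature: bytes) -> str:
    """Verifier-side handling: an exception from checkquote marks the
    device untrusted instead of silently accepting the quote."""
    try:
        checkquote(key, quote, signature)
    except InvalidSignature:
        return "untrusted"
    return "trusted"


# Constructed sample values: the verifier's key, a quote, and a corrupted
# signature (first byte flipped) that must not be accepted.
KEY = b"constructed-ak-secret"
QUOTE = b"pcr-digest:0123456789abcdef"
GOOD_SIG = hmac.new(KEY, QUOTE, hashlib.sha256).digest()
BAD_SIG = bytes([GOOD_SIG[0] ^ 0x01]) + GOOD_SIG[1:]

if __name__ == "__main__":
    print("vulnerable:", attest(checkquote_vulnerable, KEY, QUOTE, BAD_SIG))  # trusted
    print("fixed:     ", attest(checkquote_fixed, KEY, QUOTE, BAD_SIG))       # untrusted
```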

Vulnerable functions

WAF Protection Rules

WAF Rule

A flaw was found in the keylime attestation verifier, which fails to flag a device's submitted TPM quote as faulty when the quote's signature does not validate for some reason. Instead, it will only emit an error in the log without flagging the device
