N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-r2h5-3hgw-8j34

GHSA-r2h5-3hgw-8j34: User data in TPM attestation vulnerable to MITM

Impact

Attestation user data (such as the digest of the public key in an aTLS connection) was bound to the issuer's TPM, but not to its PCR state. An attacker could intercept a node initialization, initialize the node themselves, and then impersonate an uninitialized node to the validator. In practice, this meant that a CSP insider with sufficient privileges would have been able to join a node under their control to a Constellation cluster.

Patches

The issue has been patched in v2.5.2.

Workarounds

none

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-r2h5-3hgw-8j34

GHSA-r2h5-3hgw-8j34:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/edgelesssys/constellation/v2	go	<= 2.5.1	2.5.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing PCR state binding in TPM-based attestation. The aTLS implementation's user data binding and validation() functions would be directly responsible for including/verifying PCR measurements. The MITM attack vector suggests both generation (node initialization) and verification (validator) components were affected. While exact function names aren't provided, TPM attestation workflows typically involve distinct functions for creating attestation documents and validating() them, which aligns with the described attack scenario.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-r2h5-3hgw-8j34: User data in TPM attestation vulnerable to MITM

Impact

Patches

Workarounds

GHSA-r2h5-3hgw-8j34:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

GHSA-r2h5-3hgw-8j34: User data in TPM attestation vulnerable to MITM

Impact

Patches

Workarounds

N/A

N/A

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI