CVE-2023-43631 (GCVE-0-2023-43631)
Vulnerability from cvelistv5 – Published: 2023-09-21 13:17 – Updated: 2024-09-24 17:41
VLAI?
Summary
On boot, the Pillar eve container checks for the existence and content of
“/config/authorized_keys”.
If the file is present, and contains a supported public key, the container will go on to open
port 22 and enable sshd with the given keys as the authorized keys for root login.
An attacker could easily add their own keys and gain full control over the system without
triggering the “measured boot” mechanism implemented by EVE OS, and without marking
the device as “UUD” (“Unknown Update Detected”).
This is because the “/config” partition is not protected by “measured boot”, it is mutable, and
it is not encrypted in any way.
An attacker can gain full control over the device without changing the PCR values, thus not
triggering the “measured boot” mechanism, and having full access to the vault.
Note:
This issue was partially fixed in these commits (after disclosure to Zededa), where the config
partition measurement was added to PCR13:
• aa3501d6c57206ced222c33aea15a9169d629141
• 5fef4d92e75838cc78010edaed5247dfbdae1889.
This issue was made viable in version 9.0.0 when the calculation was moved to PCR14 but it was not included in the measured boot.
Severity ?
8.8 (High)
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| LF-Edge, Zededa | EVE OS |
Affected:
0 , < 8.6.0
(release)
Affected: 9.0.0 , < 9.5.0 (release) |
Credits
Ilay Levi
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:44:43.700Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://asrg.io/security-advisories/cve-2023-43631/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:o:linuxfoundation:edge_virtualization_engine:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "edge_virtualization_engine",
"vendor": "linuxfoundation",
"versions": [
{
"lessThan": "8.6.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "9.5.0",
"status": "affected",
"version": "9.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-43631",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-24T17:19:48.322052Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-24T17:41:19.204Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "EVE OS",
"product": "EVE OS",
"programFiles": [
"https://github.com/lf-edge/eve/tree/master/pkg/pillar/evetpm/tpm.go",
"https://github.com/lf-edge/eve/tree/master/pkg/grub/rootfs.cfg"
],
"repo": "https://github.com/lf-edge/eve",
"vendor": " LF-Edge, Zededa",
"versions": [
{
"lessThan": "8.6.0",
"status": "affected",
"version": "0",
"versionType": "release"
},
{
"lessThan": "9.5.0",
"status": "affected",
"version": "9.0.0",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Ilay Levi"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\nOn boot, the Pillar eve container checks for the existence and content of\n\u201c/config/authorized_keys\u201d.\n\u003cbr\u003eIf the file is present, and contains a supported public key, the container will go on to open\nport 22 and enable sshd with the given keys as the authorized keys for root login.\n\u003cbr\u003eAn attacker could easily add their own keys and gain full control over the system without\ntriggering the \u201cmeasured boot\u201d mechanism implemented by EVE OS, and without marking\nthe device as \u201cUUD\u201d (\u201cUnknown Update Detected\u201d).\n\u003cbr\u003eThis is because the \u201c/config\u201d partition is not protected by \u201cmeasured boot\u201d, it is mutable, and\nit is not encrypted in any way.\n\u003cbr\u003e\u003cbr\u003e\n\nAn attacker can gain full control over the device without changing the PCR values, thus not\ntriggering the \u201cmeasured boot\u201d mechanism, and having full access to the vault.\n\n\u003cbr\u003e\u003cbr\u003eNote:\n\u003cbr\u003eThis issue was partially fixed in these commits (after disclosure to Zededa), where the config\npartition measurement was added to PCR13:\n\u003cbr\u003e\u2022 aa3501d6c57206ced222c33aea15a9169d629141\n\u003cbr\u003e\u2022 5fef4d92e75838cc78010edaed5247dfbdae1889.\n\u003cbr\u003eThis issue was made viable in version 9.0.0 when the calculation was moved to PCR14 but it was not included in the measured boot."
}
],
"value": "\nOn boot, the Pillar eve container checks for the existence and content of\n\u201c/config/authorized_keys\u201d.\n\nIf the file is present, and contains a supported public key, the container will go on to open\nport 22 and enable sshd with the given keys as the authorized keys for root login.\n\nAn attacker could easily add their own keys and gain full control over the system without\ntriggering the \u201cmeasured boot\u201d mechanism implemented by EVE OS, and without marking\nthe device as \u201cUUD\u201d (\u201cUnknown Update Detected\u201d).\n\nThis is because the \u201c/config\u201d partition is not protected by \u201cmeasured boot\u201d, it is mutable, and\nit is not encrypted in any way.\n\n\n\n\nAn attacker can gain full control over the device without changing the PCR values, thus not\ntriggering the \u201cmeasured boot\u201d mechanism, and having full access to the vault.\n\n\n\nNote:\n\nThis issue was partially fixed in these commits (after disclosure to Zededa), where the config\npartition measurement was added to PCR13:\n\n\u2022 aa3501d6c57206ced222c33aea15a9169d629141\n\n\u2022 5fef4d92e75838cc78010edaed5247dfbdae1889.\n\nThis issue was made viable in version 9.0.0 when the calculation was moved to PCR14 but it was not included in the measured boot."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522 Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-922",
"description": "CWE-922 Insecure Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-28T05:40:00.086Z",
"orgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba",
"shortName": "ASRG"
},
"references": [
{
"url": "https://asrg.io/security-advisories/cve-2023-43631/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "SSH as Root Unlockable Without Triggering Measured Boot",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba",
"assignerShortName": "ASRG",
"cveId": "CVE-2023-43631",
"datePublished": "2023-09-21T13:17:00.528Z",
"dateReserved": "2023-09-20T14:34:14.874Z",
"dateUpdated": "2024-09-24T17:41:19.204Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linuxfoundation:edge_virtualization_engine:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"8.6.0\", \"matchCriteriaId\": \"A569C358-B746-494B-A5EE-15D38BD74AB2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:linuxfoundation:edge_virtualization_engine:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"9.0.0\", \"versionEndExcluding\": \"9.5.0\", \"matchCriteriaId\": \"D19A1245-092C-478C-BB01-23F91A227B3F\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"\\nOn boot, the Pillar eve container checks for the existence and content of\\n\\u201c/config/authorized_keys\\u201d.\\n\\nIf the file is present, and contains a supported public key, the container will go on to open\\nport 22 and enable sshd with the given keys as the authorized keys for root login.\\n\\nAn attacker could easily add their own keys and gain full control over the system without\\ntriggering the \\u201cmeasured boot\\u201d mechanism implemented by EVE OS, and without marking\\nthe device as \\u201cUUD\\u201d (\\u201cUnknown Update Detected\\u201d).\\n\\nThis is because the \\u201c/config\\u201d partition is not protected by \\u201cmeasured boot\\u201d, it is mutable, and\\nit is not encrypted in any way.\\n\\n\\n\\n\\nAn attacker can gain full control over the device without changing the PCR values, thus not\\ntriggering the \\u201cmeasured boot\\u201d mechanism, and having full access to the vault.\\n\\n\\n\\nNote:\\n\\nThis issue was partially fixed in these commits (after disclosure to Zededa), where the config\\npartition measurement was added to PCR13:\\n\\n\\u2022 aa3501d6c57206ced222c33aea15a9169d629141\\n\\n\\u2022 5fef4d92e75838cc78010edaed5247dfbdae1889.\\n\\nThis issue was made viable in version 9.0.0 when the calculation was moved to PCR14 but it was not included in the measured boot.\"}, {\"lang\": \"es\", \"value\": \"Al arrancar, el contenedor Pillar eve comprueba la existencia y el contenido de \\u201c/config/authorized_keys\\u201d. Si el archivo est\\u00e1 presente y contiene una clave p\\u00fablica compatible, el contenedor abrir\\u00e1 el puerto 22 y habilitar\\u00e1 sshd con las claves proporcionadas como claves autorizadas para el inicio de sesi\\u00f3n de root. Un atacante podr\\u00eda agregar f\\u00e1cilmente sus propias claves y obtener control total sobre el sistema sin activar el mecanismo de \\\"\\\"measured boot\\\"\\\" implementado por EVE OS y sin marcar el dispositivo como \\\"\\\"UUD\\\"\\\" (\\\"\\\"Actualizaci\\u00f3n Desconocida Detectada\\\"\\\"). Esto se debe a que la partici\\u00f3n \\u201c/config\\u201d no est\\u00e1 protegida por \\u201cmeasured boot\\u201d, es mutable y no est\\u00e1 cifrada de ninguna manera. Un atacante puede obtener control total sobre el dispositivo sin cambiar los valores de PCR, por lo que no activar\\u00e1 el mecanismo de \\\"\\\"measured boot\\\"\\\" y tendr\\u00e1 acceso completo a \\\"\\\"vault\\\"\\\". Nota: Este problema se solucion\\u00f3 parcialmente en estos commits (despu\\u00e9s de la divulgaci\\u00f3n a Zededa), donde la medici\\u00f3n de la partici\\u00f3n de configuraci\\u00f3n se agreg\\u00f3 a PCR13:\\n\\u2022 aa3501d6c57206ced222c33aea15a9169d629141 \\n\\u2022 5fef4d92e75838cc78010edaed5247dfbdae1889. \\nEste problema se hizo viable en la versi\\u00f3n 9.0.0 cuando el c\\u00e1lculo se traslad\\u00f3 a PCR14, pero no se incluy\\u00f3 en el \\\"\\\"measured boot\\\"\\\".\"}]",
"id": "CVE-2023-43631",
"lastModified": "2024-11-21T08:24:30.343",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"cve@asrg.io\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.0, \"impactScore\": 6.0}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.0, \"impactScore\": 6.0}]}",
"published": "2023-09-21T14:15:10.870",
"references": "[{\"url\": \"https://asrg.io/security-advisories/cve-2023-43631/\", \"source\": \"cve@asrg.io\"}, {\"url\": \"https://asrg.io/security-advisories/cve-2023-43631/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "cve@asrg.io",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"cve@asrg.io\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-522\"}, {\"lang\": \"en\", \"value\": \"CWE-922\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-522\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2023-43631\",\"sourceIdentifier\":\"cve@asrg.io\",\"published\":\"2023-09-21T14:15:10.870\",\"lastModified\":\"2024-11-21T08:24:30.343\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"\\nOn boot, the Pillar eve container checks for the existence and content of\\n\u201c/config/authorized_keys\u201d.\\n\\nIf the file is present, and contains a supported public key, the container will go on to open\\nport 22 and enable sshd with the given keys as the authorized keys for root login.\\n\\nAn attacker could easily add their own keys and gain full control over the system without\\ntriggering the \u201cmeasured boot\u201d mechanism implemented by EVE OS, and without marking\\nthe device as \u201cUUD\u201d (\u201cUnknown Update Detected\u201d).\\n\\nThis is because the \u201c/config\u201d partition is not protected by \u201cmeasured boot\u201d, it is mutable, and\\nit is not encrypted in any way.\\n\\n\\n\\n\\nAn attacker can gain full control over the device without changing the PCR values, thus not\\ntriggering the \u201cmeasured boot\u201d mechanism, and having full access to the vault.\\n\\n\\n\\nNote:\\n\\nThis issue was partially fixed in these commits (after disclosure to Zededa), where the config\\npartition measurement was added to PCR13:\\n\\n\u2022 aa3501d6c57206ced222c33aea15a9169d629141\\n\\n\u2022 5fef4d92e75838cc78010edaed5247dfbdae1889.\\n\\nThis issue was made viable in version 9.0.0 when the calculation was moved to PCR14 but it was not included in the measured boot.\"},{\"lang\":\"es\",\"value\":\"Al arrancar, el contenedor Pillar eve comprueba la existencia y el contenido de \u201c/config/authorized_keys\u201d. Si el archivo est\u00e1 presente y contiene una clave p\u00fablica compatible, el contenedor abrir\u00e1 el puerto 22 y habilitar\u00e1 sshd con las claves proporcionadas como claves autorizadas para el inicio de sesi\u00f3n de root. Un atacante podr\u00eda agregar f\u00e1cilmente sus propias claves y obtener control total sobre el sistema sin activar el mecanismo de \\\"\\\"measured boot\\\"\\\" implementado por EVE OS y sin marcar el dispositivo como \\\"\\\"UUD\\\"\\\" (\\\"\\\"Actualizaci\u00f3n Desconocida Detectada\\\"\\\"). Esto se debe a que la partici\u00f3n \u201c/config\u201d no est\u00e1 protegida por \u201cmeasured boot\u201d, es mutable y no est\u00e1 cifrada de ninguna manera. Un atacante puede obtener control total sobre el dispositivo sin cambiar los valores de PCR, por lo que no activar\u00e1 el mecanismo de \\\"\\\"measured boot\\\"\\\" y tendr\u00e1 acceso completo a \\\"\\\"vault\\\"\\\". Nota: Este problema se solucion\u00f3 parcialmente en estos commits (despu\u00e9s de la divulgaci\u00f3n a Zededa), donde la medici\u00f3n de la partici\u00f3n de configuraci\u00f3n se agreg\u00f3 a PCR13:\\n\u2022 aa3501d6c57206ced222c33aea15a9169d629141 \\n\u2022 5fef4d92e75838cc78010edaed5247dfbdae1889. \\nEste problema se hizo viable en la versi\u00f3n 9.0.0 cuando el c\u00e1lculo se traslad\u00f3 a PCR14, pero no se incluy\u00f3 en el \\\"\\\"measured boot\\\"\\\".\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cve@asrg.io\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.0,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.0,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"cve@asrg.io\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-522\"},{\"lang\":\"en\",\"value\":\"CWE-922\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-522\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linuxfoundation:edge_virtualization_engine:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"8.6.0\",\"matchCriteriaId\":\"A569C358-B746-494B-A5EE-15D38BD74AB2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linuxfoundation:edge_virtualization_engine:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.0.0\",\"versionEndExcluding\":\"9.5.0\",\"matchCriteriaId\":\"D19A1245-092C-478C-BB01-23F91A227B3F\"}]}]}],\"references\":[{\"url\":\"https://asrg.io/security-advisories/cve-2023-43631/\",\"source\":\"cve@asrg.io\"},{\"url\":\"https://asrg.io/security-advisories/cve-2023-43631/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://asrg.io/security-advisories/cve-2023-43631/\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T19:44:43.700Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-43631\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-24T17:19:48.322052Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:o:linuxfoundation:edge_virtualization_engine:*:*:*:*:*:*:*:*\"], \"vendor\": \"linuxfoundation\", \"product\": \"edge_virtualization_engine\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"8.6.0\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"9.0.0\", \"lessThan\": \"9.5.0\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-24T17:41:10.995Z\"}}], \"cna\": {\"title\": \"SSH as Root Unlockable Without Triggering Measured Boot\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"user\": \"00000000-0000-4000-9000-000000000000\", \"value\": \"Ilay Levi\"}], \"impacts\": [{\"capecId\": \"CAPEC-115\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-115 Authentication Bypass\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8.8, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/lf-edge/eve\", \"vendor\": \" LF-Edge, Zededa\", \"product\": \"EVE OS\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"8.6.0\", \"versionType\": \"release\"}, {\"status\": \"affected\", \"version\": \"9.0.0\", \"lessThan\": \"9.5.0\", \"versionType\": \"release\"}], \"packageName\": \"EVE OS\", \"programFiles\": [\"https://github.com/lf-edge/eve/tree/master/pkg/pillar/evetpm/tpm.go\", \"https://github.com/lf-edge/eve/tree/master/pkg/grub/rootfs.cfg\"], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://asrg.io/security-advisories/cve-2023-43631/\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"\\nOn boot, the Pillar eve container checks for the existence and content of\\n\\u201c/config/authorized_keys\\u201d.\\n\\nIf the file is present, and contains a supported public key, the container will go on to open\\nport 22 and enable sshd with the given keys as the authorized keys for root login.\\n\\nAn attacker could easily add their own keys and gain full control over the system without\\ntriggering the \\u201cmeasured boot\\u201d mechanism implemented by EVE OS, and without marking\\nthe device as \\u201cUUD\\u201d (\\u201cUnknown Update Detected\\u201d).\\n\\nThis is because the \\u201c/config\\u201d partition is not protected by \\u201cmeasured boot\\u201d, it is mutable, and\\nit is not encrypted in any way.\\n\\n\\n\\n\\nAn attacker can gain full control over the device without changing the PCR values, thus not\\ntriggering the \\u201cmeasured boot\\u201d mechanism, and having full access to the vault.\\n\\n\\n\\nNote:\\n\\nThis issue was partially fixed in these commits (after disclosure to Zededa), where the config\\npartition measurement was added to PCR13:\\n\\n\\u2022 aa3501d6c57206ced222c33aea15a9169d629141\\n\\n\\u2022 5fef4d92e75838cc78010edaed5247dfbdae1889.\\n\\nThis issue was made viable in version 9.0.0 when the calculation was moved to PCR14 but it was not included in the measured boot.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\\n\\nOn boot, the Pillar eve container checks for the existence and content of\\n\\u201c/config/authorized_keys\\u201d.\\n\u003cbr\u003eIf the file is present, and contains a supported public key, the container will go on to open\\nport 22 and enable sshd with the given keys as the authorized keys for root login.\\n\u003cbr\u003eAn attacker could easily add their own keys and gain full control over the system without\\ntriggering the \\u201cmeasured boot\\u201d mechanism implemented by EVE OS, and without marking\\nthe device as \\u201cUUD\\u201d (\\u201cUnknown Update Detected\\u201d).\\n\u003cbr\u003eThis is because the \\u201c/config\\u201d partition is not protected by \\u201cmeasured boot\\u201d, it is mutable, and\\nit is not encrypted in any way.\\n\u003cbr\u003e\u003cbr\u003e\\n\\nAn attacker can gain full control over the device without changing the PCR values, thus not\\ntriggering the \\u201cmeasured boot\\u201d mechanism, and having full access to the vault.\\n\\n\u003cbr\u003e\u003cbr\u003eNote:\\n\u003cbr\u003eThis issue was partially fixed in these commits (after disclosure to Zededa), where the config\\npartition measurement was added to PCR13:\\n\u003cbr\u003e\\u2022 aa3501d6c57206ced222c33aea15a9169d629141\\n\u003cbr\u003e\\u2022 5fef4d92e75838cc78010edaed5247dfbdae1889.\\n\u003cbr\u003eThis issue was made viable in version 9.0.0 when the calculation was moved to PCR14 but it was not included in the measured boot.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-522\", \"description\": \"CWE-522 Insufficiently Protected Credentials\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-922\", \"description\": \"CWE-922 Insecure Storage of Sensitive Information\"}]}], \"providerMetadata\": {\"orgId\": \"c15abc07-96a9-4d11-a503-5d621bfe42ba\", \"shortName\": \"ASRG\", \"dateUpdated\": \"2023-09-28T05:40:00.086Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2023-43631\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-09-24T17:41:19.204Z\", \"dateReserved\": \"2023-09-20T14:34:14.874Z\", \"assignerOrgId\": \"c15abc07-96a9-4d11-a503-5d621bfe42ba\", \"datePublished\": \"2023-09-21T13:17:00.528Z\", \"assignerShortName\": \"ASRG\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…