GHSA-99CG-575X-774P

Vulnerability from github – Published: 2022-02-01 00:43 – Updated: 2023-08-29 20:29
VLAI?
Summary
Go-Attestation Improper Input Validation with attacker-controlled TPM Quote
Details

Impact

An improper input validation vulnerability in go-attestation before 0.4.0 allows local users to provide a maliciously-formed Quote over no/some PCRs, causing AKPublic.Verify to succeed despite the inconsistency. Subsequent use of the same set of PCR values in Eventlog.Verify lacks the authentication performed by quote verification, meaning a local attacker could couple this vulnerability with a maliciously-crafted TCG log in Eventlog.Verify to spoof events in the TCG log, hence defeating remotely-attested measured-boot.

Patches

This issue is resolved in version 0.4.0. If your usage of this library verifies PCRs using multiple quotes, make sure to use the new method AKPublic.VerifyAll() instead of AKPublic.Verify.

Severity ?
4.0 (Medium)
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/google/go-attestation"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-0317"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-31T22:15:30Z",
    "nvd_published_at": "2022-02-04T23:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nAn improper input validation vulnerability in go-attestation before 0.4.0 allows local users to provide a maliciously-formed Quote over no/some PCRs, causing `AKPublic.Verify` to succeed despite the inconsistency. Subsequent use of the same set of PCR values in `Eventlog.Verify` lacks the authentication performed by quote verification, meaning a local attacker could couple this vulnerability with a maliciously-crafted TCG log in `Eventlog.Verify` to spoof events in the TCG log, hence defeating remotely-attested measured-boot.\n\n### Patches\nThis issue is resolved in version 0.4.0. If your usage of this library verifies PCRs using multiple quotes, make sure to use the new method `AKPublic.VerifyAll()` instead of `AKPublic.Verify`.",
  "id": "GHSA-99cg-575x-774p",
  "modified": "2023-08-29T20:29:19Z",
  "published": "2022-02-01T00:43:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/google/go-attestation/security/advisories/GHSA-99cg-575x-774p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0317"
    },
    {
      "type": "WEB",
      "url": "https://github.com/google/go-attestation/commit/82f2c9c2c76e1d3691d17ee78116d1d93a123788"
    },
    {
      "type": "WEB",
      "url": "https://github.com/google/go-attestation"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2022-0294"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Go-Attestation Improper Input Validation with attacker-controlled TPM Quote"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.