An improper input validation vulnerability in go-attestation before 0.3.3 allows local users to provide a maliciously-formed Quote over no/some PCRs, causing AKPublic.Verify to succeed despite the inconsistency. Subsequent use of the same set of PCR values in Eventlog.Verify lacks the authentication performed by quote verification, meaning a local attacker could couple this vulnerability with a maliciously-crafted TCG log in Eventlog.Verify to spoof events in the TCG log, hence defeating remotely-attested measured-boot. We recommend upgrading to Version 0.4.0 or above.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: Google
Published: 2022-02-04T22:33:03.136609Z
Updated: 2024-09-16T16:43:20.808Z
Reserved: 2022-01-20T00:00:00
Link: CVE-2022-0317
Vulnrichment
No data.
NVD
Status : Analyzed
Published: 2022-02-04T23:15:12.510
Modified: 2022-02-09T18:14:02.887
Link: CVE-2022-0317
Redhat
No data.