Bugzilla – Bug 1194005
VUL-0: CVE-2022-23952: keylime: World-Readable keylime.conf Contains Potentially Sensitive Data
Last modified: 2022-02-18 09:53:14 UTC
This bug is to keep track of keylime review report item 5.a:
### a) World-Readable keylime.conf Contains Potentially Sensitive Data
The configuration `/etc/keylime.conf` is installed world-readable:
```
$ ls -l /etc/keylime.conf
-rw-r--r-- 1 root root 26770 Dec 16 14:54 /etc/keylime.conf
```
This is the case for installations performed manually via the provided
`installer.sh` script as well as for the RPM packaging found in both openSUSE
Tumbleweed and Fedora 35 Linux distributions. Further distributions might be
`keylime.conf` contains a lot of information, some of it sensitive like the
TPM ownership password (`tpm_ownerpassword`), TLS certificate private key
passwords (`private_key_pw`, `registrar_private_key_pw`) or the database
password for the registrar (`database_password`). Thus this is a local
information leak, because arbitrary local users can obtain these passwords
from the configuration file.
NOTE: Alberto (in CC), our SUSE packager, already fixed the permissions of the
file for openSUSE Tumbleweed in the meantime.
My recommendation is to make this file only accessible to _root_ and adjust
all installation routines and possibly documentation. Affected distributors
should be notified about this. The Keylime code could perform a sanity check
of the permissions of the configuration file before reading it in.
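One way to implement the permission sanity check recommended above, as an added Python example that is not Keylime's own code: the file is opened first and checked through the descriptor so the checked file is the one actually read; the sample config line and the `demo_check` helper are constructed for illustration.

```python
"""Refuse to load a sensitive config file that other local users can read."""
import os
import stat
import tempfile
from typing import Optional


class InsecureConfigError(Exception):
    """Raised when the configuration file is readable by group or others."""


def open_config_securely(path: str, allowed_owner: Optional[int] = 0):
    """Open *path* read-only, refusing if mode or owner are too permissive.

    Checks run on the open descriptor (fstat), so a stat-then-open race
    cannot swap the file in between. O_NOFOLLOW rejects a symlink at *path*.
    """
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise InsecureConfigError(f"{path} is not a regular file")
        # Any group/other bit (read, write or execute) makes the file unsafe.
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise InsecureConfigError(
                f"{path} has mode {stat.S_IMODE(st.st_mode):04o}; expected 0600")
        if allowed_owner is not None and st.st_uid != allowed_owner:
            raise InsecureConfigError(
                f"{path} is owned by uid {st.st_uid}, expected {allowed_owner}")
        return os.fdopen(fd, "r")  # the file object now owns fd
    except Exception:
        os.close(fd)
        raise


def config_is_private(path: str, allowed_owner: Optional[int] = 0) -> bool:
    """True if *path* passes the check, False if it fails or cannot be opened."""
    try:
        with open_config_securely(path, allowed_owner):
            return True
    except (InsecureConfigError, OSError):
        return False


def demo_check(mode: int) -> bool:
    """Create a throwaway config with *mode* and report whether it is accepted.
    allowed_owner=None because the demo file belongs to the current user."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"[cloud_agent]\ntpm_ownerpassword = keylime\n")  # constructed
    try:
        os.chmod(tmp.name, mode)
        return config_is_private(tmp.name, allowed_owner=None)
    finally:
        os.unlink(tmp.name)
```

Against the world-readable installation shown above, `config_is_private("/etc/keylime.conf")` returns False; after `chmod 0600` it returns True.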
Upstream has confirmed the issue and has assigned CVE-2022-23952.
The issue is public now via the following security advisory:
Fixed in version 6.3.0 and both SLE-15-SP4 and Factory are updated.