Bugzilla – Bug 1204782
VUL-0: CVE-2022-3500: keylime: a node can seem attested when in reality it is not properly attested
Last modified: 2022-11-23 20:23:42 UTC
CVE-2022-3500 This vulnerability creates a false sense of security for keylime users -- i.e. a user could query keylime and conclude that a particular node/agent is correctly attested, while attestations are not in fact taking place.

Short explanation: the keylime verifier creates periodic reports on the state of each attested agent. The keylime verifier runs a set of python asynchronous processes to challenge attested nodes and create reports on the outcome. The vulnerability consists of the above named python asynchronous processes failing silently, i.e. quitting without leaving behind a database entry, raising an error or producing even a mention of an error in a log. The silent failure can be triggered by a small set of transient network failure conditions; recoverable device driver crashes being one such condition we saw in the wild.
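The failure mode described above is easy to reproduce with plain asyncio: a per-agent attestation task that dies on a transient network error leaves the agent's database record frozen at its last good state, so a status query still reports it as attesting. The following is an added illustration, not keylime code and not from this bug report; it uses a constructed in-memory record table and a constructed fake network in place of the verifier's database and agent connections, and contrasts an unsupervised task with one that has a done-callback which records the failure and logs it.

```python
import asyncio
import functools
import logging
from dataclasses import dataclass
from typing import Dict, Optional

log = logging.getLogger("attestation-supervisor")


# Constructed stand-in for one row of the verifier's agent table.
@dataclass
class AgentRecord:
    agent_id: str
    rounds_passed: int = 0
    operational_state: str = "start"   # "attesting" or "failed" in this demo
    last_error: Optional[str] = None


class FakeNetwork:
    """Constructed stand-in for quote requests to agents.

    `failures` maps agent_id -> number of successful answers before that agent's
    connection raises once (simulating a transient network/driver fault).
    """

    def __init__(self, failures: Dict[str, int]):
        self.failures = dict(failures)

    async def get_quote(self, agent_id: str) -> dict:
        await asyncio.sleep(0)                     # yield like a real socket read would
        remaining = self.failures.get(agent_id)
        if remaining is not None:
            if remaining == 0:
                raise ConnectionResetError(f"transient network failure for {agent_id}")
            self.failures[agent_id] = remaining - 1
        return {"agent": agent_id, "quote": "ok"}


async def attestation_loop(net: FakeNetwork, rec: AgentRecord, rounds: int) -> None:
    """Challenge one agent repeatedly; a real verifier loop would run indefinitely."""
    for _ in range(rounds):
        await net.get_quote(rec.agent_id)          # a raise here ends the task
        rec.rounds_passed += 1
        rec.operational_state = "attesting"


def record_outcome(task: asyncio.Task, rec: AgentRecord) -> None:
    """Done-callback: make a dead attestation task visible in the record and the log."""
    if task.cancelled():
        rec.operational_state = "failed"
        rec.last_error = "cancelled"
    elif task.exception() is not None:
        rec.operational_state = "failed"
        rec.last_error = repr(task.exception())
        log.error("attestation task for %s died: %s", rec.agent_id, rec.last_error)
    # Normal completion only happens in this bounded demo; nothing to record.


async def run_verifier(net: FakeNetwork, records: Dict[str, AgentRecord],
                       rounds: int, supervise: bool) -> None:
    tasks = []
    for rec in records.values():
        task = asyncio.create_task(attestation_loop(net, rec, rounds))
        if supervise:
            task.add_done_callback(functools.partial(record_outcome, rec=rec))
        tasks.append(task)
    # return_exceptions=True keeps one dead task from aborting the others; without
    # the callback, nothing writes that death back into the agent's record.
    await asyncio.gather(*tasks, return_exceptions=True)
    await asyncio.sleep(0)                         # let pending done-callbacks drain


def demo(supervise: bool) -> Dict[str, tuple]:
    """Run two constructed agents; agent-2 answers twice and then drops the connection."""
    net = FakeNetwork({"agent-2": 2})
    records = {a: AgentRecord(a) for a in ("agent-1", "agent-2")}
    asyncio.run(run_verifier(net, records, rounds=5, supervise=supervise))
    return {a: (r.operational_state, r.rounds_passed, r.last_error)
            for a, r in records.items()}


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print("unsupervised:", demo(supervise=False))   # agent-2 still looks like "attesting"
    print("supervised:  ", demo(supervise=True))    # agent-2 recorded as "failed"
```

In the unsupervised run, agent-2's record stays at `attesting` with two passed rounds even though no further challenges are being issued, which is exactly the false sense of security the report describes; the supervised run flips the record to `failed` with the exception text and emits a log line, so an operator querying the verifier sees that attestation has stopped.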
Already published: https://access.redhat.com/security/cve/CVE-2022-3500
SUSE-SU-2022:4204-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1204782
CVE References: CVE-2022-3500
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): keylime-6.3.2-150400.4.14.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): keylime-6.3.2-150400.4.14.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.