Bugzilla – Bug 1213310
VUL-0: CVE-2023-38200: keylime: registrar is subject to a DoS against SSL connections
Last modified: 2023-08-08 20:30:14 UTC
CVE-2023-38200 The Keylime Registrar is subject to a DoS attack against its SSL connections because they are blocking and a fairly simple attack could exhaust all of the available connections.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-38200
https://bugzilla.redhat.com/show_bug.cgi?id=2222692
https://github.com/keylime/keylime/pull/1421
Impact

Keylime registrar is prone to a simple denial of service attack in which an adversary opens a connection to the TLS port (by default, port 8891) blocking further, legitimate connections. As long as the connection is open, the registrar is blocked and cannot serve any further clients (agents and tenants), which prevents normal operation. The problem does not affect the verifier.

Patches

Users should upgrade to release 7.4.0

Credit

Reported by: Florian Kohnhäuser/@flozilla
Patched-by: Florian Kohnhäuser/@flozilla

https://github.com/keylime/keylime/security/advisories/GHSA-pg75-v6fp-8q59
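The failure mode described in the advisory is the generic one of a single-threaded accept loop: once the server has accepted a connection, it reads from that one socket until the peer speaks or goes away, and every other client waits in the listen backlog. The following is an added illustration of that pattern and of the two usual mitigations (serve each connection on its own thread, and put a per-connection timeout on idle peers); it is not Keylime's registrar code and not the change made in PR 1421. To stay self-contained it uses plain TCP on the loopback interface rather than TLS, and the "stalled client" is a constructed stand-in that simply connects and never sends a request. The test function returns whether a well-behaved second client is still served while that peer sits idle.

```python
import socket
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer, ThreadingHTTPServer


class Handler(BaseHTTPRequestHandler):
    # Per-connection socket timeout in seconds: a peer that connects and never
    # sends a request is dropped after this long instead of holding the handler
    # indefinitely. This is the second half of the defence; threading is the first.
    timeout = 2

    def do_GET(self):
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, format, *args):
        pass  # keep the demo silent


def start_server(server_cls):
    """Bind the given server class to an ephemeral loopback port and serve in a background thread."""
    srv = server_cls(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def stalled_client(port):
    """Constructed stand-in for a stalled peer: connects, then sends nothing."""
    return socket.create_connection(("127.0.0.1", port))


def probe(port, timeout=1.0):
    """Issue one GET as a well-behaved client; True if a 200 arrives within `timeout` seconds."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n")
            return s.recv(64).startswith(b"HTTP/1.0 200")
    except OSError:  # covers the read timeout as well as connection errors
        return False


def still_serves_with_stalled_peer(server_cls):
    """True if a second client is served while one idle peer holds a connection open."""
    srv = start_server(server_cls)
    port = srv.server_address[1]
    idle = stalled_client(port)
    time.sleep(0.2)  # let the server accept the idle connection before probing
    try:
        return probe(port)
    finally:
        idle.close()
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    # HTTPServer handles one connection at a time: the idle peer blocks everyone else.
    print("single-threaded:", still_serves_with_stalled_peer(HTTPServer))          # False
    # ThreadingHTTPServer gives each connection its own thread: the probe is served.
    print("threaded:       ", still_serves_with_stalled_peer(ThreadingHTTPServer))  # True
```

Threading alone stops one stalled peer from blocking all the others, but without the per-connection `timeout` each idle connection would still pin a thread (and, behind TLS, a half-finished handshake) for as long as the peer keeps the socket open, so both settings belong together. When reviewing a service for this class of problem, the questions to ask are the same two: does an accepted connection stop the accept loop, and is there an upper bound on how long a silent peer can be held.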
Update Factory and SUSE:SLE-15-SP4
SUSE-SU-2023:3245-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1213310
CVE References: CVE-2023-38200

Sources used:
openSUSE Leap 15.4 (src): keylime-6.3.2-150400.4.17.1
openSUSE Leap 15.5 (src): keylime-6.3.2-150400.4.17.1
Basesystem Module 15-SP4 (src): keylime-6.3.2-150400.4.17.1
Basesystem Module 15-SP5 (src): keylime-6.3.2-150400.4.17.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.