Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS05OWNnLTU3NXgtNzc0cM0n8w

Go-Attestation Improper Input Validation with attacker-controlled TPM Quote

Impact

An improper input validation vulnerability in go-attestation before 0.4.0 allows local users to supply a maliciously formed Quote that covers none or only some of the PCRs, causing AKPublic.Verify to succeed despite the inconsistency. The subsequent use of the same set of PCR values in Eventlog.Verify lacks the authentication that quote verification is meant to provide, so a local attacker could couple this vulnerability with a maliciously crafted TCG log passed to Eventlog.Verify to spoof events in the TCG log, thereby defeating remotely attested measured boot.

Patches

This issue is resolved in version 0.4.0. If your usage of this library verifies PCRs using multiple quotes, make sure to use the new method AKPublic.VerifyAll() instead of AKPublic.Verify.
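As an added illustration (not code from go-attestation), a small Go model of the distinction the patch draws: a per-quote check that only binds the PCRs the quote selected, beside a check that additionally requires the quotes, taken together, to cover every PCR that will later be fed to event-log replay. Quote, attestedDigest, verifyOne and verifyAll are hypothetical names; the quote signature check and TPM wire encoding are assumed to have been handled elsewhere.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
)

// Quote models a signature-checked TPM quote: the PCR indices selected and the digest over them.
type Quote struct {
	Selection []int
	PCRDigest []byte
}

// attestedDigest recomputes SHA-256 over the selected PCR values (index -> value map), in order.
func attestedDigest(pcrs map[int][]byte, sel []int) []byte {
	h := sha256.New()
	for _, i := range sel {
		h.Write(pcrs[i])
	}
	return h.Sum(nil)
}

// verifyOne is the weak check: it binds only the PCRs the quote selected, nothing more.
func verifyOne(q Quote, pcrs map[int][]byte) error {
	if !bytes.Equal(attestedDigest(pcrs, q.Selection), q.PCRDigest) {
		return fmt.Errorf("quote digest mismatch over PCRs %v", q.Selection)
	}
	return nil
}

// verifyAll is the hardened check: every quote verifies and their selections cover every PCR in use.
func verifyAll(quotes []Quote, pcrs map[int][]byte) error {
	covered := map[int]bool{}
	for _, q := range quotes {
		if err := verifyOne(q, pcrs); err != nil {
			return err
		}
		for _, i := range q.Selection {
			covered[i] = true
		}
	}
	for i := range pcrs {
		if !covered[i] {
			return fmt.Errorf("PCR %d is not covered by any quote", i)
		}
	}
	return nil
}
```

A quote with an empty selection passes verifyOne (its digest is simply the hash of nothing) but is rejected by verifyAll, which is the "no/some PCRs" case the advisory describes.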

Permalink: https://github.com/advisories/GHSA-99cg-575x-774p
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05OWNnLTU3NXgtNzc0cM0n8w
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: 8 months ago

CVSS Score: 4.0
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Identifiers: GHSA-99cg-575x-774p, CVE-2022-0317
References: https://github.com/google/go-attestation (repository)
Blast Radius: 8.7

Affected Packages

go:github.com/google/go-attestation
Dependent packages: 52
Dependent repositories: 151
Affected Version Ranges: < 0.4.0
Fixed in: 0.4.0
All affected versions: 0.1.1, 0.1.2, 0.1.3, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.3.0, 0.3.1, 0.3.2
All unaffected versions: 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.5.0, 0.5.1