Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1yMmg1LTNoZ3ctOGozNM4AAxt2
User data in TPM attestation vulnerable to MITM
Impact
Attestation user data (such as the digest of the public key in an aTLS connection) was bound to the issuer's TPM, but not to its PCR state. An attacker could intercept a node initialization, initialize the node themselves, and then impersonate an uninitialized node to the validator. In practice, this meant that a CSP insider with sufficient privileges would have been able to join a node under their control to a Constellation cluster.
Patches
The issue has been patched in v2.5.2.
Workarounds
none
Permalink: https://github.com/advisories/GHSA-r2h5-3hgw-8j34JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yMmg1LTNoZ3ctOGozNM4AAxt2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 year ago
Updated: about 1 year ago
Identifiers: GHSA-r2h5-3hgw-8j34
References:
- https://github.com/edgelesssys/constellation/security/advisories/GHSA-r2h5-3hgw-8j34
- https://github.com/edgelesssys/constellation/releases/tag/v2.5.2
- https://github.com/advisories/GHSA-r2h5-3hgw-8j34
Blast Radius: 0.0
Affected Packages
go:github.com/edgelesssys/constellation/v2
Dependent packages: 2Dependent repositories: 1
Downloads:
Affected Version Ranges: <= 2.5.1
Fixed in: 2.5.2
All affected versions: 2.0.0, 2.1.0, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.4.0, 2.5.0, 2.5.1
All unaffected versions: 2.5.2, 2.5.3, 2.6.0, 2.7.0, 2.7.1, 2.8.0, 2.9.0, 2.9.1, 2.10.0, 2.10.1, 2.11.0, 2.12.0, 2.13.0, 2.14.0, 2.14.1, 2.14.2, 2.14.3, 2.15.0, 2.15.1, 2.16.0, 2.16.1, 2.16.2