CVE-2017-16837 — Improper Input Validation in Boot Project Trusted Boot

CWE-20 — Improper Input Validation8 documents6 sources

Severity

7.8HIGHNVD

OSV9.8

EPSS

0.1%

top 69.42%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Ansible Trusted Boot Project Trusted Boot Debian Tboot

Timeline

PublishedNov 16

Latest updateMay 14

Description

Certain function pointers in Trusted Boot (tboot) through 1.9.6 are not validated and can cause arbitrary code execution, which allows local users to overwrite dynamic PCRs of Trusted Platform Module (TPM) by hooking these function pointers.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

▶NVDtrusted_boot_project/trusted_boot1.9.6

▶debiandebian/tboot

▶Ubunturedhat/ansible< 2.0.0.2-2ubuntu1.3+1

Patches

Patch: sourceforge.net ↗Patch: sourceforge.net ↗

🔴Vulnerability Details

GHSA

GHSA-86m6-cj8w-2c48: Certain function pointers in Trusted Boot (tboot) through 1↗2022-05-14

▶

OSV

ansible vulnerabilities↗2019-07-24

▶

OSV

CVE-2017-16837: Certain function pointers in Trusted Boot (tboot) through 1↗2017-11-16

▶

📋Vendor Advisories

Red Hat

tboot: Incorrect validation of certain function pointers↗2017-11-13

▶

Debian

CVE-2017-16837: tboot - Certain function pointers in Trusted Boot (tboot) through 1.9.6 are not validate...↗2017

▶

💬Community

Bugzilla

CVE-2017-16837 tboot: Incorrect validation of certain function pointers [fedora-all]↗2017-11-20

▶

Bugzilla

CVE-2017-16837 tboot: Incorrect validation of certain function pointers↗2017-11-20

▶