CVE-2021-3446Use of a Broken or Risky Cryptographic Algorithm in Project Libtpms

CWE-327Use of a Broken or Risky Cryptographic AlgorithmCWE-330Use of Insufficiently Random Values6 documents6 sources
Severity
5.5MEDIUMNVD
EPSS
0.0%
top 85.51%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Libtpms Project LibtpmsFedoraproject FedoraRedhat Enterprise Linux
Timeline
PublishedMar 25
Latest updateMay 24

Description

A flaw was found in libtpms in versions before 0.8.2. The commonly used integration of libtpms with OpenSSL contained a vulnerability related to the returned IV (initialization vector) when certain symmetric ciphers were used. Instead of returning the last IV it returned the initial IV to the caller, thus weakening the subsequent encryption and decryption steps. The highest threat from this vulnerability is to data confidentiality.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

Debianlibtpms_project/libtpms< 0.8.2-1+2
CVEListV5libtpms_project/libtpmslibtpms 0.8.2

Also affects: Fedora 33, Enterprise Linux 8.0

Patches

Patch: bugzilla.redhat.comPatch: bugzilla.redhat.com

🔴Vulnerability Details

3
GHSA
GHSA-3cfm-94xc-h7hp: A flaw was found in libtpms in versions before 02022-05-24
CVEList
CVE-2021-3446: A flaw was found in libtpms in versions before 02021-03-25
OSV
CVE-2021-3446: A flaw was found in libtpms in versions before 02021-03-25

📋Vendor Advisories

2
Red Hat
libtpms: return of wrong initialization vector when certain symmetric ciphers are used2021-03-01
Debian
CVE-2021-3446: libtpms - A flaw was found in libtpms in versions before 0.8.2. The commonly used integrat...2021
CVE-2021-3446 — Libtpms Project Libtpms vulnerability | cvebase