CVE-2023-3674 — Mutable Attestation or Measurement Reporting Data in Keylime

CWE-1283 — Mutable Attestation or Measurement Reporting Data CWE-1341 — Multiple Releases of Same Resource or Handle7 documents5 sources

Severity

2.8LOWNVD

CNA2.3

EPSS

0.0%

top 92.79%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Keylime Fedoraproject Fedora

Timeline

PublishedJul 19

Latest updateOct 4

Description

A flaw was found in the keylime attestation verifier, which fails to flag a device's submitted TPM quote as faulty when the quote's signature does not validate for some reason. Instead, it will only emit an error in the log without flagging the device as untrusted.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:NExploitability: 1.3 | Impact: 1.4

Affected Packages2 packages

▶NVDkeylime/keylime< 7.2.5

▶PyPIkeylime/keylime< 7.2.5+1

Also affects: Fedora 38

Patches

Patch: bugzilla.redhat.com ↗Patch: github.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

OSV

keylime fails to flag device as untrusted when signature does not validate↗2023-07-19

▶

CVEList

Keylime: attestation failure when the quote's signature does not validate↗2023-07-19

▶

OSV

CVE-2023-3674: A flaw was found in the keylime attestation verifier, which fails to flag a device's submitted TPM quote as faulty when the quote's signature does not↗2023-07-19

▶

GHSA

keylime fails to flag device as untrusted when signature does not validate↗2023-07-19

▶

📋Vendor Advisories

Red Hat

kernel: jfs: fix invalid free of JFS_IP(ipimap)->i_imap in diUnmount↗2025-10-04

▶

Red Hat

keylime: Attestation failure when the quote's signature does not validate↗2023-07-12

▶