CVE-2023-43631
published 2023-09-21CVE-2023-43631: On boot, the Pillar eve container checks for the existence and content of “/config/authorized_keys”. If the file is present, and contains a supported public…
PriorityP346high8.8CVSS 3.1
AVLACLPRLUINSCCHIHAH
EPSS
0.16%
5.6th percentile
On boot, the Pillar eve container checks for the existence and content of
“/config/authorized_keys”.
If the file is present, and contains a supported public key, the container will go on to open
port 22 and enable sshd with the given keys as the authorized keys for root login.
An attacker could easily add their own keys and gain full control over the system without
triggering the “measured boot” mechanism implemented by EVE OS, and without marking
the device as “UUD” (“Unknown Update Detected”).
This is because the “/config” partition is not protected by “measured boot”, it is mutable, and
it is not encrypted in any way.
An attacker can gain full control over the device without changing the PCR values, thus not
triggering the “measured boot” mechanism, and having full access to the vault.
Note:
This issue was partially fixed in these commits (after disclosure to Zededa), where the config
partition measurement was added to PCR13:
• aa3501d6c57206ced222c33aea15a9169d629141
• 5fef4d92e75838cc78010edaed5247dfbdae1889.
This issue was made viable in version 9.0.0 when the calculation was moved to PCR14 but it was not included in the measured boot.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | lf-edge_eve | >= 0 < 0.0.0-20220708121648-5fef4d92e758 | 0.0.0-20220708121648-5fef4d92e758 |
| lf-edge_zededa | eve_os | < 8.6.0 | 8.6.0 |
| lf-edge_zededa | eve_os | >= 9.0.0 < 9.5.0 | 9.5.0 |
| linuxfoundation | edge_virtualization_engine | < 8.6.0 | 8.6.0 |
| linuxfoundation | edge_virtualization_engine | >= 9.0.0 < 9.5.0 | 9.5.0 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
EVE: SSH as Root Unlockable Without Triggering Measured Boot in github.com/lf-edge/eve
osv·2026-02-05
CVE-2023-43631 EVE: SSH as Root Unlockable Without Triggering Measured Boot in github.com/lf-edge/eve
EVE: SSH as Root Unlockable Without Triggering Measured Boot in github.com/lf-edge/eve
EVE: SSH as Root Unlockable Without Triggering Measured Boot in github.com/lf-edge/eve
OSV
EVE: SSH as Root Unlockable Without Triggering Measured Boot
osv·2026-02-04
CVE-2023-43631 [MEDIUM] EVE: SSH as Root Unlockable Without Triggering Measured Boot
EVE: SSH as Root Unlockable Without Triggering Measured Boot
### Impact
On boot, the Pillar container checks for /config/authorized_keys. If present with a valid public key, it enables SSH on port 22 with root login. The /config partition is not protected by measured boot, is mutable and unencrypted.
This enables an attacker with physical access to the device to take out the disk, modify the /config partition using a separate server, then insert it, without the inserted key being flagged as an integrity voilation my measured boot and remote attestation.
### Patches
Patched in 9.4.3-lts
### Workarounds
None (apart from preventing physical access to the device)
GHSA
EVE: SSH as Root Unlockable Without Triggering Measured Boot
ghsa·2026-02-04
CVE-2023-43631 [MEDIUM] CWE-522 EVE: SSH as Root Unlockable Without Triggering Measured Boot
EVE: SSH as Root Unlockable Without Triggering Measured Boot
### Impact
On boot, the Pillar container checks for /config/authorized_keys. If present with a valid public key, it enables SSH on port 22 with root login. The /config partition is not protected by measured boot, is mutable and unencrypted.
This enables an attacker with physical access to the device to take out the disk, modify the /config partition using a separate server, then insert it, without the inserted key being flagged as an integrity voilation my measured boot and remote attestation.
### Patches
Patched in 9.4.3-lts
### Workarounds
None (apart from preventing physical access to the device)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2023-09-21
Published