CVE-2023-43633
Published: 2023-09-21
Priority: P347 · high · 8.8 (CVSS 3.1)
Vector: AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.16% (5.6th percentile)
On boot, the Pillar eve container checks for the existence and content of “/config/GlobalConfig/global.json”. If the file exists, it overrides the existing configuration on the device on boot. This allows an attacker to change the system’s configuration, which also includes some debug functions.

This could be used to unlock SSH with custom “authorized_keys” via the “debug.enable.ssh” key, similar to the “authorized_keys” finding that was noted before. Other uses include unlocking USB to enable the keyboard via the “debug.enable.usb” key, allowing VNC access via the “app.allow.vnc” key, and more.

An attacker could easily enable these debug functionalities without triggering the “measured boot” mechanism implemented by EVE OS, and without marking the device as “UUD” (“Unknown Update Detected”). This is because the “/config” partition is not protected by “measured boot”: it is mutable and is not encrypted in any way.

An attacker can gain full control over the device without changing the PCR values, thereby not triggering the “measured boot” mechanism, and gain full access to the vault.
Note:
This issue was partially fixed in these commits (after disclosure to Zededa), where the config
partition measurement was added to PCR13:
• aa3501d6c57206ced222c33aea15a9169d629141
• 5fef4d92e75838cc78010edaed5247dfbdae1889

This issue was made viable in version 9.0.0, when the calculation was moved to PCR14 but was not included in the measured boot.
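As an added example (not code from the EVE project or from the advisory), the Go sketch below audits a global.json for the three keys named above and models a SHA-256 PCR extend, showing why a measured config file makes any edit visible in the PCR value. The sample content and the choice to hash the raw file bytes are assumptions; how EVE itself measures the config partition is not described on this page.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"sort"
)

// Keys the advisory names as unlockable through global.json.
var debugKeys = map[string]bool{"debug.enable.ssh": true, "debug.enable.usb": true, "app.allow.vnc": true}
// FindDebugKeys walks the JSON at any depth (no file layout is assumed) and returns sorted "key=value" hits.
func FindDebugKeys(raw []byte) ([]string, error) {
	var doc interface{}
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, err
	}
	out := []string{}
	var walk func(v interface{})
	walk = func(v interface{}) {
		switch t := v.(type) {
		case map[string]interface{}:
			for k, child := range t {
				if debugKeys[k] {
					out = append(out, fmt.Sprintf("%s=%v", k, child))
				}
				walk(child)
			}
		case []interface{}:
			for _, child := range t {
				walk(child)
			}
		}
	}
	walk(doc)
	sort.Strings(out)
	return out, nil
}

// Extend models a TPM 2.0 SHA-256 PCR extend: new = SHA256(old || SHA256(data)).
func Extend(pcr [32]byte, data []byte) [32]byte {
	d := sha256.Sum256(data)
	return sha256.Sum256(append(pcr[:], d[:]...))
}

func main() {
	tampered := []byte(`{"nested": {"app.allow.vnc": true}}`) // constructed sample, not a real EVE file
	fmt.Println(FindDebugKeys(tampered))
	fmt.Printf("PCR after extend: %x\n", Extend([32]byte{}, tampered))
}
```

A verifier comparing the extended value against the one recorded for the known-good file would see a mismatch after any change to the file, which is the property the unmeasured “/config” partition lacked.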
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | lf-edge_eve | >= 0 < 0.0.0-20220708121648-5fef4d92e758 | 0.0.0-20220708121648-5fef4d92e758 |
| lf-edge_zededa | eve_os | < 8.6.0 | 8.6.0 |
| lf-edge_zededa | eve_os | >= 9.0.0 < 9.5.0 | 9.5.0 |
| lfedge | eve | < 8.6.0 | 8.6.0 |
| lfedge | eve | >= 9.0.0 < 9.5.0 | 9.5.0 |
OSV
EVE's Debug Functions Unlockable Without Triggering Measured Boot in github.com/lf-edge/eve
osv·2026-02-05
CVE-2023-43633 EVE's Debug Functions Unlockable Without Triggering Measured Boot in github.com/lf-edge/eve
OSV
EVE's Debug Functions Unlockable Without Triggering Measured Boot
osv·2026-02-04
CVE-2023-43633 [MEDIUM] EVE's Debug Functions Unlockable Without Triggering Measured Boot
### Impact
On boot, Pillar checks for /config/GlobalConfig/global.json and overrides system configuration if present. This allows enabling debug functions like SSH (debug.enable.ssh), USB keyboard (debug.enable.usb), and VNC access (app.allow.vnc) without triggering the measured boot. Thus, a user with physical access can take out the disk and modify the content of this file in the /config partition and then re-insert the disk.
### Patches
Fixed in 10.1.0 and 9.4.3-lts
### Workarounds
None
GHSA
EVE's Debug Functions Unlockable Without Triggering Measured Boot
ghsa·2026-02-04
CVE-2023-43633 [MEDIUM] CWE-522 EVE's Debug Functions Unlockable Without Triggering Measured Boot
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2023-09-21
Published