CVE-2024-29038 — Mutable Attestation or Measurement Reporting Data in Project Tpm2-tools

CWE-1283 — Mutable Attestation or Measurement Reporting Data CWE-1390 — Weak Authentication CWE-20 — Improper Input Validation5 documents5 sources

Severity

3.3LOWNVD

EPSS

0.1%

top 70.97%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tpm2-tools Project Tpm2-tools Debian Tpm2-tools Tpm2-software Tpm2-tools +4 more

Timeline

PublishedJun 28

Description

tpm2-tools is the source repository for the Trusted Platform Module (TPM2.0) tools. A malicious attacker can generate arbitrary quote data which is not detected by `tpm2 checkquote`. This issue was patched in version 5.7.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 1.8 | Impact: 1.4

Affected Packages8 packages

▶debiandebian/tpm2-tools< tpm2-tools 5.7-1 (forky)

▶NVDtpm2-tools_project/tpm2-tools4.1 — 5.5.1+1

▶Debiantpm2-tools_project/tpm2-tools< 5.7-1+1

▶CVEListV5tpm2-software/tpm2-tools>= 4.1-rc0, < 5.7

▶msrcmsrc/azl3_tpm2-tools_5.5.1-1_on_azure_linux_3.0

🔴Vulnerability Details

OSV

CVE-2024-29038: tpm2-tools is the source repository for the Trusted Platform Module (TPM2↗2024-06-28

▶

📋Vendor Advisories

Microsoft

tpm2 does not detect if quote was not generated by TPM↗2024-06-11

▶

Red Hat

tpm2-tools: arbitrary quote data may go undetected by tpm2_checkquote↗2024-04-30

▶

Debian

CVE-2024-29038: tpm2-tools - tpm2-tools is the source repository for the Trusted Platform Module (TPM2.0) too...↗2024

▶