Lf-Edge Zededa Eve Os vulnerabilities
8 known vulnerabilities affecting lf-edge_zededa/eve_os.
Total CVEs
8
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL1HIGH7
Vulnerabilities
Page 1 of 1
CVE-2023-43632P2CRITICALCVSS 9.9≥ 3.0.0, < 9.5.02023-09-21
CVE-2023-43632 [CRITICAL] CWE-789 CVE-2023-43632: As noted in the “VTPM.md” file in the eve documentation, “VTPM is a server listening on port 8877 i
As noted in the “VTPM.md” file in the eve documentation, “VTPM is a server listening on port
8877 in EVE, exposing limited functionality of the TPM to the clients.
VTPM allows clients to
execute tpm2-tools binaries from a list of hardcoded options”
The communication with this server is done using protobuf, and the data is comprised of 2
parts:
1.
nvd
CVE-2023-43633P3HIGHCVSS 8.8fixed in 8.6.0≥ 9.0.0, < 9.5.02023-09-21
CVE-2023-43633 [HIGH] CWE-522 CVE-2023-43633: On boot, the Pillar eve container checks for the existence and content of “/config/GlobalConfig/glo
On boot, the Pillar eve container checks for the existence and content of
“/config/GlobalConfig/global.json”.
If the file exists, it overrides the existing configuration on the device on boot.
This allows an attacker to change the system’s configuration, which also includes some
debug functions.
This could be used to unlock the ssh with custom “auth
nvd
CVE-2023-43634P3HIGHCVSS 8.8fixed in 8.6.0≥ 9.0.0, < 9.5.02023-09-21
CVE-2023-43634 [HIGH] CWE-522 CVE-2023-43634: When sealing/unsealing the “vault” key, a list of PCRs is used, which defines which PCRs are used.
When sealing/unsealing the “vault” key, a list of PCRs is used, which defines which PCRs
are used.
In a previous project, CYMOTIVE found that the configuration is not protected by the secure
boot, and in response Zededa implemented measurements on the config partition that was
mapped to PCR 13.
In that process, PCR 13 was added to the list of PCRs tha
nvd
CVE-2023-43631P3HIGHCVSS 8.8fixed in 8.6.0≥ 9.0.0, < 9.5.02023-09-21
CVE-2023-43631 [HIGH] CWE-522 CVE-2023-43631: On boot, the Pillar eve container checks for the existence and content of “/config/authorized_keys”
On boot, the Pillar eve container checks for the existence and content of
“/config/authorized_keys”.
If the file is present, and contains a supported public key, the container will go on to open
port 22 and enable sshd with the given keys as the authorized keys for root login.
An attacker could easily add their own keys and gain full control over the
nvd
CVE-2023-43636P3HIGHCVSS 8.8≥ 9.0.0, < 9.5.0fixed in 8.6.02023-09-20
CVE-2023-43636 [HIGH] CWE-345 CVE-2023-43636: In EVE OS, the “measured boot” mechanism prevents a compromised device from accessing the encrypt
In EVE OS, the “measured boot” mechanism prevents a compromised device from accessing
the encrypted data located in the vault.
As per the “measured boot” design, the PCR values calculated at different stages of the boot
process will change if any of their respective parts are changed.
This includes, among other things, the configuration of the bios, gr
nvd
CVE-2023-43635P3HIGHCVSS 8.8fixed in 9.5.02023-09-20
CVE-2023-43635 [HIGH] CWE-328 CVE-2023-43635: Vault Key Sealed With SHA1 PCRs The measured boot solution implemented in EVE OS leans on a P
Vault Key Sealed With SHA1 PCRs
The measured boot solution implemented in EVE OS leans on a PCR locking mechanism.
Different parts of the system update different PCR values in the TPM, resulting in a unique
value for each PCR entry.
These PCRs are then used in order to seal/unseal a key from the TPM which is used to
encrypt/decrypt the “vault” directory.
nvd
CVE-2023-43630P3HIGHCVSS 8.8≥ 9.0.0, < 9.5.02023-09-20
CVE-2023-43630 [HIGH] CWE-328 CVE-2023-43630: PCR14 is not in the list of PCRs that seal/unseal the “vault” key, but due to the change that was im
PCR14 is not in the list of PCRs that seal/unseal the “vault” key, but
due to the change that was implemented in commit
“7638364bc0acf8b5c481b5ce5fea11ad44ad7fd4”, fixing this issue alone would not solve the
problem of the config partition not being measured correctly.
Also, the “vault” key is sealed/unsealed with SHA1 PCRs instead of
SHA256.
This is
nvd
CVE-2023-43637P3HIGHCVSS 7.8fixed in 7.102023-09-21
CVE-2023-43637 [HIGH] CWE-321 CVE-2023-43637: Due to the implementation of "deriveVaultKey", prior to version 7.10, the generated vault key would
Due to the implementation of "deriveVaultKey", prior to version 7.10, the generated vault key
would always have the last 16 bytes predetermined to be "arfoobarfoobarfo".
This issue happens because "deriveVaultKey" calls "retrieveCloudKey" (which will always
return "foobarfoobarfoobarfoobarfoobarfo" as the key), and then merges the 32byte
randomly gene
nvd