PyPi: Keylime

CVE-2023-38201

Safety vulnerability ID: 64649


Created at Aug 25, 2023 Updated at Nov 29, 2024

Advisory

Keylime 7.5.0 fixes CVE-2023-38201, a flaw in the Keylime registrar that allowed an attacker to bypass the challenge-response protocol performed during agent registration. By impersonating an agent and getting it added to the verifier list, an attacker could compromise the integrity of the registrar database.

Affected package

keylime

Latest version: 7.10.0

TPM-based key bootstrapping and system integrity measurement system for cloud

Affected versions

Fixed versions

Vulnerability changelog

What's Changed

New features and significant changes:
* (Fix for [CVE-2023-38201](https://www.cvedetails.com/cve/CVE-2023-38201/), details on this [Security Advisory](https://github.com/keylime/keylime/security/advisories/GHSA-f4r5-q63f-gcww) ) Challenge-response protocol between Registrar and (untrusted) Agent can be bypassed by an attacker by maugustosilva in https://github.com/keylime/keylime/commit/9e5ac9f25cd400b16d5969f531cee28290543f2a
* mba: Manage the number of measured boot attestation by niteeshkd in https://github.com/keylime/keylime/pull/1433
* tpm_cert_store: add the Alibaba Cloud vTPM EK x509 cert by Jingshui1037 in https://github.com/keylime/keylime/pull/1448

Bugfixes:
* verifier: close session in worker_webhook function by kkaarreell in https://github.com/keylime/keylime/pull/1456
* elchecking/example: add ignores for EV_PLATFORM_CONFIG_FLAGS by THS-on in https://github.com/keylime/keylime/pull/1450
* verifier: should read parameters from verifier.conf only by maugustosilva in https://github.com/keylime/keylime/pull/1458
* templates/2.0/mapping.json: fix the default registrar_port error in the verifier config by Jingshui1037 in https://github.com/keylime/keylime/pull/1441

Testing/CI:
* Update container build workflow actions by ansasaki in https://github.com/keylime/keylime/pull/1447
* installer.sh: use the -i parameter variable to set the default binding and listening IP (127.0.0.1 or 0.0.0.0) for the agent, verifier, and registrar servers by Jingshui1037 in https://github.com/keylime/keylime/pull/1444
* requirements.txt: update the required sqlalchemy version to 1.3.12 and above by Jingshui1037 in https://github.com/keylime/keylime/pull/1454

Code cleanup
* codestyle: Fix access to possibly not available package 'rpm' (pyright) by stefanberger in https://github.com/keylime/keylime/pull/1443

Documentation

Administrative
* Monthly release (7.5.0) by maugustosilva in https://github.com/keylime/keylime/pull/1460

New Contributors
* niteeshkd made their first contribution in https://github.com/keylime/keylime/pull/1433

**Full Changelog**: https://github.com/keylime/keylime/compare/v7.4.0...v7.5.0


Severity Details

CVSS Base Score

MEDIUM 6.5

CVSS v3 Details

Attack Vector (AV): ADJACENT_NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): NONE
Integrity Impact (I): HIGH
Availability Impact (A): NONE