CVE-2023-43635

Severity CVSS v4.0:
Pending analysis
Type:
CWE-327 Use of a Broken or Risky Cryptographic Algorithm
Publication date:
20/09/2023
Last modified:
28/09/2023

Description

Vault Key Sealed With SHA1 PCRs

The measured boot solution implemented in EVE OS leans on a PCR locking mechanism.

Different parts of the system update different PCR values in the TPM, resulting in a unique value for each PCR entry.

These PCRs are then used to seal/unseal a key from the TPM, which is used to encrypt/decrypt the “vault” directory.

This “vault” directory is the most sensitive point in the system and as such, its content should be protected.

This mechanism is noted in Zededa’s documentation as the “measured boot” mechanism, designed to protect said “vault”.

The code that’s responsible for generating and fetching the key from the TPM assumes that SHA256 PCRs are used to seal/unseal the key, and as such their presence is checked.

The issue here is that the key is not sealed using SHA256 PCRs, but using SHA1 PCRs. This leads to several issues:

• Machines that have their SHA256 PCRs enabled but SHA1 PCRs disabled are not sealing their keys at all, meaning the “vault” is not protected from an attacker.

• SHA1 is considered insecure and reduces the complexity level required to unseal the key in machines which have their SHA1 PCRs enabled.

An attacker can very easily retrieve the contents of the “vault”, which will effectively render the “measured boot” mechanism meaningless.
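The mismatch described above (the presence of SHA256 PCRs is checked, but the key is sealed against SHA1 PCRs) can be caught by validating the sealing selection against the bank that was checked and the banks the TPM has enabled. The following Go code is an added example, not EVE OS code; the `Bank`, `Selection` and `AuditSeal` names, the error values and the sample bank allocation are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

type Bank string // TPM PCR hash bank (hypothetical type)

// Selection is the PCR set a sealing policy is bound to (hypothetical type).
type Selection struct {
	Bank Bank
	PCRs []int
}

var (
	ErrBankDiffers = errors.New("key sealed against a different bank than the one checked")
	ErrWeakBank    = errors.New("key sealed against SHA1 PCRs")
	ErrNotBound    = errors.New("selected PCR is not allocated, key is not bound to it")
)

// AuditSeal compares the bank whose presence was checked with the selection
// actually used for sealing; allocated maps each enabled bank to its PCRs.
func AuditSeal(checked Bank, seal Selection, allocated map[Bank][]int) error {
	if seal.Bank != checked {
		return ErrBankDiffers
	}
	if seal.Bank == "sha1" {
		return ErrWeakBank
	}
	have := map[int]bool{}
	for _, i := range allocated[seal.Bank] {
		have[i] = true
	}
	if len(seal.PCRs) == 0 {
		return ErrNotBound
	}
	for _, i := range seal.PCRs {
		if !have[i] {
			return fmt.Errorf("PCR %d (%s): %w", i, seal.Bank, ErrNotBound)
		}
	}
	return nil
}

func main() {
	// Constructed input: SHA256 bank enabled, SHA1 bank disabled.
	alloc := map[Bank][]int{"sha256": {0, 1, 2, 3, 4, 5, 6, 7}}
	fmt.Println(AuditSeal("sha256", Selection{"sha1", []int{0, 1, 2}}, alloc))
}
```

Run against the constructed input, the audit reports the bank mismatch before any key would be sealed; a selection in the checked SHA256 bank with allocated PCRs passes.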

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linuxfoundation:edge_virtualization_engine:*:*:*:*:*:*:*:* 9.5.0 (excluding)


References to Advisories, Solutions, and Tools