The U and V keys are the two halves of the bootstrap key that the agent combines to decrypt the payload delivered to it during enrollment, so a request that replaces them replaces the agent's idea of who provisioned it. To exploit this issue, an attacker would need to perform the following steps:
1. Craft a request to the agent that resets the U and V keys as if the agent were being re-added to a verifier.
2. Send this request to the agent.
3. If the agent accepts the request, it processes the new keys, and the outcome can be remote code execution on the agent.
In short, an attacker can obtain remote code execution on the agent by sending a crafted key reset request to it. This issue was addressed in Keylime 6.4.0; upgrade to 6.4.0 or later.

In some circumstances, an agent that receives a reset request carrying an invalid UUID from a party it has not verified crashes instead of rejecting the request. This is a denial of service: a crashed agent answers no further attestation requests until it is restarted.

An attacker can use this issue to crash an agent and deny its verifier further attestations until the agent is restarted. This issue was also addressed in Keylime 6.4.0; upgrade to 6.4.0 or later.
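The failure mode above is the classic one of parsing an untrusted identifier without validating it: a malformed value raises inside the request handler and the process dies. The following is an added illustration of that pattern and of the check that prevents it, written for this page; it is not Keylime's handler, and the request bodies, field name (agent_id) and function names are constructed for the example. Whether such a request is authorized at all is a separate check that this example does not model.

```python
import json
import uuid
from typing import Optional, Tuple

# Constructed sample request bodies for the example (not captured traffic).
VALID_BODY = json.dumps({"agent_id": "d432fbb3-d2f1-4a97-9ef7-75bd81c00000"})
INVALID_BODY = json.dumps({"agent_id": "not-a-uuid"})
MISSING_BODY = json.dumps({"nothing": 1})


def handle_reset_unchecked(body: str) -> Tuple[int, str]:
    """Naive handler: converts the identifier without validating it.

    A malformed value makes uuid.UUID() raise ValueError. In a server that
    does not catch the exception, the request handler (or the whole agent,
    depending on how it is run) goes down: the crash described above.
    """
    data = json.loads(body)
    agent_id = uuid.UUID(data["agent_id"])  # raises on bad input
    return 200, f"reset accepted for {agent_id}"


def parse_agent_id(value) -> Optional[uuid.UUID]:
    """Return the UUID if value is a canonical UUID string, else None."""
    if not isinstance(value, str):
        return None
    try:
        parsed = uuid.UUID(value)
    except ValueError:
        return None
    # uuid.UUID() also accepts braces, a urn:uuid: prefix and hyphen-free
    # hex. Requiring the canonical spelling means one agent cannot be
    # named in several different ways by a caller.
    if str(parsed) != value.lower():
        return None
    return parsed


def handle_reset_checked(body: str) -> Tuple[int, str]:
    """Hardened handler: every malformed input becomes a 400, never a crash."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return 400, "malformed JSON"
    if not isinstance(data, dict):
        return 400, "body must be a JSON object"
    agent_id = parse_agent_id(data.get("agent_id"))
    if agent_id is None:
        return 400, "agent_id must be a canonical UUID"
    return 200, f"reset accepted for {agent_id}"


if __name__ == "__main__":
    for body in (VALID_BODY, INVALID_BODY, MISSING_BODY):
        print(handle_reset_checked(body))
```

The hardened handler validates the identifier before it is used for anything, and the rejection path is a normal response rather than an exception escaping the handler; that is the property to look for when reviewing any endpoint that accepts an agent identifier from the network.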

Summary


Keylime versions before 6.4.0 have two issues in the agent. First, a crafted request that resets the U and V keys, as if the agent were being re-added to a verifier, can lead to remote code execution on the agent. Second, in some circumstances a reset request carrying an invalid UUID from a party the agent has not verified crashes the agent; this is a denial of service and does not by itself give code execution. Both issues were addressed in Keylime 6.4.0 or later.

How to Update to Keylime 6.4.0 or Later

Keylime is published as tagged source releases on GitHub (https://github.com/keylime/keylime) and as the keylime package on PyPI, and several distributions ship it as a package. To update:
1. Install version 6.4.0 or later through the same channel you installed from: your distribution's package manager, pip, or a checkout of the 6.4.0 (or later) release tag.
2. Restart the agent service (keylime_agent) on every attested host. The fixes are in the agent, so a host still running an older agent remains exposed even after the verifier and registrar have been upgraded.
3. Confirm that the version actually running on each host is 6.4.0 or later before treating it as fixed.
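Step 3 above is the one that gets skipped in practice, so here is an added example of the check, written for this page rather than taken from Keylime. It compares an installed version against the first fixed release, treating pre-release suffixes such as rc1 as older than the bare release, and it assumes a pip-installed keylime package (a distribution package or the Rust agent would have to be queried through the package manager or the agent binary instead).

```python
import re
from importlib import metadata
from typing import Optional, Tuple

# First release carrying the fixes described in this advisory.
MIN_FIXED = (6, 4, 0)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(.*)$")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn 'X.Y.Z' plus an optional suffix into a comparable tuple.

    The fourth element orders the suffix: 0 for a plain release or a
    '.postN' rebuild, -1 for anything else (rc1, b2, a1, ...), so that
    '6.4.0rc1' sorts below '6.4.0' and is not reported as fixed.
    Returns None for strings that do not look like a version at all.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    release_grade = 0 if suffix == "" or suffix.startswith(".post") else -1
    return int(major), int(minor), int(patch), release_grade


def is_fixed(version_text: str) -> bool:
    """True if version_text names a release at or after MIN_FIXED."""
    parsed = parse_version(version_text)
    return parsed is not None and parsed >= MIN_FIXED + (0,)


def installed_keylime_version() -> Optional[str]:
    """Version of the pip-installed keylime package, or None if not present.

    Assumption for this example: keylime was installed with pip into the
    interpreter running this script. Other install methods need another query.
    """
    try:
        return metadata.version("keylime")
    except metadata.PackageNotFoundError:
        return None


if __name__ == "__main__":
    version = installed_keylime_version()
    if version is None:
        print("keylime python package not found in this interpreter")
    else:
        state = "fixed" if is_fixed(version) else "UPGRADE REQUIRED"
        print(f"keylime {version}: {state}")
```

Run it on each attested host with the interpreter the agent uses; a missing package is as much a finding as an old one, because it means the agent is installed some other way and has not been checked yet.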

Timeline

Published on: 09/21/2022 19:15:00 UTC
Last modified on: 09/22/2022 16:19:00 UTC
