keylime-agent-6.4.0-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:12104 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z keylime-agent-6.4.0-1.1 on GA media These are all security issues fixed in the keylime-agent-6.4.0-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-12104 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:12104 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2022-1053/ SUSE CVE CVE-2022-1053 page openSUSE Tumbleweed keylime-agent-6.4.0-1.1 keylime-config-6.4.0-1.1 keylime-firewalld-6.4.0-1.1 keylime-registrar-6.4.0-1.1 keylime-tpm_cert_store-6.4.0-1.1 keylime-verifier-6.4.0-1.1 python310-keylime-6.4.0-1.1 python38-keylime-6.4.0-1.1 python39-keylime-6.4.0-1.1 keylime-agent-6.4.0-1.1 as a component of openSUSE Tumbleweed keylime-config-6.4.0-1.1 as a component of openSUSE Tumbleweed keylime-firewalld-6.4.0-1.1 as a component of openSUSE Tumbleweed keylime-registrar-6.4.0-1.1 as a component of openSUSE Tumbleweed keylime-tpm_cert_store-6.4.0-1.1 as a component of openSUSE Tumbleweed keylime-verifier-6.4.0-1.1 as a component of openSUSE Tumbleweed python310-keylime-6.4.0-1.1 as a component of openSUSE Tumbleweed python38-keylime-6.4.0-1.1 as a component of openSUSE Tumbleweed python39-keylime-6.4.0-1.1 as a component of openSUSE Tumbleweed Keylime does not enforce that the agent registrar data is the same when the tenant uses it for validation of the EK and identity quote and the verifier for validating the integrity quote. This allows an attacker to use one AK, EK pair from a real TPM to pass EK validation and give the verifier an AK of a software TPM. A successful attack breaks the entire chain of trust because a not validated AK is used by the verifier. This issue is worse if the validation happens first and then the agent gets added to the verifier because the timing is easier and the verifier does not validate the regcount entry being equal to 1, CVE-2022-1053 openSUSE Tumbleweed:keylime-agent-6.4.0-1.1 openSUSE Tumbleweed:keylime-config-6.4.0-1.1 openSUSE Tumbleweed:keylime-firewalld-6.4.0-1.1 openSUSE Tumbleweed:keylime-registrar-6.4.0-1.1 openSUSE Tumbleweed:keylime-tpm_cert_store-6.4.0-1.1 openSUSE Tumbleweed:keylime-verifier-6.4.0-1.1 openSUSE Tumbleweed:python310-keylime-6.4.0-1.1 openSUSE Tumbleweed:python38-keylime-6.4.0-1.1 openSUSE Tumbleweed:python39-keylime-6.4.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-1053.html CVE-2022-1053 https://bugzilla.suse.com/1199253 SUSE Bug 1199253