Описание
Keylime registrar is vulnerable to Denial-of-Service attack when updated to version 7.12.0
Impact
The Keylime registrar implemented more strict type checking on version 7.12.0. As a result, when updated to version 7.12.0, the registrar will not accept the format of the data previously stored in the database by versions >= 7.8.0, raising an exception.
This makes the Keylime registrar vulnerable to a Denial-of-Service attack in an update scenario, as an attacker could populate the registrar database by creating multiple valid agent registrations with different UUIDs while the version is still < 7.12.0. Then, when the Keylime registrar is updated to the 7.12.0 version, any query to the database matching any of the entries populated by the attacker will result in failure.
Patches
Users should upgrade to versions >= 7.12.1
Workarounds
- Remove the registrar database and re-register all agents
Credit
Reported by: Anderson Toshiyuki Sasaki/@ansasaki Patched by: Anderson Toshiyuki Sasaki/@ansasaki
Ссылки
- https://github.com/keylime/keylime/security/advisories/GHSA-9jxq-5x44-gx23
- https://nvd.nist.gov/vuln/detail/CVE-2025-1057
- https://github.com/keylime/keylime/commit/e08b10d86c3717006774e787542c190e2ba24fc7
- https://access.redhat.com/security/cve/CVE-2025-1057
- https://bugzilla.redhat.com/show_bug.cgi?id=2343894
Пакеты
keylime
= 7.12.0
7.12.1
Связанные уязвимости
A flaw was found in Keylime, a remote attestation solution, where strict type checking introduced in version 7.12.0 prevents the registrar from reading database entries created by previous versions, for example, 7.11.0. Specifically, older versions store agent registration data as bytes, whereas the updated registrar expects str. This issue leads to an exception when processing agent registration requests, causing the agent to fail.
A flaw was found in Keylime, a remote attestation solution, where strict type checking introduced in version 7.12.0 prevents the registrar from reading database entries created by previous versions, for example, 7.11.0. Specifically, older versions store agent registration data as bytes, whereas the updated registrar expects str. This issue leads to an exception when processing agent registration requests, causing the agent to fail.
A flaw was found in Keylime, a remote attestation solution, where strict type checking introduced in version 7.12.0 prevents the registrar from reading database entries created by previous versions, for example, 7.11.0. Specifically, older versions store agent registration data as bytes, whereas the updated registrar expects str. This issue leads to an exception when processing agent registration requests, causing the agent to fail.