Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2021-3505

Опубликовано: 14 апр. 2020
Источник: redhat
CVSS3: 4

Описание

A flaw was found in libtpms in versions before 0.8.0. The TPM 2 implementation returns 2048 bit keys with ~1984 bit strength due to a bug in the TCG specification. The bug is in the key creation algorithm in RsaAdjustPrimeCandidate(), which is called before the prime number check. The highest threat from this vulnerability is to data confidentiality.

A flaw was found in libtpms. The TPM 2 implementation returns 2048 bit keys with ~1984 bit strength due to a bug in the TCG specification. The bug is in the key creation algorithm in RsaAdjustPrimeCandidate(), which is called before the prime number check. The highest threat from this vulnerability is to data confidentiality.

Отчет

Versions of libtpms prior to 0.8.0 generate weaker than expected TPM 2 RSA keys due to the flawed key creation algorithm. Red Hat Enterprise Linux 8 Advanced Virtualization is therefore affected by this flaw, as it ships an older version of the package (0.7.x).

Меры по смягчению последствий

There is no mitigation for this issue. Upgrading to a fixed release (0.8.0+) is necessary but not sufficient. The only way to fix it is to unseal all data, delete the old TPM state file, generate a new one with the fixed key generation algorithm, then reseal the data.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 8 Advanced Virtualizationvirt:8.2/libtpmsFix deferred
Red Hat Enterprise Linux 8 Advanced Virtualizationvirt:8.3/libtpmsFix deferred
Red Hat Enterprise Linux 8 Advanced Virtualizationvirt:av/libtpmsFix deferred
Red Hat Enterprise Linux 9libtpmsNot affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Low
Дефект:
CWE-331
https://bugzilla.redhat.com/show_bug.cgi?id=1950046libtpms: RSA keys weaker than expected

4 Medium

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2021-3505

CVSS3: 5.5
ubuntu
больше 4 лет назад

A flaw was found in libtpms in versions before 0.8.0. The TPM 2 implementation returns 2048 bit keys with ~1984 bit strength due to a bug in the TCG specification. The bug is in the key creation algorithm in RsaAdjustPrimeCandidate(), which is called before the prime number check. The highest threat from this vulnerability is to data confidentiality.

nvd логотип

CVE-2021-3505

CVSS3: 5.5
nvd
больше 4 лет назад

A flaw was found in libtpms in versions before 0.8.0. The TPM 2 implementation returns 2048 bit keys with ~1984 bit strength due to a bug in the TCG specification. The bug is in the key creation algorithm in RsaAdjustPrimeCandidate(), which is called before the prime number check. The highest threat from this vulnerability is to data confidentiality.

debian логотип

CVE-2021-3505

CVSS3: 5.5
debian
больше 4 лет назад

A flaw was found in libtpms in versions before 0.8.0. The TPM 2 implem ...

github логотип

GHSA-239j-gmhr-4pcm

github
около 3 лет назад

A flaw was found in libtpms in versions before 0.8.0. The TPM 2 implementation returns 2048 bit keys with ~1984 bit strength due to a bug in the TCG specification. The bug is in the key creation algorithm in RsaAdjustPrimeCandidate(), which is called before the prime number check. The highest threat from this vulnerability is to data confidentiality.

4 Medium

CVSS3