ArchLinux: 202106-55: tpm2-tools: man-in-the-middle
Summary
A security issue was found in tpm2-tools before version 5.1.1. tpm2_import used a fixed AES key for the inner wrapper, potentially allowing a man-in-the-middle (MITM) attacker to unwrap the inner portion and reveal the key being imported.
Resolution
Upgrade to 5.1.1-1.
# pacman -Syu "tpm2-tools>=5.1.1-1"
The problem has been fixed upstream in version 5.1.1.
References
https://bugzilla.redhat.com/show_bug.cgi?id=1964427 https://github.com/tpm2-software/tpm2-tools/issues/2738 https://github.com/tpm2-software/tpm2-tools/pull/2739 https://github.com/tpm2-software/tpm2-tools/commit/47b3b6e6fffed7080a2f1ce7673207ea44823ef7 https://security.archlinux.org/CVE-2021-3565
Workaround
None.