ArchLinux: 202106-55: tpm2-tools: man-in-the-middle | LinuxSecurity...
Arch Linux Security Advisory ASA-202106-55
==========================================

Severity: Low
Date    : 2021-06-22
CVE-ID  : CVE-2021-3565
Package : tpm2-tools
Type    : man-in-the-middle
Remote  : No
Link    : https://security.archlinux.org/AVG-1986

Summary
=======

The package tpm2-tools before version 5.1.1-1 is vulnerable to man-in-
the-middle.

Resolution
==========

Upgrade to 5.1.1-1.

# pacman -Syu "tpm2-tools>=5.1.1-1"

The problem has been fixed upstream in version 5.1.1.

Workaround
==========

None.

Description
===========

A security issue was found in tpm2-tools before version 5.1.1.
tpm2_import used a fixed AES key for the inner wrapper, potentially
allowing a man-in-the-middle (MITM) attacker to unwrap the inner
portion and reveal the key being imported.

Impact
======

A local attacker could disclose the secret portion of a key while it is
being imported into the TPM.

References
==========

https://bugzilla.redhat.com/show_bug.cgi?id=1964427
https://github.com/tpm2-software/tpm2-tools/issues/2738
https://github.com/tpm2-software/tpm2-tools/pull/2739
https://github.com/tpm2-software/tpm2-tools/commit/47b3b6e6fffed7080a2f1ce7673207ea44823ef7
https://security.archlinux.org/CVE-2021-3565

ArchLinux: 202106-55: tpm2-tools: man-in-the-middle

June 24, 2021

Summary

A security issue was found in tpm2-tools before version 5.1.1. tpm2_import used a fixed AES key for the inner wrapper, potentially allowing a man-in-the-middle (MITM) attacker to unwrap the inner portion and reveal the key being imported.

Resolution

Upgrade to 5.1.1-1.
# pacman -Syu "tpm2-tools>=5.1.1-1"
The problem has been fixed upstream in version 5.1.1.

References

https://bugzilla.redhat.com/show_bug.cgi?id=1964427 https://github.com/tpm2-software/tpm2-tools/issues/2738 https://github.com/tpm2-software/tpm2-tools/pull/2739 https://github.com/tpm2-software/tpm2-tools/commit/47b3b6e6fffed7080a2f1ce7673207ea44823ef7 https://security.archlinux.org/CVE-2021-3565

Severity
CVE-ID : CVE-2021-3565
Package : tpm2-tools
Type : man-in-the-middle
Remote : No
Link : https://security.archlinux.org/AVG-1986

Impact

A local attacker could disclose the secret portion of a key while it is being imported into the TPM.

Workaround

None.

Related News

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.