blob: d303f4104b2d504b3cb6ecd1d0277b296bd7f890 [file] [log] [blame]
id: GO-2022-0294
modules:
- module: github.com/google/go-attestation
versions:
- fixed: 0.4.0
vulnerable_at: 0.3.2
packages:
- package: github.com/google/go-attestation/attest
symbols:
- AKPublic.validate12Quote
- AKPublic.validate20Quote
derived_symbols:
- AKPublic.Verify
- TPM.AttestPlatform
summary: Improper input validation in github.com/google/go-attestation
description: |-
A local attacker can defeat remotely-attested measured boot.
Improper input validation in AKPublic.Verify can cause it to succeed when
provided with a maliciously-formed Quote over no/some PCRs. Subsequent use of
the same set of PCR values in Eventlog.Verify lacks the authentication performed
by quote verification, meaning a local attacker can couple this vulnerability
with a maliciously-formed TCG log in Eventlog.Verify to spoof events in the TCG
log, defeating remotely-attested measured-boot.
published: 2022-07-15T23:27:21Z
cves:
- CVE-2022-0317
ghsas:
- GHSA-99cg-575x-774p
credits:
- Nikki VonHollen
references:
- fix: https://github.com/google/go-attestation/commit/82f2c9c2c76e1d3691d17ee78116d1d93a123788