DMTF-2023-0001: SPDM mutual authentication bypass #2005

Closed
jyao1 opened this issue May 1, 2023 · 0 comments · Fixed by #2006

jyao1 commented May 1, 2023

A vulnerability has been identified in SPDM session establishment.
If a device supports both DHE session and PSK session with mutual
authentication, the attacker may be able to establish the session with
KEY_EXCHANGE and PSK_FINISH to bypass the mutual authentication. This
is most likely to happen when the Requester begins a session using
one method (DHE, for example) and then uses the other method's finish
(PSK_FINISH in this example) to establish the session. The session
hashes would be expected to fail in this case, but the condition was
not detected.

Impacted Function:

This issue only impacts the SPDM responder, which supports KEY_EX_CAP=1 and
PSK_CAP=10b at the same time with mutual authentication requirement.
The SPDM requester is not impacted.
The SPDM responder is not impacted if KEY_EX_CAP=0 or PSK_CAP=0 or PSK_CAP=01b.
The SPDM responder is not impacted if mutual authentication is not required.

Severity scoring:

CVSS: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H - 9.0
Severity: Critical

Acknowledgement:

This issue was reported on 20 March 2023 by Cas Cremers <cremers@cispa.de>,
together with Naska, Aurora <aurora.naska@cispa.de>;
Dax, Alexander <alexander.dax@cispa.de>.

Advisory:

GHSA-qw76-4v8p-xq9f
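
The check the issue above describes as missing, as an added sketch; it is not libspdm's code and not the fix in #2006. The request codes are the SPDM (DSP0274) values; the type and function names are hypothetical, and resetting the session on a mismatch is a design choice assumed here.

```c
#include <stdbool.h>
#include <stdint.h>

/* SPDM request codes (DSP0274). */
#define SPDM_KEY_EXCHANGE 0xE4
#define SPDM_FINISH       0xE5
#define SPDM_PSK_EXCHANGE 0xE6
#define SPDM_PSK_FINISH   0xE7

/* Hypothetical names for this sketch, not libspdm's API. */
typedef enum { SESS_NONE, SESS_HANDSHAKING, SESS_ESTABLISHED } sess_state_t;
typedef enum { KX_NONE, KX_DHE, KX_PSK } kx_method_t;

typedef struct {
    sess_state_t state;
    kx_method_t  method;   /* recorded when the session is opened */
} session_t;

/* Returns true if the responder accepts the request in its current state. */
bool responder_handle(session_t *s, uint8_t request_code)
{
    switch (request_code) {
    case SPDM_KEY_EXCHANGE:
    case SPDM_PSK_EXCHANGE:
        if (s->state != SESS_NONE) return false;
        s->method = (request_code == SPDM_KEY_EXCHANGE) ? KX_DHE : KX_PSK;
        s->state = SESS_HANDSHAKING;
        return true;
    case SPDM_FINISH:
    case SPDM_PSK_FINISH: {
        kx_method_t want = (request_code == SPDM_FINISH) ? KX_DHE : KX_PSK;
        if (s->state != SESS_HANDSHAKING || s->method != want) {
            /* Finish type does not match how the session was opened. */
            s->state = SESS_NONE;
            s->method = KX_NONE;
            return false;
        }
        /* A real responder verifies the finish HMAC (and, for FINISH with
         * mutual authentication, the Requester signature) before this. */
        s->state = SESS_ESTABLISHED;
        return true;
    }
    default:
        return false;
    }
}

int main(void)
{
    session_t s = { SESS_NONE, KX_NONE };
    responder_handle(&s, SPDM_KEY_EXCHANGE);
    /* The mixed sequence from the advisory must be rejected. */
    return responder_handle(&s, SPDM_PSK_FINISH) ? 1 : 0;
}
```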

jyao1 added a commit to jyao1/libspdm that referenced this issue May 1, 2023
Reference: DMTF-2023-0001

Fix: DMTF#2005

Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
steven-bellock added the bug and security labels May 1, 2023
steven-bellock added this to the Q1 2023 milestone May 1, 2023
jyao1 added a commit that referenced this issue May 2, 2023
Reference: DMTF-2023-0001

Fix: #2005

Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
jyao1 changed the title from "SPDM mutual authentication bypass" to "DMTF-2023-0001: SPDM mutual authentication bypass" May 2, 2023