Impact
An improper input validation vulnerability in go-attestation before 0.3.3 allows local users to provide a maliciously-formed Quote over no/some PCRs, causing AKPublic.Verify to succeed despite the inconsistency. Subsequent use of the same set of PCR values in Eventlog.Verify lacks the authentication performed by quote verification, meaning a local attacker could couple this vulnerability with a maliciously-crafted TCG log in Eventlog.Verify to spoof events in the TCG log, hence defeating remotely-attested measured-boot.
Patches
This issue is resolved in version 0.4.0. If your usage of this library verifies PCRs using multiple quotes, make sure to use the new method AKPublic.VerifyAll() instead of AKPublic.Verify.
Impact
An improper input validation vulnerability in go-attestation before 0.3.3 allows local users to provide a maliciously-formed Quote over no/some PCRs, causing
AKPublic.Verifyto succeed despite the inconsistency. Subsequent use of the same set of PCR values inEventlog.Verifylacks the authentication performed by quote verification, meaning a local attacker could couple this vulnerability with a maliciously-crafted TCG log inEventlog.Verifyto spoof events in the TCG log, hence defeating remotely-attested measured-boot.Patches
This issue is resolved in version 0.4.0. If your usage of this library verifies PCRs using multiple quotes, make sure to use the new method
AKPublic.VerifyAll()instead ofAKPublic.Verify.