CVE-2021-4076

7.5 HIGH

📋 TL;DR

A vulnerability in tang (network-based cryptographic binding server) allows private key leakage through improper handling of cryptographic operations. This affects systems running tang servers, potentially exposing sensitive cryptographic material to attackers. Organizations using tang for disk encryption or secure boot scenarios are at risk.

💻 Affected Systems

Products:
  • tang
Versions: Versions prior to tang-10-2 (specifically before commit e82459fda10f0630c3414ed2afbc6320bb9ea7c9)
Operating Systems: Linux distributions including RHEL, Fedora, CentOS, and other distributions packaging tang
Default Config Vulnerable: ⚠️ Yes
Notes: Any tang server running affected versions is vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of encrypted data protected by tang, including disk encryption keys and secure boot chains, leading to data theft and system compromise.

🟠 Likely Case

Unauthorized access to private keys allowing decryption of data protected by tang, potentially exposing sensitive information.

🟢 If Mitigated

Limited impact with proper network segmentation and access controls, but still represents a significant cryptographic vulnerability.

🌐 Internet-Facing: HIGH - Tang servers exposed to internet could leak private keys to remote attackers.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could exploit this to access private keys.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability appears to be exploitable without authentication through normal tang protocol interactions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: tang-10-2 or later (includes commit e82459fda10f0630c3414ed2afbc6320bb9ea7c9)

Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=2029814

Restart Required: Yes

Instructions:

1. Update the tang package using your distribution's package manager.
2. For RHEL/CentOS: 'yum update tang'.
3. For Fedora: 'dnf update tang'.
4. Restart the tang service: 'systemctl restart tangd.socket'.

🔧 Temporary Workarounds

Network Isolation

Restrict network access to tang servers to only trusted clients. Replace TRUSTED_NETWORK with the client address range; the rich rule below only admits that source, so also make sure no broader rule in the zone (such as an unconditionally opened port 7500) still admits other clients.

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="TRUSTED_NETWORK" port port="7500" protocol="tcp" accept'
firewall-cmd --reload

🧯 If You Can't Patch

  • Isolate tang servers in separate network segments with strict access controls
  • Monitor tang server logs for unusual access patterns or key retrieval attempts

🔍 How to Verify

Check if Vulnerable:

Check the tang version: 'rpm -q tang' or 'dpkg -l | grep tang'. If the version is earlier than 10-2, the system is vulnerable.

Check Version:

rpm -q tang --queryformat '%{VERSION}-%{RELEASE}\n'

Verify Fix Applied:

Verify tang version is 10-2 or later and check that commit e82459fda10f0630c3414ed2afbc6320bb9ea7c9 is included in the build.
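The check above reduces to comparing the installed VERSION-RELEASE string against 10-2. The script below is an added example, not part of this advisory or of the tang project: it runs the rpm query shown above (the command name and queryformat are the page's; the package name tang is assumed to be what your distribution ships) and compares the result numerically, treating letters such as fc35 or el8 in the release as separators. One caveat: distributions that backport the fix into an older version string will show as vulnerable here, so confirm against the vendor advisory before acting on a version-only result.

```python
import re
import subprocess
from typing import List, Tuple

# Fixed upstream version-release named in the advisory (tang-10-2).
FIXED = "10-2"


def _numeric_parts(s: str) -> List[int]:
    """Reduce a version or release string to its integer components.
    '2.fc35' -> [2, 35]; letters such as 'el8' or 'fc35' act as separators,
    so only numeric ordering is compared."""
    return [int(x) for x in re.findall(r"\d+", s)]


def parse_version_release(vr: str) -> Tuple[List[int], List[int]]:
    """Split '<VERSION>-<RELEASE>' (the rpm --queryformat output above) into
    comparable integer lists. An rpm epoch prefix like '1:' is dropped and a
    missing release counts as 0."""
    vr = vr.strip()
    head = vr.split("-", 1)[0]
    if ":" in head:
        vr = vr.split(":", 1)[1]
    version, _, release = vr.partition("-")
    return _numeric_parts(version), (_numeric_parts(release) or [0])


def compare_vr(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b.
    Shorter lists are padded with zeros so that '10-2' equals '10-2.0'."""
    av, ar = parse_version_release(a)
    bv, br = parse_version_release(b)

    def cmp_lists(x: List[int], y: List[int]) -> int:
        n = max(len(x), len(y))
        x = x + [0] * (n - len(x))
        y = y + [0] * (n - len(y))
        return (x > y) - (x < y)

    c = cmp_lists(av, bv)
    return c if c != 0 else cmp_lists(ar, br)


def is_vulnerable(vr: str, fixed: str = FIXED) -> bool:
    """True when the installed version-release is older than the fixed one."""
    return compare_vr(vr, fixed) < 0


def installed_version_release() -> str:
    """Run the rpm query from the advisory and return its trimmed output.
    Raises CalledProcessError when the package is not installed."""
    out = subprocess.run(
        ["rpm", "-q", "tang", "--queryformat", "%{VERSION}-%{RELEASE}\n"],
        capture_output=True, text=True, check=True,
    )
    return out.stdout.strip()


if __name__ == "__main__":
    try:
        installed = installed_version_release()
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        raise SystemExit(f"could not query tang with rpm: {exc}")
    verdict = "VULNERABLE (by version)" if is_vulnerable(installed) else "fixed (by version)"
    print(f"tang {installed}: {verdict}")
```

The Debian form from 'dpkg -l | grep tang' uses the same VERSION-RELEASE shape and can be passed to is_vulnerable() directly.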

📡 Detection & Monitoring

Log Indicators:

  • Unusual frequency of key advertisement requests
  • Access from unexpected IP addresses to tang port 7500

Network Indicators:

  • Excessive traffic to tang port 7500 from single source
  • Pattern of repeated key retrieval requests

SIEM Query:

source="tang" AND (event="advertise" OR event="recrypt") | stats count by src_ip | where count > threshold
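The indicators and the SIEM query above amount to two checks: a per-source count of key-related requests over a threshold, and requests from addresses outside the expected client range. The script below is an added example, not part of this advisory or of tang's own tooling, and the log format it parses is constructed for the example (one request per line with src_ip and event fields named after the query's fields; tang itself logs through systemd, so adapt the regex to your collector's format). The trusted network 10.0.1.0/24 and the threshold of 3 are assumptions to replace with your own values.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List

# Constructed sample log for this example, not tang's real log output.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z src_ip=10.0.1.15 event=advertise status=200
2024-01-01T10:00:02Z src_ip=10.0.1.15 event=recrypt status=200
2024-01-01T10:00:05Z src_ip=10.0.1.22 event=advertise status=200
2024-01-01T10:01:00Z src_ip=203.0.113.9 event=advertise status=200
2024-01-01T10:01:01Z src_ip=203.0.113.9 event=advertise status=200
2024-01-01T10:01:01Z src_ip=203.0.113.9 event=recrypt status=200
2024-01-01T10:01:02Z src_ip=203.0.113.9 event=recrypt status=200
2024-01-01T10:01:03Z src_ip=203.0.113.9 event=recrypt status=200
2024-01-01T10:02:00Z src_ip=10.0.1.22 event=recrypt status=200
not a log line at all
"""

# Assumed trusted client network; set this to your real clevis client range.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.1.0/24")]

# The two event names used in the SIEM query above.
KEY_EVENTS = {"advertise", "recrypt"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+src_ip=(?P<src_ip>\S+)\s+event=(?P<event>\S+)")


def parse_lines(text: str) -> List[Dict[str, str]]:
    """Parse key=value log lines; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def count_key_events(records: List[Dict[str, str]]) -> Counter:
    """Count advertise/recrypt requests per source address
    (the 'stats count by src_ip' step of the query)."""
    return Counter(r["src_ip"] for r in records if r["event"] in KEY_EVENTS)


def is_trusted(src_ip: str, trusted=TRUSTED_NETWORKS) -> bool:
    """True when src_ip lies inside a trusted network; unparsable addresses
    are treated as untrusted so a malformed field is never silently accepted."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    return any(addr in net for net in trusted)


def find_suspicious(text: str, threshold: int = 3, trusted=TRUSTED_NETWORKS) -> Dict[str, List[str]]:
    """Map each flagged source to its reasons: 'volume' when its key-event count
    exceeds threshold (the 'where count > threshold' step), 'untrusted_source'
    when the address is outside the trusted networks."""
    counts = count_key_events(parse_lines(text))
    flagged: Dict[str, List[str]] = {}
    for src_ip, n in counts.items():
        reasons = []
        if n > threshold:
            reasons.append("volume")
        if not is_trusted(src_ip, trusted):
            reasons.append("untrusted_source")
        if reasons:
            flagged[src_ip] = reasons
    return flagged


if __name__ == "__main__":
    for src_ip, reasons in find_suspicious(SAMPLE_LOG).items():
        print(f"{src_ip}: {', '.join(reasons)}")
```

Run against the sample, only 203.0.113.9 is reported, for both reasons; the two trusted clients stay under the threshold. Tune the threshold to the normal unlock rate of your fleet, since a reboot storm from many legitimate clients will raise per-source counts too.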
