CVE-2022-1053
📋 TL;DR
This vulnerability in Keylime allows an attacker to bypass TPM-based hardware attestation by using mismatched attestation key (AK) and endorsement key (EK) pairs. Attackers can present a real TPM's EK for initial validation but then use a software TPM's AK for integrity checks, breaking the entire chain of trust. This affects any system using Keylime for remote attestation without proper validation of registrar data consistency.
💻 Affected Systems
- Keylime
📦 What is this software?
Fedora by Fedoraproject
Keylime by Keylime
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of remote attestation system allowing attackers to spoof trusted hardware attestation, potentially enabling supply chain attacks, unauthorized access to secure systems, and bypassing hardware-based security controls.
Likely Case
Attacker gains ability to present untrusted systems as trusted hardware, potentially allowing unauthorized access to cloud infrastructure, container environments, or secure boot processes relying on Keylime attestation.
If Mitigated
With proper network segmentation and additional authentication layers, impact limited to specific attestation systems, though chain of trust remains broken for affected components.
🎯 Exploit Status
Exploitation requires ability to interact with Keylime agent registration process and access to both hardware and software TPM components. The advisory provides technical details but no public exploit code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit bd5de712acdd77860e7dc58969181e16c7a8dc5d and later
Vendor Advisory: https://github.com/keylime/keylime/security/advisories/GHSA-jf66-3q76-h5p5
Restart Required: Yes
Instructions:
1. Update Keylime to a version containing commit bd5de712acdd77860e7dc58969181e16c7a8dc5d or later.
2. Restart all Keylime services (verifier, registrar, tenant).
3. Re-register all agents with the updated system.
🔧 Temporary Workarounds
Disable agent auto-registration
Manually validate and register agents instead of relying on automatic registration, so that each agent's AK/EK pair is checked for consistency before it is trusted.
🧯 If You Can't Patch
- Implement network segmentation to isolate Keylime components from untrusted networks
- Add additional authentication/authorization layers before granting access based on Keylime attestation results
🔍 How to Verify
Check if Vulnerable:
Check the Keylime version: any build that predates commit bd5de712acdd77860e7dc58969181e16c7a8dc5d is vulnerable.
Check Version:
git log --oneline -1 (in Keylime source directory) or check package version
Verify Fix Applied:
Verify Keylime installation includes commit bd5de712acdd77860e7dc58969181e16c7a8dc5d and test agent registration with mismatched AK/EK pairs (should fail)
📡 Detection & Monitoring
Log Indicators:
- Multiple registration attempts from same agent with different AK values
- Agent registration success without proper regcount validation
Network Indicators:
- Unusual TPM attestation traffic patterns
- Multiple AK presentations from single endpoint
SIEM Query:
source="keylime" AND ("agent registration" OR "attestation") AND (ak_changed OR regcount!=1)
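A worked form of the two log indicators above, added here as an example rather than code from Keylime itself. The registrar log line format and the sample lines are constructed for this example (Keylime's real log layout differs); the script flags an agent that re-registers the same EK with a different AK, and any registration accepted with a regcount other than 1.

```python
import re
from collections import defaultdict

# Constructed sample registrar log lines. The field layout is an assumption
# made for this example, not Keylime's actual log format.
SAMPLE_LOG = """\
registrar agent=aaaa-1 ek_hash=e1 ak=AK_hw regcount=1 status=registered
registrar agent=bbbb-2 ek_hash=e2 ak=AK_hw2 regcount=1 status=registered
registrar agent=aaaa-1 ek_hash=e1 ak=AK_sw regcount=2 status=registered
registrar agent=cccc-3 ek_hash=e3 ak=AK_hw3 regcount=3 status=registered
"""

LINE_RE = re.compile(
    r"agent=(?P<agent>\S+) ek_hash=(?P<ek>\S+) ak=(?P<ak>\S+) regcount=(?P<regcount>\d+)"
)


def parse_registrations(text):
    """Parse log text into (agent, ek_hash, ak, regcount) tuples; unparsable lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            out.append((m["agent"], m["ek"], m["ak"], int(m["regcount"])))
    return out


def find_suspicious_agents(text):
    """Return {agent: [reasons]} for agents matching the page's log indicators:
    - the same agent/EK pair registering with an AK different from its first one
    - a registration accepted with regcount != 1
    """
    first_ak = {}                      # (agent, ek_hash) -> AK seen on first registration
    findings = defaultdict(list)
    for agent, ek, ak, regcount in parse_registrations(text):
        prev = first_ak.setdefault((agent, ek), ak)
        if prev != ak:
            findings[agent].append(f"AK changed {prev} -> {ak} for same EK {ek}")
        if regcount != 1:
            findings[agent].append(f"regcount={regcount} (expected 1)")
    return dict(findings)


if __name__ == "__main__":
    for agent, reasons in find_suspicious_agents(SAMPLE_LOG).items():
        print(agent, reasons)
```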
🔗 References
- https://bugzilla.redhat.com/show_bug.cgi?id=2065024
- https://github.com/keylime/keylime/commit/bd5de712acdd77860e7dc58969181e16c7a8dc5d
- https://github.com/keylime/keylime/security/advisories/GHSA-jf66-3q76-h5p5
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A7WAKVXM7L5D2DUACV6EHA6EJNAX2GVL/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RF6QHU4UGSBATC3HOOE7OP66CYVTR7CV/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WEW2PAXO5YGLDLPG45YV2OPLJXJSCECQ/