CVE-2023-38200
📋 TL;DR
This vulnerability in Keylime's registrar component allows remote attackers to cause a denial of service by exhausting all available SSL connections due to their blocking nature. It affects systems running vulnerable versions of Keylime, particularly those with internet-facing registrar services.
💻 Affected Systems
- Keylime
📦 What is this software?
- Enterprise Linux For Ibm Z Systems by Redhat
- Enterprise Linux For Ibm Z Systems Eus by Redhat
- Enterprise Linux For Power Little Endian by Redhat
- Enterprise Linux For Power Little Endian Eus by Redhat
- Fedora by Fedoraproject
- Keylime by Keylime
⚠️ Risk & Real-World Impact
Worst Case
Complete unavailability of Keylime registrar service, disrupting attestation and provisioning capabilities for managed systems.
Likely Case
Service degradation or temporary unavailability of the registrar component under attack.
If Mitigated
Minimal impact if connections are rate-limited or the service is not internet-facing.
🎯 Exploit Status
Simple connection exhaustion attack requiring no authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.5.0
Vendor Advisory: https://access.redhat.com/errata/RHSA-2023:5080
Restart Required: Yes
Instructions:
1. Update Keylime to version 7.5.0 or later.
2. Restart the Keylime registrar service.
3. Verify the service is running correctly.
🔧 Temporary Workarounds
Rate limit connections
Linux: implement connection rate limiting at the network or application level.
# Use iptables to limit concurrent connections per source IP to the registrar port (8890).
# The rule is appended with -A, so it must come before any earlier blanket ACCEPT rule for the port to take effect.
iptables -A INPUT -p tcp --dport 8890 -m connlimit --connlimit-above 10 -j REJECT
Restrict network access
Linux: limit registrar access to trusted networks only.
# Configure the firewall to allow only specific source networks; trusted_network is a placeholder for the CIDR (e.g. 10.0.0.0/24) of the hosts that must reach the registrar.
iptables -A INPUT -p tcp --dport 8890 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 8890 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation and limit registrar access to required systems only
- Deploy a reverse proxy with connection limiting and DDoS protection capabilities
🔍 How to Verify
Check if Vulnerable:
Check Keylime version: keylime_verifier --version or rpm -q keylime
Check Version:
keylime_verifier --version || rpm -q keylime || pip show keylime
Verify Fix Applied:
Verify version is 7.5.0 or later and test registrar connectivity under load
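The version check above has to cope with whatever string the package tooling prints (an rpm name such as keylime-7.3.0-8.el9.noarch, or a bare 7.10.1), and a naive string comparison gets 7.10.0 versus 7.5.0 wrong. The following helper is an added example, not part of the advisory or of Keylime itself; it extracts the first dotted version and compares it numerically against the 7.5.0 fix version named above. Note that a distribution may backport the fix without changing the upstream version number, so for packaged installs the distro advisory (RHSA-2023:5080 for Red Hat) is the authoritative check.

```python
"""Compare a Keylime version string against the first fixed release (7.5.0)."""
import re

FIXED_VERSION = (7, 5, 0)  # first release containing the fix, per the advisory

# Constructed sample outputs of the kind `rpm -q keylime` or `pip show keylime` print.
SAMPLE_OUTPUTS = [
    "keylime-7.3.0-8.el9.noarch",
    "Version: 7.5.0",
    "7.10.1",
]


def parse_version(text):
    """Return the first dotted version in `text` as an int tuple (major, minor, patch).

    A two-component version such as '7.4' is treated as 7.4.0. Release suffixes
    after the version (e.g. '-8.el9.noarch') are ignored.
    """
    match = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable_version(text):
    """True when the version in `text` is older than the fixed release."""
    return parse_version(text) < FIXED_VERSION


def summarize(outputs):
    """Map each raw version string to 'vulnerable' or 'fixed' for reporting."""
    return {
        raw: ("vulnerable" if is_vulnerable_version(raw) else "fixed")
        for raw in outputs
    }


if __name__ == "__main__":
    for raw, status in summarize(SAMPLE_OUTPUTS).items():
        print(f"{raw:35} -> {status}")
```

Tuple comparison is what makes 7.10.x sort after 7.5.0; comparing the raw strings would mark it as vulnerable.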
📡 Detection & Monitoring
Log Indicators:
- High number of connection attempts in Keylime logs
- Error messages about connection limits or timeouts
Network Indicators:
- Unusual high volume of TCP connections to port 8890
- Multiple connection attempts from single IPs
SIEM Query:
source="keylime.log" AND ("connection refused" OR "too many connections" OR "timeout")
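The network indicators above (many TCP connections to port 8890, several from the same source) can be checked on the registrar host itself from `ss -tn` output. The script below is an added example and not part of the advisory or of Keylime; it parses socket lines in the layout `ss -tn` prints, counts established and half-open connections to the registrar port per peer address (IPv4 and bracketed IPv6), and reports the sources above a chosen limit. The sample output embedded in it is constructed; the port 8890 and the per-IP limit of 10 mirror the iptables workaround on this page.

```python
"""Count connections to the Keylime registrar port per source, from `ss -tn` output."""
import subprocess
from collections import Counter

REGISTRAR_PORT = 8890          # default Keylime registrar port, as used on this page
DEFAULT_LIMIT = 10             # matches the connlimit threshold in the workaround
COUNTED_STATES = ("ESTAB", "SYN-RECV")  # open and half-open connections

# Constructed sample in the column layout of `ss -tn` (State Recv-Q Send-Q Local Peer).
SAMPLE_SS_OUTPUT = """\
State     Recv-Q Send-Q Local Address:Port    Peer Address:Port
ESTAB     0      0      10.0.0.5:8890         192.0.2.10:51234
ESTAB     0      0      10.0.0.5:8890         192.0.2.10:51235
SYN-RECV  0      0      10.0.0.5:8890         192.0.2.10:51236
ESTAB     0      0      10.0.0.5:8890         198.51.100.7:40001
ESTAB     0      0      10.0.0.5:22           203.0.113.9:60000
ESTAB     0      0      [2001:db8::5]:8890    [2001:db8::99]:55555
"""


def split_host_port(endpoint):
    """Split 'host:port' or '[v6addr]:port' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def count_peers_on_port(ss_output, port=REGISTRAR_PORT, states=COUNTED_STATES):
    """Return a Counter of peer address -> number of connections to `port`.

    Lines whose first field is not one of `states` (including the header) are skipped.
    """
    counts = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in states:
            continue
        _, local_port = split_host_port(fields[3])
        if local_port != port:
            continue
        peer_host, _ = split_host_port(fields[4])
        counts[peer_host] += 1
    return counts


def sources_over_limit(counts, limit=DEFAULT_LIMIT):
    """Sorted list of peer addresses holding more than `limit` connections."""
    return sorted(host for host, n in counts.items() if n > limit)


def live_ss_output():
    """Run `ss -tn` on the local host (not used by the offline sample below)."""
    return subprocess.run(["ss", "-tn"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    counts = count_peers_on_port(SAMPLE_SS_OUTPUT)
    for host, n in counts.most_common():
        print(f"{host:20} {n} connection(s) to port {REGISTRAR_PORT}")
    print("over limit:", sources_over_limit(counts, limit=2))
```

Run against `live_ss_output()` instead of the sample to check a real host; the total of the counter is the "unusual high volume" indicator, and the over-limit list is the "multiple attempts from single IPs" indicator from the list above.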
🔗 References
- https://access.redhat.com/errata/RHSA-2023:5080
- https://access.redhat.com/security/cve/CVE-2023-38200
- https://bugzilla.redhat.com/show_bug.cgi?id=2222692
- https://github.com/keylime/keylime/pull/1421
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZIZZB5NHNCS5D2AEH3ZAO6OQC72IK7WS/