CVE-2023-43635

8.8 HIGH

📋 TL;DR

This vulnerability in EVE OS's measured boot mechanism allows attackers to bypass TPM-based encryption of the sensitive 'vault' directory. The system incorrectly seals encryption keys using insecure SHA1 PCRs instead of SHA256 PCRs, enabling unauthorized access to protected data. This affects systems running vulnerable versions of EVE OS with measured boot enabled.

💻 Affected Systems

Products:
  • EVE OS
Versions: Versions prior to fix (specific version unknown from provided data)
Operating Systems: EVE OS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems with measured boot mechanism enabled. Machines with SHA1 PCRs disabled may have completely unprotected vaults.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the encrypted vault directory, exposing all sensitive system data including credentials, certificates, and configuration secrets to attackers.

🟠 Likely Case

Unauthorized access to encrypted vault contents, potentially leading to credential theft, configuration tampering, and system compromise.

🟢 If Mitigated

Limited impact if vault contains minimal sensitive data or if additional encryption layers protect critical information.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires physical or administrative access to the system to interact with TPM and vault mechanisms.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown from provided references

Vendor Advisory: https://asrg.io/security-advisories/cve-2023-43635/

Restart Required: Yes

Instructions:

1. Check the vendor advisory for the patched version.
2. Update EVE OS to the patched version.
3. Reboot the system to apply the changes.
4. Re-seal the vault keys with SHA256 PCRs.

🔧 Temporary Workarounds

Disable measured boot

Platform: linux

Temporarily disable the measured boot mechanism to prevent use of vulnerable PCR sealing

Specific commands unavailable from provided data

Enable SHA256 PCRs

Platform: linux

Ensure SHA256 PCRs are enabled in TPM configuration

tpm2_pcrread sha256
tpm2_pcrextend <pcr-index>:sha256=<hex-digest>   # tpm2_pcrextend takes a PCR index and digest; placeholders shown

🧯 If You Can't Patch

  • Isolate affected systems from sensitive networks
  • Implement additional encryption layer for vault contents

🔍 How to Verify

Check if Vulnerable:

Check if vault keys are sealed with SHA1 PCRs instead of SHA256 PCRs in TPM configuration

Check Version:

eve-version or check OS version through vendor tools

Verify Fix Applied:

Verify vault keys are now sealed using SHA256 PCRs and cannot be unsealed with SHA1 PCRs

📡 Detection & Monitoring

Log Indicators:

  • Failed vault decryption attempts
  • TPM PCR extension events using SHA1

Network Indicators:

  • Unusual access patterns to vault directory

SIEM Query:

Search for TPM events with PCR operations using SHA1 algorithm

🔗 References