CVE-2025-1057
📋 TL;DR
A type compatibility issue in Keylime version 7.12.0 prevents the registrar from reading agent registration data stored by older versions (such as 7.11.0), causing agent registration failures. This affects systems running Keylime 7.12.0 that have existing agent registrations from previous versions. The vulnerability disrupts remote attestation functionality but does not allow unauthorized access.
💻 Affected Systems
- Keylime
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete disruption of remote attestation services, preventing new agents from registering and potentially breaking existing attestation workflows, leading to security monitoring gaps.
Likely Case
Agent registration failures when upgrading from Keylime 7.11.0 (or earlier) to 7.12.0, requiring manual intervention to restore functionality.
If Mitigated
Minimal impact if systems are upgraded cleanly without preserving old database entries, or if workarounds are applied before upgrade.
🎯 Exploit Status
This is a compatibility bug, not an exploit. The 'exploitation' occurs naturally when upgrading without proper migration procedures.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.12.1 or later
Vendor Advisory: https://access.redhat.com/security/cve/CVE-2025-1057
Restart Required: Yes
Instructions:
1. Back up your Keylime database.
2. Upgrade to Keylime 7.12.1 or later using your package manager.
3. Restart the registrar service.
4. Verify that agent registrations are functioning properly.
🔧 Temporary Workarounds
Database migration before upgrade
Convert existing agent registration data from bytes to string format before upgrading to 7.12.0
# Backup database first
# Use Keylime migration tools if available
# Consult Keylime documentation for specific migration steps
Clean database reinitialization
Clear existing agent registrations and re-register all agents after upgrade
sudo systemctl stop keylime_registrar
sudo rm -f /var/lib/keylime/registrar.sqlite
sudo systemctl start keylime_registrar
# Re-register all agents
🧯 If You Can't Patch
- Do not upgrade to Keylime 7.12.0; remain on 7.11.0 or earlier until you can apply proper migration procedures
- Implement manual agent re-registration procedures if already upgraded to 7.12.0
🔍 How to Verify
Check if Vulnerable:
Check if Keylime version is 7.12.0 AND you have existing agent registrations from previous versions. Check registrar logs for type conversion errors.
Check Version:
keylime_verifier --version 2>/dev/null | head -1 || keylime_agent --version 2>/dev/null | head -1 || rpm -q keylime || dpkg -l | grep keylime
Verify Fix Applied:
After upgrading to 7.12.1+, verify that agent registration requests succeed and no type conversion errors appear in logs.
📡 Detection & Monitoring
Log Indicators:
- TypeError: expected str, bytes-like object found
- Agent registration failed due to type mismatch
- Registrar throwing exceptions during agent processing
Network Indicators:
- Failed agent registration requests to registrar port 8890/8891
- Increased failed connection attempts from agents
SIEM Query:
source="keylime_registrar.log" AND ("TypeError" OR "type mismatch" OR "registration failed")
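An added example (not from this advisory or from the Keylime project) that applies the version rule and the log indicators above to constructed sample registrar log lines; the log format and agent IDs are invented for illustration:

```python
import re

# Log indicators listed in the advisory, matched case-insensitively.
INDICATORS = (
    r"TypeError: expected str, bytes-like object found",
    r"registration failed due to type mismatch",
    r"type mismatch",
    r"registration failed",
)
PATTERN = re.compile("|".join(INDICATORS), re.IGNORECASE)

# Constructed sample lines; the real registrar log format may differ.
SAMPLE_LOG = """\
2025-02-10 10:01:02 - keylime.registrar - INFO - Agent 1a2b3c registered
2025-02-10 10:01:05 - keylime.registrar - ERROR - TypeError: expected str, bytes-like object found
2025-02-10 10:01:05 - keylime.registrar - ERROR - Agent registration failed due to type mismatch
2025-02-10 10:02:00 - keylime.registrar - INFO - Agent 4d5e6f registered
"""


def scan_registrar_log(log_text):
    """Return (line_number, line) for every line matching an indicator."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        if PATTERN.search(line):
            hits.append((number, line))
    return hits


def parse_version(version):
    """Turn '7.12.0' or '7.12.0-1.el9' into a numeric tuple like (7, 12, 0)."""
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def is_affected_version(version):
    """Only the 7.12.0 release is affected; 7.12.1 and later carry the fix."""
    return (7, 12, 0) <= parse_version(version) < (7, 12, 1)


if __name__ == "__main__":
    print("affected:", is_affected_version("7.12.0"))
    for number, line in scan_registrar_log(SAMPLE_LOG):
        print(f"line {number}: {line}")
```

Feed the real registrar log to scan_registrar_log and the installed package version (from the version check above) to is_affected_version; two or more indicator hits on an affected version point at the upgrade compatibility failure rather than a network problem.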