CVE-2023-43633

{"id": "CVE-2023-43633", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.0}, {"type": "Secondary", "source": "cve@asrg.io", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.0}]}, "published": "2023-09-21T14:15:11.330", "references": [{"url": "https://asrg.io/security-advisories/cve-2023-43633/", "tags": ["Third Party Advisory"], "source": "cve@asrg.io"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-522"}]}, {"type": "Secondary", "source": "cve@asrg.io", "description": [{"lang": "en", "value": "CWE-522"}, {"lang": "en", "value": "CWE-922"}]}], "descriptions": [{"lang": "en", "value": "\nOn boot, the Pillar eve container checks for the existence and content of\n\u201c/config/GlobalConfig/global.json\u201d.\n\nIf the file exists, it overrides the existing configuration on the device on boot.\n\nThis allows an attacker to change the system\u2019s configuration, which also includes some\ndebug functions.\n\nThis could be used to unlock the ssh with custom \u201cauthorized_keys\u201d via the\n\u201cdebug.enable.ssh\u201d key, similar to the \u201cauthorized_keys\u201d finding that was noted before.\n\nOther usages include unlocking the usb to enable the keyboard via the \u201cdebug.enable.usb\u201d\nkey, allowing VNC access via the \u201capp.allow.vnc\u201d key, and more.\n\nAn attacker could easily enable these debug functionalities without triggering the \u201cmeasured\nboot\u201d mechanism implemented by EVE OS, and without marking the device as \u201cUUD\u201d\n(\u201cUnknown Update Detected\u201d).\nThis is because the \u201c/config\u201d partition is not protected by \u201cmeasured boot\u201d, it is mutable and it\nis not encrypted in any way.\n\n\n\n\n\nAn attacker can gain full control over the device without changing the PCR values, thereby not\ntriggering the \u201cmeasured boot\u201d mechanism, and having full access to the vault.\n\n\n\n\nNote:\n\nThis issue was partially fixed in these commits (after disclosure to Zededa), where the config\npartition measurement was added to PCR13:\n\n\u2022 aa3501d6c57206ced222c33aea15a9169d629141\n\n\u2022 5fef4d92e75838cc78010edaed5247dfbdae1889.\n\nThis issue was made viable in version 9.0.0 when the calculation was moved to PCR14 but it was not included in the measured boot."}, {"lang": "es", "value": "Al arrancar, el contenedor Pillar eve comprueba la existencia y el contenido de \u201c/config/GlobalConfig/global.json\u201d. Si el archivo existe, anula la configuraci\u00f3n existente en el dispositivo al arrancar. Esto permite a un atacante cambiar la configuraci\u00f3n del sistema, que tambi\u00e9n incluye algunas funciones de depuraci\u00f3n. Esto podr\u00eda usarse para desbloquear el ssh con \u201cclaves_autorizadas\u201d personalizadas a trav\u00e9s de la clave \u201cdebug.enable.ssh\u201d, similar al hallazgo de \u201cclaves_autorizadas\u201d que se se\u00f1al\u00f3 anteriormente. Otros usos incluyen desbloquear el USB para habilitar el teclado mediante la tecla \"\"debug.enable.usb\"\", permitir el acceso a VNC mediante la tecla \"\"app.allow.vnc\"\" y m\u00e1s. Un atacante podr\u00eda habilitar f\u00e1cilmente estas funcionalidades de depuraci\u00f3n sin activar el mecanismo de \"\"measured boot\"\" implementado por EVE OS y sin marcar el dispositivo como \"\"UUD\"\" (\"\"Actualizaci\u00f3n desconocida detectada\"\"). Esto se debe a que la partici\u00f3n \u201c/config\u201d no est\u00e1 protegida por \u201cmeasured boot\u201d, es mutable y no est\u00e1 cifrada de ninguna manera. Un atacante puede obtener control total sobre el dispositivo sin cambiar los valores de PCR, por lo que no activar\u00e1 el mecanismo de \"\"measured boot\"\" y tendr\u00e1 acceso completo a \"\"vault\"\". Nota: Este problema se solucion\u00f3 parcialmente en estos commits (despu\u00e9s de la divulgaci\u00f3n a Zededa), donde la medici\u00f3n de la partici\u00f3n de configuraci\u00f3n se agreg\u00f3 a PCR13: \n\u2022 aa3501d6c57206ced222c33aea15a9169d629141 \n\u2022 5fef4d92e75838cc78010edaed5247dfbdae1889. \nEste problema se hizo viable en la versi\u00f3n 9.0.0 cuando el c\u00e1lculo se traslad\u00f3 a PCR14, pero no se incluy\u00f3 en el \"\"measured boot\"\"."}], "lastModified": "2023-10-16T19:30:32.823", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:lfedge:eve:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "95D311A8-5FBD-49AF-AD11-8B78420BAEAE", "versionEndExcluding": "8.6.0"}, {"criteria": "cpe:2.3:o:lfedge:eve:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A3648A14-186C-4E6A-AA73-7D2F5C78019D", "versionEndExcluding": "9.5.0", "versionStartIncluding": "9.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@asrg.io"}