Keylime: registrar is subject to a DoS against SSL connections
Description
A flaw was found in Keylime. Due to their blocking nature, the Keylime registrar is subject to a remote denial of service against its SSL connections. This flaw allows an attacker to exhaust all available connections.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Keylime registrar is vulnerable to remote denial of service via exhausting SSL connections due to blocking connection handling.
Vulnerability
A flaw in Keylime's registrar component causes it to accept SSL connections in a blocking manner, allowing an attacker to exhaust all available connections by initiating multiple handshakes without completing them [1][2]. This leads to a denial of service (DoS) condition.
Exploitation
An unauthenticated attacker can exploit this remotely by sending a high volume of SSL connection requests to the registrar, which will hold the connections open until resources are depleted. No special privileges or network position are required [1].
Impact
Successful exploitation prevents legitimate clients from registering with the Keylime system, disrupting remote attestation and trust bootstrapping functionalities [4].
Mitigation
Red Hat has acknowledged the issue (CVE-2023-38200) and it is tracked in Bugzilla [4]. As of the advisory, no patch is available; users should monitor the Keylime project [3] for updates and apply them when released.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| keylime (PyPI) | < 7.4.0 | 7.4.0 |
Affected products
- Red Hat / Red Hat Enterprise Linux 9 (cpe:/a:redhat:enterprise_linux:9::appstream), range: 0:6.5.2-6.el9_2
- GHSA coordinates (12 package versions, no CPE assigned):

| Package URL | CPE | Range |
|---|---|---|
| pkg:pypi/keylime | (no CPE) | < 7.4.0 |
| pkg:rpm/almalinux/keylime | (no CPE) | < 6.5.2-6.el9_2.alma.1 |
| pkg:rpm/almalinux/keylime-base | (no CPE) | < 6.5.2-6.el9_2.alma.1 |
| pkg:rpm/almalinux/keylime-registrar | (no CPE) | < 6.5.2-6.el9_2.alma.1 |
| pkg:rpm/almalinux/keylime-selinux | (no CPE) | < 6.5.2-6.el9_2.alma.1 |
| pkg:rpm/almalinux/keylime-tenant | (no CPE) | < 6.5.2-6.el9_2.alma.1 |
| pkg:rpm/almalinux/keylime-verifier | (no CPE) | < 6.5.2-6.el9_2.alma.1 |
| pkg:rpm/almalinux/python3-keylime | (no CPE) | < 6.5.2-6.el9_2.alma.1 |
| pkg:rpm/opensuse/keylime&distro=openSUSE%20Leap%2015.4 | (no CPE) | < 6.3.2-150400.4.17.1 |
| pkg:rpm/opensuse/keylime&distro=openSUSE%20Leap%2015.5 | (no CPE) | < 6.3.2-150400.4.17.1 |
| pkg:rpm/suse/keylime&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4 | (no CPE) | < 6.3.2-150400.4.17.1 |
| pkg:rpm/suse/keylime&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5 | (no CPE) | < 6.3.2-150400.4.17.1 |
Patches
- c68d8f0b7ea5: Extend Registrar SSL socket to be non-blocking
  1 file changed · +20 −1
keylime/registrar_common.py+20 −1 modified@@ -4,6 +4,7 @@ import os import signal import socket +import ssl import sys import threading from http.server import BaseHTTPRequestHandler, HTTPServer @@ -77,6 +78,24 @@ def _validate_input( class ProtectedHandler(BaseHandler): + def handle(self) -> None: + """ Need to perform SSL handshake here, as do_handshake_on_connect=False for non-blocking SSL socket """ + while True: + try: + self.request.do_handshake() + break + except ssl.SSLWantReadError: + select.select([sock], [], []) + except ssl.SSLWantWriteError: + select.select([], [sock], []) + except ssl.SSLError as e: + logger.error("SSL connection error: %s", e) + return + except Exception as e: + logger.error("General communication failure: %s", e) + return + BaseHTTPRequestHandler.handle(self) + def do_HEAD(self) -> None: """HEAD not supported""" web_util.echo_json_response(self, 405, "HEAD not supported") @@ -483,7 +502,7 @@ def start(host: str, tlsport: int, port: int) -> None: protected_server = RegistrarServer((host, tlsport), ProtectedHandler) context = web_util.init_mtls("registrar", logger=logger) if context is not None: - protected_server.socket = context.wrap_socket(protected_server.socket, server_side=True) + protected_server.socket = context.wrap_socket(protected_server.socket, server_side=True, do_handshake_on_connect=False) thread_protected_server = threading.Thread(target=protected_server.serve_forever) # Set up the unprotected registrar server
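Review bot: the import hunk adds `import ssl` but not `import select`, while the new `handle()` added later in this diff calls `select.select(...)` in both the `SSLWantReadError` and `SSLWantWriteError` branches; unless `select` is already imported elsewhere in the module (not visible in this diff), the first time either branch runs it fails with a `NameError` rather than waiting for the socket. Add `import select` next to `import ssl`.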
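Review bot: in the new `handle()`, `select.select([sock], [], [])` and `select.select([], [sock], [])` reference a name `sock` that is never bound in the method; the accepted connection is `self.request` (the same object `do_handshake()` is called on), so these lines should read `select.select([self.request], [], [])` and `select.select([], [self.request], [])`. As written, the `NameError` is raised inside an `except` block and therefore escapes the whole `try`, so neither the `ssl.SSLError` nor the `Exception` clause logs it and the handler dies with an unhandled error. Separately, from a denial-of-service standpoint the `while True` loop has no deadline: `select.select` is called without a timeout, so a peer that stops mid-handshake keeps this handler waiting indefinitely; pass a timeout to `select.select` (or call `self.request.settimeout(...)` before the loop) and return when it expires. Minor: the docstring has stray spaces inside its quotes, and `BaseHTTPRequestHandler.handle(self)` bypasses `BaseHandler.handle` should that class ever override it; `super().handle()` is the conventional call.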
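Review bot: `do_handshake_on_connect=False` moves the TLS handshake out of the server's `accept()` path and into the per-connection handler, which is what addresses the blocking described in the advisory, but it does not by itself make the accepted socket non-blocking: `SSLWantReadError` and `SSLWantWriteError` are only raised for non-blocking sockets, so unless `setblocking(False)` or `settimeout()` is applied to the accepted socket somewhere outside this diff, `self.request.do_handshake()` in the new `handle()` will simply block for as long as the peer stalls and the `select` branches are dead code. Either point to where the socket is switched to non-blocking mode or set a per-connection timeout at the top of `handle()`, and consider adjusting the commit title, which promises a non-blocking socket, to match what the diff actually does.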
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- access.redhat.com/errata/RHSA-2023:5080 (mitre; vendor-advisory, x_refsource_REDHAT)
- github.com/advisories/GHSA-pg75-v6fp-8q59 (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-38200 (ghsa; ADVISORY)
- access.redhat.com/security/cve/CVE-2023-38200 (ghsa; vdb-entry, x_refsource_REDHAT, WEB)
- bugzilla.redhat.com/show_bug.cgi (ghsa; issue-tracking, x_refsource_REDHAT, WEB)
- github.com/keylime/keylime/commit/c68d8f0b7ea549c12b6956ab0f3c28ae0360ae17 (ghsa; WEB)
- github.com/keylime/keylime/pull/1421 (ghsa; WEB)
- github.com/keylime/keylime/releases/tag/v7.4.0 (ghsa; WEB)
- github.com/keylime/keylime/security/advisories/GHSA-pg75-v6fp-8q59 (ghsa; WEB)
News mentions
No linked articles in our index yet.