Keylime: challenge-response protocol bypass during agent registration
Description
A flaw was found in the Keylime registrar that could allow a bypass of the challenge-response protocol during agent registration. This issue may allow an attacker to impersonate an agent and hide the true status of a monitored machine if the fake agent is added to the verifier list by a legitimate user, resulting in a breach of the integrity of the registrar database.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Keylime registrar vulnerability allows challenge-response bypass during agent registration, enabling impersonation and integrity breach.
Vulnerability
Details
CVE-2023-38201 is a flaw in the Keylime registrar component that allows an attacker to bypass the challenge-response protocol during agent registration [1][2]. This bypass can be used to impersonate a legitimate agent, potentially hiding the true integrity status of a monitored machine [2].
Exploitation
Prerequisites
Exploitation requires network access to the registrar service. The attacker can register a fake agent, and if that agent is added to the verifier's list by a legitimate user, the attacker can disguise the actual state of the target machine [2]. Keylime consists of a verifier, registrar, and agent; the registrar acts as a database for agent public keys [3].
Impact
Successful exploitation leads to a breach of the registrar database integrity, allowing an attacker to hide the actual trust status of a remote machine [1][2]. This undermines the attestation process and could allow compromised machines to evade detection.
Mitigation
The vulnerability is fixed in Keylime version 6.5.2-6.el9_2 as part of Red Hat Security Advisory RHSA-2023:5080 [1]. Users should update to this patched version or later to mitigate the risk.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
keylimePyPI | < 7.5.0 | 7.5.0 |
Affected products
13- Red Hat/Red Hat Enterprise Linux 9v5cpe:/a:redhat:enterprise_linux:9::appstreamRange: 0:6.5.2-6.el9_2
- ghsa-coords12 versionspkg:pypi/keylimepkg:rpm/almalinux/keylimepkg:rpm/almalinux/keylime-basepkg:rpm/almalinux/keylime-registrarpkg:rpm/almalinux/keylime-selinuxpkg:rpm/almalinux/keylime-tenantpkg:rpm/almalinux/keylime-verifierpkg:rpm/almalinux/python3-keylimepkg:rpm/opensuse/keylime&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/keylime&distro=openSUSE%20Leap%2015.5pkg:rpm/suse/keylime&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4pkg:rpm/suse/keylime&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5
< 7.5.0+ 11 more
- (no CPE)range: < 7.5.0
- (no CPE)range: < 6.5.2-6.el9_2.alma.1
- (no CPE)range: < 6.5.2-6.el9_2.alma.1
- (no CPE)range: < 6.5.2-6.el9_2.alma.1
- (no CPE)range: < 6.5.2-6.el9_2.alma.1
- (no CPE)range: < 6.5.2-6.el9_2.alma.1
- (no CPE)range: < 6.5.2-6.el9_2.alma.1
- (no CPE)range: < 6.5.2-6.el9_2.alma.1
- (no CPE)range: < 6.3.2-150400.4.20.1
- (no CPE)range: < 6.3.2-150400.4.20.1
- (no CPE)range: < 6.3.2-150400.4.20.1
- (no CPE)range: < 6.3.2-150400.4.20.1
Patches
19e5ac9f25cd4Fix for CVE-2023-38201 (Security Advisory GHSA-f4r5-q63f-gcww)
1 file changed · +13 −2
keylime/registrar_common.py+13 −2 modified@@ -250,7 +250,9 @@ def get_network_params( try: port = int(port) if port < 1 or port > 65535: - logger.warning("Contact port for agent %s is not a number between 1 and got: %s.", agent_id, port) + logger.warning( + "Contact port for agent %s is not a number between 1 and 65535 got: %s.", agent_id, port + ) port = None except ValueError: logger.warning("Contact port for agent %s is not a valid number got: %s.", agent_id, port) @@ -447,7 +449,16 @@ def do_PUT(self) -> None: logger.error("SQLAlchemy Error: %s", e) raise else: - raise Exception(f"Auth tag {auth_tag} does not match expected value {ex_mac}") + if agent_id and session.query(RegistrarMain).filter_by(agent_id=agent_id).delete(): + try: + session.commit() + except SQLAlchemyError as e: + logger.error("SQLAlchemy Error: %s", e) + raise + + raise Exception( + f"Auth tag {auth_tag} for agent {agent_id} does not match expected value. The agent has been deleted from database, and a restart of it will be required" + ) web_util.echo_json_response(self, 200, "Success") logger.info("PUT activated: %s", agent_id)
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
9- access.redhat.com/errata/RHSA-2023:5080ghsavendor-advisoryx_refsource_REDHATWEB
- github.com/advisories/GHSA-f4r5-q63f-gcwwghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-38201ghsaADVISORY
- access.redhat.com/security/cve/CVE-2023-38201ghsavdb-entryx_refsource_REDHATWEB
- bugzilla.redhat.com/show_bug.cgighsaissue-trackingx_refsource_REDHATWEB
- github.com/keylime/keylime/commit/9e5ac9f25cd400b16d5969f531cee28290543f2aghsaWEB
- github.com/keylime/keylime/security/advisories/GHSA-f4r5-q63f-gcwwghsaWEB
- github.com/pypa/advisory-database/tree/main/vulns/keylime/PYSEC-2023-160.yamlghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZIZZB5NHNCS5D2AEH3ZAO6OQC72IK7WSghsaWEB
News mentions
0No linked articles in our index yet.