Go modules package
github.com/lf-edge/eve
pkg:golang/github.com/lf-edge/eve
Vulnerabilities (7)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-43637 | — | < 0.0.0-20220310190112-c0c966dc31e2 | 0.0.0-20220310190112-c0c966dc31e2 | Sep 21, 2023 | Due to the implementation of "deriveVaultKey", prior to version 7.10, the generated vault key would always have the last 16 bytes predetermined to be "arfoobarfoobarfo". This issue happens because "deriveVaultKey" calls "retrieveCloudKey" (which will always return "foobarfoobar | ||
| CVE-2023-43631 | — | < 0.0.0-20220708121648-5fef4d92e758 | 0.0.0-20220708121648-5fef4d92e758 | Sep 21, 2023 | On boot, the Pillar eve container checks for the existence and content of “/config/authorized_keys”. If the file is present, and contains a supported public key, the container will go on to open port 22 and enable sshd with the given keys as the authorized keys for root login. | ||
| CVE-2023-43632 | — | < 0.0.0-20230519072751-977f42b07fa9 | 0.0.0-20230519072751-977f42b07fa9 | Sep 21, 2023 | As noted in the “VTPM.md” file in the eve documentation, “VTPM is a server listening on port 8877 in EVE, exposing limited functionality of the TPM to the clients. VTPM allows clients to execute tpm2-tools binaries from a list of hardcoded options” The communication with this s | ||
| CVE-2023-43633 | — | < 0.0.0-20220708121648-5fef4d92e758 | 0.0.0-20220708121648-5fef4d92e758 | Sep 21, 2023 | On boot, the Pillar eve container checks for the existence and content of “/config/GlobalConfig/global.json”. If the file exists, it overrides the existing configuration on the device on boot. This allows an attacker to change the system’s configuration, which also includes so | ||
| CVE-2023-43634 | — | < 0.0.0-20230519072751-977f42b07fa9 | 0.0.0-20230519072751-977f42b07fa9 | Sep 21, 2023 | When sealing/unsealing the “vault” key, a list of PCRs is used, which defines which PCRs are used. In a previous project, CYMOTIVE found that the configuration is not protected by the secure boot, and in response Zededa implemented measurements on the config partition that was | ||
| CVE-2023-43635 | — | < 0.0.0-20230519072751-977f42b07fa9 | 0.0.0-20230519072751-977f42b07fa9 | Sep 20, 2023 | Vault Key Sealed With SHA1 PCRs The measured boot solution implemented in EVE OS leans on a PCR locking mechanism. Different parts of the system update different PCR values in the TPM, resulting in a unique value for each PCR entry. These PCRs are then used in order to s | ||
| CVE-2023-43630 | — | < 0.0.0-20230126065759-d9383a7ee4e1 | 0.0.0-20230126065759-d9383a7ee4e1 | Sep 20, 2023 | PCR14 is not in the list of PCRs that seal/unseal the “vault” key, but due to the change that was implemented in commit “7638364bc0acf8b5c481b5ce5fea11ad44ad7fd4”, fixing this issue alone would not solve the problem of the config partition not being measured correctly. Also, the |
- CVE-2023-43637Sep 21, 2023affected < 0.0.0-20220310190112-c0c966dc31e2fixed 0.0.0-20220310190112-c0c966dc31e2
Due to the implementation of "deriveVaultKey", prior to version 7.10, the generated vault key would always have the last 16 bytes predetermined to be "arfoobarfoobarfo". This issue happens because "deriveVaultKey" calls "retrieveCloudKey" (which will always return "foobarfoobar
- CVE-2023-43631Sep 21, 2023affected < 0.0.0-20220708121648-5fef4d92e758fixed 0.0.0-20220708121648-5fef4d92e758
On boot, the Pillar eve container checks for the existence and content of “/config/authorized_keys”. If the file is present, and contains a supported public key, the container will go on to open port 22 and enable sshd with the given keys as the authorized keys for root login.
- CVE-2023-43632Sep 21, 2023affected < 0.0.0-20230519072751-977f42b07fa9fixed 0.0.0-20230519072751-977f42b07fa9
As noted in the “VTPM.md” file in the eve documentation, “VTPM is a server listening on port 8877 in EVE, exposing limited functionality of the TPM to the clients. VTPM allows clients to execute tpm2-tools binaries from a list of hardcoded options” The communication with this s
- CVE-2023-43633Sep 21, 2023affected < 0.0.0-20220708121648-5fef4d92e758fixed 0.0.0-20220708121648-5fef4d92e758
On boot, the Pillar eve container checks for the existence and content of “/config/GlobalConfig/global.json”. If the file exists, it overrides the existing configuration on the device on boot. This allows an attacker to change the system’s configuration, which also includes so
- CVE-2023-43634Sep 21, 2023affected < 0.0.0-20230519072751-977f42b07fa9fixed 0.0.0-20230519072751-977f42b07fa9
When sealing/unsealing the “vault” key, a list of PCRs is used, which defines which PCRs are used. In a previous project, CYMOTIVE found that the configuration is not protected by the secure boot, and in response Zededa implemented measurements on the config partition that was
- CVE-2023-43635Sep 20, 2023affected < 0.0.0-20230519072751-977f42b07fa9fixed 0.0.0-20230519072751-977f42b07fa9
Vault Key Sealed With SHA1 PCRs The measured boot solution implemented in EVE OS leans on a PCR locking mechanism. Different parts of the system update different PCR values in the TPM, resulting in a unique value for each PCR entry. These PCRs are then used in order to s
- CVE-2023-43630Sep 20, 2023affected < 0.0.0-20230126065759-d9383a7ee4e1fixed 0.0.0-20230126065759-d9383a7ee4e1
PCR14 is not in the list of PCRs that seal/unseal the “vault” key, but due to the change that was implemented in commit “7638364bc0acf8b5c481b5ce5fea11ad44ad7fd4”, fixing this issue alone would not solve the problem of the config partition not being measured correctly. Also, the