VYPR

Go modules package

github.com/lf-edge/eve

pkg:golang/github.com/lf-edge/eve

Vulnerabilities (7)

  • CVE-2023-43637Sep 21, 2023
    affected < 0.0.0-20220310190112-c0c966dc31e2fixed 0.0.0-20220310190112-c0c966dc31e2

    Due to the implementation of "deriveVaultKey", prior to version 7.10, the generated vault key would always have the last 16 bytes predetermined to be "arfoobarfoobarfo". This issue happens because "deriveVaultKey" calls "retrieveCloudKey" (which will always return "foobarfoobar

  • CVE-2023-43631Sep 21, 2023
    affected < 0.0.0-20220708121648-5fef4d92e758fixed 0.0.0-20220708121648-5fef4d92e758

    On boot, the Pillar eve container checks for the existence and content of “/config/authorized_keys”. If the file is present, and contains a supported public key, the container will go on to open port 22 and enable sshd with the given keys as the authorized keys for root login.

  • CVE-2023-43632Sep 21, 2023
    affected < 0.0.0-20230519072751-977f42b07fa9fixed 0.0.0-20230519072751-977f42b07fa9

    As noted in the “VTPM.md” file in the eve documentation, “VTPM is a server listening on port 8877 in EVE, exposing limited functionality of the TPM to the clients. VTPM allows clients to execute tpm2-tools binaries from a list of hardcoded options” The communication with this s

  • CVE-2023-43633Sep 21, 2023
    affected < 0.0.0-20220708121648-5fef4d92e758fixed 0.0.0-20220708121648-5fef4d92e758

    On boot, the Pillar eve container checks for the existence and content of “/config/GlobalConfig/global.json”. If the file exists, it overrides the existing configuration on the device on boot. This allows an attacker to change the system’s configuration, which also includes so

  • CVE-2023-43634Sep 21, 2023
    affected < 0.0.0-20230519072751-977f42b07fa9fixed 0.0.0-20230519072751-977f42b07fa9

    When sealing/unsealing the “vault” key, a list of PCRs is used, which defines which PCRs are used. In a previous project, CYMOTIVE found that the configuration is not protected by the secure boot, and in response Zededa implemented measurements on the config partition that was

  • CVE-2023-43635Sep 20, 2023
    affected < 0.0.0-20230519072751-977f42b07fa9fixed 0.0.0-20230519072751-977f42b07fa9

    Vault Key Sealed With SHA1 PCRs The measured boot solution implemented in EVE OS leans on a PCR locking mechanism. Different parts of the system update different PCR values in the TPM, resulting in a unique value for each PCR entry. These PCRs are then used in order to s

  • CVE-2023-43630Sep 20, 2023
    affected < 0.0.0-20230126065759-d9383a7ee4e1fixed 0.0.0-20230126065759-d9383a7ee4e1

    PCR14 is not in the list of PCRs that seal/unseal the “vault” key, but due to the change that was implemented in commit “7638364bc0acf8b5c481b5ce5fea11ad44ad7fd4”, fixing this issue alone would not solve the problem of the config partition not being measured correctly. Also, the