CVE-2022-0317

An improper input validation vulnerability in go-attestation before 0.3.3 allows local users to provide a maliciously-formed Quote over no/some PCRs, causing AKPublic.Verify to succeed despite the inconsistency. Subsequent use of the same set of PCR values in Eventlog.Verify lacks the authentication performed by quote verification, meaning a local attacker could couple this vulnerability with a maliciously-crafted TCG log in Eventlog.Verify to spoof events in the TCG log, hence defeating remotely-attested measured-boot. We recommend upgrading to Version 0.4.0 or above.

CVSS v3 3.3 LOW
CVSS v2.0 2.1 LOW

3.3^/10

CVSS v3 : LOW

Vector :

Exploitability : 1.8 / Impact : 1.4

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

2.1^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://github.com/google/go-attestation/security/advisories/GHSA-99cg-575x-774p	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:google:go-attestation:*:*:*:*:*:*:*:*

History

09 Feb 2022, 18:14

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 2.1 v3 : 3.3
References	~~(MISC) https://github.com/google/go-attestation/security/advisories/GHSA-99cg-575x-774p -~~	(MISC) https://github.com/google/go-attestation/security/advisories/GHSA-99cg-575x-774p - Third Party Advisory
CWE		CWE-20
CPE		cpe:2.3:a:google:go-attestation::::::::

04 Feb 2022, 23:28

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-02-04 23:15

Updated : 2024-02-04 22:08

NVD link : CVE-2022-0317

Mitre link : CVE-2022-0317

CVE.ORG link : CVE-2022-0317

JSON object : View

Products Affected

google

go-attestation

CWE

CWE-20

Improper Input Validation

{"id": "CVE-2022-0317", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.1, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.3, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 1.8}, {"type": "Secondary", "source": "cve-coordination@google.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.0, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.5}]}, "published": "2022-02-04T23:15:12.510", "references": [{"url": "https://github.com/google/go-attestation/security/advisories/GHSA-99cg-575x-774p", "tags": ["Third Party Advisory"], "source": "cve-coordination@google.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-20"}]}, {"type": "Secondary", "source": "cve-coordination@google.com", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "An improper input validation vulnerability in go-attestation before 0.3.3 allows local users to provide a maliciously-formed Quote over no/some PCRs, causing AKPublic.Verify to succeed despite the inconsistency. Subsequent use of the same set of PCR values in Eventlog.Verify lacks the authentication performed by quote verification, meaning a local attacker could couple this vulnerability with a maliciously-crafted TCG log in Eventlog.Verify to spoof events in the TCG log, hence defeating remotely-attested measured-boot. We recommend upgrading to Version 0.4.0 or above."}, {"lang": "es", "value": "Una vulnerabilidad de Comprobaci\u00f3n de Entrada Inapropiada en go-attestation versiones anteriores a 0.3.3, permite a usuarios locales proporcionar una cita con forma maliciosa sobre no/algunas PCR, causando que AKPublic.Verify tenga \u00e9xito a pesar de la inconsistencia. El uso posterior del mismo conjunto de valores de PCR en Eventlog.Verify carece de la autenticaci\u00f3n llevada a cabo por la verificaci\u00f3n de citas, lo que significa que un atacante local podr\u00eda acoplar esta vulnerabilidad con un registro TCG dise\u00f1ado de forma maliciosa en Eventlog.Verify para falsificar eventos en el registro TCG, derrotando as\u00ed el arranque medido comprobado de forma remota. Recomendamos actualizar a la versi\u00f3n 0.4.0 o superior"}], "lastModified": "2022-02-09T18:14:02.887", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:google:go-attestation:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E662172D-83A5-40CD-8EB7-44ED2E93ABD7", "versionEndExcluding": "0.3.3"}], "operator": "OR"}]}], "sourceIdentifier": "cve-coordination@google.com"}