Arch Linux alert ASA-202106-55 (tpm2-tools)
From: Jonas Witschel via arch-security <arch-security@lists.archlinux.org>
To: arch-security@lists.archlinux.org
Subject: [ASA-202106-55] tpm2-tools: man-in-the-middle
Date: Thu, 24 Jun 2021 18:20:44 +0200
Message-ID: <20210624162044.reqrezp4ti6rraoj@archlinux.org>
Cc: Jonas Witschel <diabonas@archlinux.org>

Arch Linux Security Advisory ASA-202106-55
==========================================

Severity: Low
Date    : 2021-06-22
CVE-ID  : CVE-2021-3565
Package : tpm2-tools
Type    : man-in-the-middle
Remote  : No
Link    : https://security.archlinux.org/AVG-1986

Summary
=======

The package tpm2-tools before version 5.1.1-1 is vulnerable to man-in-the-middle.

Resolution
==========

Upgrade to 5.1.1-1.

# pacman -Syu "tpm2-tools>=5.1.1-1"

The problem has been fixed upstream in version 5.1.1.

Workaround
==========

None.

Description
===========

A security issue was found in tpm2-tools before version 5.1.1. tpm2_import used a fixed AES key for the inner wrapper, potentially allowing a man-in-the-middle (MITM) attacker to unwrap the inner portion and reveal the key being imported.

Impact
======

A local attacker could disclose the secret portion of a key while it is being imported into the TPM.

References
==========

https://bugzilla.redhat.com/show_bug.cgi?id=1964427
https://github.com/tpm2-software/tpm2-tools/issues/2738
https://github.com/tpm2-software/tpm2-tools/pull/2739
https://github.com/tpm2-software/tpm2-tools/commit/47b3b6...
https://security.archlinux.org/CVE-2021-3565
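
A fleet check for the affected range, as an added example (not part of the advisory or of pacman): it flags hosts whose tpm2-tools package is older than 5.1.1-1. The inventory layout, the sample data and the function names are assumptions, and the comparison is a simplified approximation of pacman's version ordering; on an Arch host, `vercmp` from pacman is authoritative.

```python
import re

FIXED = "5.1.1-1"  # first fixed package version, taken from the advisory
# Constructed sample inventory; the "host package version" layout is an assumption.
SAMPLE_INVENTORY = """\
web01 tpm2-tools 5.0-2
web02 tpm2-tools 5.1.1-1
build01 tpm2-tools 5.1-1
build01 openssl 1.1.1.k-1
hsm-gw tpm2-tools 5.2-1
"""

def _split(version):
    """Split 'epoch:pkgver-pkgrel' into (epoch, pkgver, pkgrel)."""
    epoch, _, rest = version.rpartition(":")
    pkgver, sep, pkgrel = rest.rpartition("-")
    return int(epoch or 0), (pkgver if sep else rest), (pkgrel if sep else "")

def _cmp_part(a, b):
    """Compare two version parts segment by segment; returns -1, 0 or 1."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alphabetic
        kx, ky = (int(x), int(y)) if x.isdigit() else (x, y)
        if kx != ky:
            return 1 if kx > ky else -1
    if len(sa) == len(sb):
        return 0
    extra = sa[len(sb):] or sb[len(sa):]
    sign = 1 if len(sa) > len(sb) else -1
    # Extra numeric segment means newer (5.1.1 > 5.1); extra letters mean older (rc).
    return sign if extra[0].isdigit() else -sign

def vercmp(a, b):
    """Simplified stand-in for pacman's vercmp: epoch, then pkgver, then pkgrel."""
    (ea, va, ra), (eb, vb, rb) = _split(a), _split(b)
    if ea != eb:
        return 1 if ea > eb else -1
    c = _cmp_part(va, vb)
    # pkgrel is compared only when both versions carry one
    return c if c or not (ra and rb) else _cmp_part(ra, rb)

def vulnerable_hosts(inventory, fixed=FIXED):
    """Return (host, version) for every tpm2-tools install older than `fixed`."""
    rows = (line.split() for line in inventory.splitlines())
    return [(r[0], r[2]) for r in rows
            if len(r) == 3 and r[1] == "tpm2-tools" and vercmp(r[2], fixed) < 0]

if __name__ == "__main__":
    print(vulnerable_hosts(SAMPLE_INVENTORY))
```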
