CVE-2021-3565

Published: 04/06/2021 Updated: 07/11/2023

CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6

CVSS v3 Base Score: 5.9 | Impact Score: 3.6 | Exploitability Score: 2.2

VMScore: 383

Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

A flaw was found in tpm2-tools in versions prior to 5.1.1 and prior to 4.3.2. tpm2_import used a fixed AES key for the inner wrapper, potentially allowing a MITM malicious user to unwrap the inner portion and reveal the key being imported. The highest threat from this vulnerability is to data confidentiality.

Vulnerable Product	Search on Vulmon	Subscribe to Product
tpm2-tools project tpm2-tools
redhat enterprise linux 8.0
fedoraproject fedora 33
fedoraproject fedora 34

Debian Bug report logs - #989148 tpm2-tools: CVE-2021-3565 Package: src:tpm2-tools; Maintainer for src:tpm2-tools is Ying-Chun Liu (PaulLiu) <paulliu@debianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Wed, 26 May 2021 20:09:02 UTC Severity: important Tags: security, upstream Found in version tp ...

No description is available for this CVE ...

During the tpm2_import command invocation a fixed AES wrapping key is used This presents a weakness in that, when no encrypted session with the TPM is used, the encrypted inner wrapper key is known and thus an entity performing a man-in-the-middle (MITM) attack on the TPM would be able to unwrap the inner portion and reveal the key being imported ...

CWE-798 https://bugzilla.redhat.com/show_bug.cgi?id=1964427 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ESY6HRYUKR5ZG2K5QAJQC5S6HMKZMFK7/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XK5M7I66PBXSN663TSLAZ3V6TWWFCV7C/https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989148 https://nvd.nist.gov https://access.redhat.com/security/cve/cve-2021-3565

CVE-2021-3565

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

References

Vulmon Search

About

Products

Connect