Cyber Resilience

CVE-2021-3406

Critical

Published: 25 February 2021

Published
25 February 2021
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0010 27.8th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2021-3406 is a critical-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Keylime Keylime. Its CVSS base score is 9.8 (Critical).

Operationally, ranked at the 27.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

A flaw was found in keylime 5.8.1 and older. The issue in the Keylime agent and registrar code invalidates the cryptographic chain of trust from the Endorsement Key certificate to agent attestations.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

keylime
keylime
≤ 5.8.1
fedoraproject
fedora
34

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-347 CWE-295

Component authenticity commonly depends on cryptographic signatures; the control enforces proper verification of those signatures.

addresses: CWE-295 CWE-347

Mandates approved trust anchors and issuance policies, directly preventing acceptance of unvalidated or untrusted certificates.

addresses: CWE-347

Requires verification of digital signatures using organization-approved certificates before installation, directly preventing improper verification of cryptographic signatures.

addresses: CWE-347

Requires cryptographic signatures on authoritative data and support for verifying the chain of trust.

addresses: CWE-347

Mandates verification of cryptographic signatures (e.g., DNSSEC RRSIG) on resolution responses, addressing missing or bypassed signature checks.

addresses: CWE-295

Correct system time is required for proper enforcement of certificate notBefore/notAfter dates and time-based revocation checks.

addresses: CWE-347

Integrity tools commonly rely on cryptographic signatures whose improper validation this weakness covers.

addresses: CWE-347

Authenticity validation commonly relies on cryptographic signature or certificate checks that this control enforces.

References