CVE-2021-3406
Published: 25 February 2021
Summary
CVE-2021-3406 is a critical-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Keylime Keylime. Its CVSS base score is 9.8 (Critical).
Operationally, ranked at the 27.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-26734
Vulnerability details
A flaw was found in keylime 5.8.1 and older. The issue in the Keylime agent and registrar code invalidates the cryptographic chain of trust from the Endorsement Key certificate to agent attestations.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Component authenticity commonly depends on cryptographic signatures; the control enforces proper verification of those signatures.
Mandates approved trust anchors and issuance policies, directly preventing acceptance of unvalidated or untrusted certificates.
Requires verification of digital signatures using organization-approved certificates before installation, directly preventing improper verification of cryptographic signatures.
Requires cryptographic signatures on authoritative data and support for verifying the chain of trust.
Mandates verification of cryptographic signatures (e.g., DNSSEC RRSIG) on resolution responses, addressing missing or bypassed signature checks.
Correct system time is required for proper enforcement of certificate notBefore/notAfter dates and time-based revocation checks.
Integrity tools commonly rely on cryptographic signatures whose improper validation this weakness covers.
Authenticity validation commonly relies on cryptographic signature or certificate checks that this control enforces.