Cyber Resilience

CVE-2023-43634

High

Published: 21 September 2023

Published
21 September 2023
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0003 9.2th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-43634 is a high-severity Insufficiently Protected Credentials (CWE-522) vulnerability in Lfedge Eve. Its CVSS base score is 8.8 (High).

Operationally, ranked at the 9.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

When sealing/unsealing the “vault” key, a list of PCRs is used, which defines which PCRs are used. In a previous project, CYMOTIVE found that the configuration is not protected by the secure boot, and in response Zededa implemented measurements on…

more

the config partition that was mapped to PCR 13. In that process, PCR 13 was added to the list of PCRs that seal/unseal the key. In commit “56e589749c6ff58ded862d39535d43253b249acf”, the config partition measurement moved from PCR 13 to PCR 14, but PCR 14 was not added to the list of PCRs that seal/unseal the key. This change makes the measurement of PCR 14 effectively redundant as it would not affect the sealing/unsealing of the key. An attacker could modify the config partition without triggering the measured boot, this could result in the attacker gaining full control over the device with full access to the contents of the encrypted “vault”

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

lfedge
eve
≤ 8.6.0 · 9.0.0 — 9.5.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-522 CWE-922

Requiring confidentiality/integrity protection for stored credentials directly mitigates insufficiently protected credentials on disk or in configuration stores.

addresses: CWE-522

Training instructs users on protecting credentials from disclosure or unauthorized access.

addresses: CWE-522

Training records for security awareness and role-based training verify education on credential protection practices, tangibly reducing risks from mishandling or exposing credentials.

addresses: CWE-922

Tracking information locations and access supports secure storage practices instead of insecure ones.

addresses: CWE-922

Establishing an alternate site with equivalent protections directly mitigates insecure storage of sensitive backup information.

addresses: CWE-922

Requiring protection of backup information directly addresses insecure storage of sensitive data in backups.

addresses: CWE-522

Protecting authenticator content from unauthorized disclosure and modification while requiring protective controls addresses insufficiently protected credentials.

addresses: CWE-522

Rules of behavior include credential protection and non-sharing requirements, reducing exposure of insufficiently protected credentials.

References