Vulnerability Name: CVE-2022-23645 (CCN-219961)

Assigned: 2022-02-18
Published: 2022-02-18
Updated: 2022-03-07
Summary: swtpm is a libtpms-based TPM emulator with socket, character device, and Linux CUSE interfaces. Versions prior to 0.5.3, 0.6.2, and 0.7.1 are vulnerable to an out-of-bounds read. A specially crafted header of swtpm's state, where the blobheader's hdrsize indicator has an invalid value, may cause an out-of-bounds access when the byte array representing the state of the TPM is accessed. This will likely crash swtpm or prevent it from starting, since the state cannot be understood. Users should upgrade to swtpm v0.5.3, v0.6.2, or v0.7.1 to receive a patch. There are currently no known workarounds.
CVSS v3 Severity: 5.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
4.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
6.2 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
5.4 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
5.5 Medium (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
4.8 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
CVSS v2 Severity: 2.1 Low (CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
4.9 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Complete
Vulnerability Type: CWE-125
Vulnerability Consequences: Denial of Service
References:
Source: MITRE
Type: CNA
CVE-2022-23645

Source: XF
Type: UNKNOWN
swtpm-cve202223645-dos(219961)

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/stefanberger/swtpm/commit/9f740868fc36761de27df3935513bdebf8852d19

Source: MISC
Type: Release Notes, Third Party Advisory
https://github.com/stefanberger/swtpm/releases/tag/v0.5.3

Source: MISC
Type: Release Notes, Third Party Advisory
https://github.com/stefanberger/swtpm/releases/tag/v0.6.2

Source: MISC
Type: Release Notes, Third Party Advisory
https://github.com/stefanberger/swtpm/releases/tag/v0.7.1

Source: CCN
Type: SWTPM GIT Repository
Out-of-bounds read in swtpm when a specially crafted header of swtpm's state is given

Source: CONFIRM
Type: Patch, Third Party Advisory
https://github.com/stefanberger/swtpm/security/advisories/GHSA-2qgm-8xf4-3hqw

Source: FEDORA
Type: Third Party Advisory
FEDORA-2022-12443a525c

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:swtpm_project:swtpm:*:*:*:*:*:*:*:* (Version < 0.5.3)
  • OR cpe:/a:swtpm_project:swtpm:*:*:*:*:*:*:*:* (Version >= 0.6.0 and < 0.6.2)
  • OR cpe:/a:swtpm_project:swtpm:0.7.0:-:*:*:*:*:*:*
  • OR cpe:/a:swtpm_project:swtpm:0.7.0:rc1:*:*:*:*:*:*
  • OR cpe:/a:swtpm_project:swtpm:0.7.0:rc2:*:*:*:*:*:*

Configuration 2:
  • cpe:/o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*

Configuration 3:
  • cpe:/o:fedoraproject:fedora:35:*:*:*:*:*:*:*

Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

Configuration RedHat 3:
  • cpe:/a:redhat:enterprise_linux:8::crb:*:*:*:*:*

Configuration RedHat 4:
  • cpe:/a:redhat:enterprise_linux:9:*:*:*:*:*:*:*

Configuration RedHat 5:
  • cpe:/a:redhat:enterprise_linux:9::appstream:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions:
Definition ID | Class | Title | Last Modified
oval:com.redhat.rhsa:def:20228100 | P | RHSA-2022:8100: swtpm security and bug fix update (Low) | 2022-11-15
oval:com.redhat.rhsa:def:20227472 | P | RHSA-2022:7472: virt:rhel and virt-devel:rhel security, bug fix, and enhancement update (Low) | 2022-11-08
oval:org.opensuse.security:def:3530 | P | jakarta-taglibs-standard-1.1.1-255.2 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:95160 | P | swtpm-0.5.3-150300.3.3.1 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:366 | P | swtpm-0.5.3-150300.3.3.1 on GA media (Moderate) | 2022-06-10
oval:org.opensuse.security:def:102234 | P | Security update for swtpm (Low) | 2022-04-21
oval:org.opensuse.security:def:1658 | P | Security update for swtpm (Low) | 2022-04-21
oval:org.opensuse.security:def:42266 | P | Security update for swtpm (Low) | 2022-04-21