RHSA-2023:5080: Red Hat Security Advisory: keylime security update

An update for keylime is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2023-38200: A flaw was found in Keylime. Due to its blocking nature, the Keylime registrar is subject to a remote denial of service against its SSL connections. This flaw allows an attacker to exhaust all available connections.
  • CVE-2023-38201: A flaw was found in the Keylime registrar that could allow a bypass of the challenge-response protocol during agent registration. This issue may allow an attacker to impersonate an agent and hide the true status of a monitored machine if the fake agent is added to the verifier list by a legitimate user, resulting in a breach of the integrity of the registrar database.
Red Hat Security Data

Synopsis

Moderate: keylime security update

Type/Severity

Security Advisory: Moderate

Description

Keylime is a TPM-based, highly scalable remote boot attestation and runtime integrity measurement solution.

Security Fix(es):

  • keylime: registrar is subject to a DoS against SSL connections (CVE-2023-38200)
  • Keylime: challenge-response protocol bypass during agent registration (CVE-2023-38201)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Affected Products

  • Red Hat Enterprise Linux for x86_64 9 x86_64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.2 x86_64
  • Red Hat Enterprise Linux Server - AUS 9.2 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 9 s390x
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.2 s390x
  • Red Hat Enterprise Linux for Power, little endian 9 ppc64le
  • Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.2 ppc64le
  • Red Hat Enterprise Linux for ARM 64 9 aarch64
  • Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.2 aarch64
  • Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.2 ppc64le
  • Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.2 x86_64
  • Red Hat Enterprise Linux Server for ARM 64 - 4 years of updates 9.2 aarch64
  • Red Hat Enterprise Linux Server for IBM z Systems - 4 years of updates 9.2 s390x

Fixes

  • BZ - 2222692 - CVE-2023-38200 keylime: registrar is subject to a DoS against SSL connections
  • BZ - 2222693 - CVE-2023-38201 Keylime: challenge-response protocol bypass during agent registration

Red Hat Enterprise Linux for x86_64 9

SRPM

keylime-6.5.2-6.el9_2.src.rpm

SHA-256: d56ed9ac676afc559f5c8e54456247a345e1d6e1db66f0a6fac02710b25061e5

x86_64

keylime-6.5.2-6.el9_2.x86_64.rpm

SHA-256: 46281fa29a7a3a68d3bff02cd62cee15ad3035bb39efbd1d378d0e225eef9e05

keylime-base-6.5.2-6.el9_2.x86_64.rpm

SHA-256: 3b30951cbf5e6b2003664b14366667b03341ea109efdb2349a215e26fd180a07

keylime-registrar-6.5.2-6.el9_2.x86_64.rpm

SHA-256: 409bd9b62135765002121d31a0552dde3a7260d931a90fef42cda52aca04106a

keylime-selinux-6.5.2-6.el9_2.noarch.rpm

SHA-256: 7d30381dcec41faf2c3b29103ac96e361657cc28833a653fd2a61359d37c5e88

keylime-tenant-6.5.2-6.el9_2.x86_64.rpm

SHA-256: d3f093b0255c9557ce589cfcf307bc850b4aeb62f1967605450a70bf13040bc0

keylime-verifier-6.5.2-6.el9_2.x86_64.rpm

SHA-256: 24db7b05ad84e1860859cc692e76132bd476b549d448e147f1db4ed51c450d71

python3-keylime-6.5.2-6.el9_2.x86_64.rpm

SHA-256: 76d842dff47d48aecc329d98c73a31f2eb5aca29a46f8778738c61ab65cf830e

Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.2

SRPM

keylime-6.5.2-6.el9_2.src.rpm

SHA-256: d56ed9ac676afc559f5c8e54456247a345e1d6e1db66f0a6fac02710b25061e5

x86_64

keylime-6.5.2-6.el9_2.x86_64.rpm

SHA-256: 46281fa29a7a3a68d3bff02cd62cee15ad3035bb39efbd1d378d0e225eef9e05

keylime-base-6.5.2-6.el9_2.x86_64.rpm

SHA-256: 3b30951cbf5e6b2003664b14366667b03341ea109efdb2349a215e26fd180a07

keylime-registrar-6.5.2-6.el9_2.x86_64.rpm

SHA-256: 409bd9b62135765002121d31a0552dde3a7260d931a90fef42cda52aca04106a

keylime-selinux-6.5.2-6.el9_2.noarch.rpm

SHA-256: 7d30381dcec41faf2c3b29103ac96e361657cc28833a653fd2a61359d37c5e88

keylime-tenant-6.5.2-6.el9_2.x86_64.rpm

SHA-256: d3f093b0255c9557ce589cfcf307bc850b4aeb62f1967605450a70bf13040bc0

keylime-verifier-6.5.2-6.el9_2.x86_64.rpm

SHA-256: 24db7b05ad84e1860859cc692e76132bd476b549d448e147f1db4ed51c450d71

python3-keylime-6.5.2-6.el9_2.x86_64.rpm

SHA-256: 76d842dff47d48aecc329d98c73a31f2eb5aca29a46f8778738c61ab65cf830e

Red Hat Enterprise Linux Server - AUS 9.2

SRPM

keylime-6.5.2-6.el9_2.src.rpm

SHA-256: d56ed9ac676afc559f5c8e54456247a345e1d6e1db66f0a6fac02710b25061e5

x86_64

keylime-6.5.2-6.el9_2.x86_64.rpm

SHA-256: 46281fa29a7a3a68d3bff02cd62cee15ad3035bb39efbd1d378d0e225eef9e05

keylime-base-6.5.2-6.el9_2.x86_64.rpm

SHA-256: 3b30951cbf5e6b2003664b14366667b03341ea109efdb2349a215e26fd180a07

keylime-registrar-6.5.2-6.el9_2.x86_64.rpm

SHA-256: 409bd9b62135765002121d31a0552dde3a7260d931a90fef42cda52aca04106a

keylime-selinux-6.5.2-6.el9_2.noarch.rpm

SHA-256: 7d30381dcec41faf2c3b29103ac96e361657cc28833a653fd2a61359d37c5e88

keylime-tenant-6.5.2-6.el9_2.x86_64.rpm

SHA-256: d3f093b0255c9557ce589cfcf307bc850b4aeb62f1967605450a70bf13040bc0

keylime-verifier-6.5.2-6.el9_2.x86_64.rpm

SHA-256: 24db7b05ad84e1860859cc692e76132bd476b549d448e147f1db4ed51c450d71

python3-keylime-6.5.2-6.el9_2.x86_64.rpm

SHA-256: 76d842dff47d48aecc329d98c73a31f2eb5aca29a46f8778738c61ab65cf830e

Red Hat Enterprise Linux for IBM z Systems 9

SRPM

keylime-6.5.2-6.el9_2.src.rpm

SHA-256: d56ed9ac676afc559f5c8e54456247a345e1d6e1db66f0a6fac02710b25061e5

s390x

keylime-6.5.2-6.el9_2.s390x.rpm

SHA-256: 436b8b9cdfd91b145f35c2c9a9da78be3ef778d16792b0a0a877184bba1a9331

keylime-base-6.5.2-6.el9_2.s390x.rpm

SHA-256: 7de6f322b19bd2a0e4463209a03f56cbfb55b6396376edceda25f7c12f08adf5

keylime-registrar-6.5.2-6.el9_2.s390x.rpm

SHA-256: 8c6014ab3706df42f74107063c4af512b6df8ade72ebda266cf996b33f238824

keylime-selinux-6.5.2-6.el9_2.noarch.rpm

SHA-256: 7d30381dcec41faf2c3b29103ac96e361657cc28833a653fd2a61359d37c5e88

keylime-tenant-6.5.2-6.el9_2.s390x.rpm

SHA-256: 4016103f3caefed41f33e948cd2d242e3a58e75f2b3420c013f349db7e9e9aa1

keylime-verifier-6.5.2-6.el9_2.s390x.rpm

SHA-256: 9b06e51824fea9550eeea2362be5be30c1c305d079996a3e781a49db792e0d06

python3-keylime-6.5.2-6.el9_2.s390x.rpm

SHA-256: 58084c37eb1568b93223c0782b8a03a6f65db92f00c290a3ea517249fe1b4970

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.2

SRPM

keylime-6.5.2-6.el9_2.src.rpm

SHA-256: d56ed9ac676afc559f5c8e54456247a345e1d6e1db66f0a6fac02710b25061e5

s390x

keylime-6.5.2-6.el9_2.s390x.rpm

SHA-256: 436b8b9cdfd91b145f35c2c9a9da78be3ef778d16792b0a0a877184bba1a9331

keylime-base-6.5.2-6.el9_2.s390x.rpm

SHA-256: 7de6f322b19bd2a0e4463209a03f56cbfb55b6396376edceda25f7c12f08adf5

keylime-registrar-6.5.2-6.el9_2.s390x.rpm

SHA-256: 8c6014ab3706df42f74107063c4af512b6df8ade72ebda266cf996b33f238824

keylime-selinux-6.5.2-6.el9_2.noarch.rpm

SHA-256: 7d30381dcec41faf2c3b29103ac96e361657cc28833a653fd2a61359d37c5e88

keylime-tenant-6.5.2-6.el9_2.s390x.rpm

SHA-256: 4016103f3caefed41f33e948cd2d242e3a58e75f2b3420c013f349db7e9e9aa1

keylime-verifier-6.5.2-6.el9_2.s390x.rpm

SHA-256: 9b06e51824fea9550eeea2362be5be30c1c305d079996a3e781a49db792e0d06

python3-keylime-6.5.2-6.el9_2.s390x.rpm

SHA-256: 58084c37eb1568b93223c0782b8a03a6f65db92f00c290a3ea517249fe1b4970

Red Hat Enterprise Linux for Power, little endian 9

SRPM

keylime-6.5.2-6.el9_2.src.rpm

SHA-256: d56ed9ac676afc559f5c8e54456247a345e1d6e1db66f0a6fac02710b25061e5

ppc64le

keylime-6.5.2-6.el9_2.ppc64le.rpm

SHA-256: d6d7ace6f1707e8bf2216dc431cb344572ed4edae760587f8ed4c9f837878c66

keylime-base-6.5.2-6.el9_2.ppc64le.rpm

SHA-256: 84379879bde0d436094e56f874cc53a0423a7cf3a0ab5917b3e631b5675cfe6e

keylime-registrar-6.5.2-6.el9_2.ppc64le.rpm

SHA-256: fa6b89ea6818d50aa2d57fd7a1ce04452a894018447181a643aec5d8d7139e66

keylime-selinux-6.5.2-6.el9_2.noarch.rpm

SHA-256: 7d30381dcec41faf2c3b29103ac96e361657cc28833a653fd2a61359d37c5e88

keylime-tenant-6.5.2-6.el9_2.ppc64le.rpm

SHA-256: 85f657732db64db0d78e16de760fc782bb4449ad708c4d07a0fed6bb194d85a5

keylime-verifier-6.5.2-6.el9_2.ppc64le.rpm

SHA-256: ca674249611ff663785eccf6dab21abaf1e3a7f5a76ddc64a5a2a4ee70d52e64

python3-keylime-6.5.2-6.el9_2.ppc64le.rpm

SHA-256: ea3a62466a27ad70a1dc480c1815d39153b95ec3e9f24829b7a7144c6b0cc788

Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.2

SRPM

keylime-6.5.2-6.el9_2.src.rpm

SHA-256: d56ed9ac676afc559f5c8e54456247a345e1d6e1db66f0a6fac02710b25061e5

ppc64le

keylime-6.5.2-6.el9_2.ppc64le.rpm

SHA-256: d6d7ace6f1707e8bf2216dc431cb344572ed4edae760587f8ed4c9f837878c66

keylime-base-6.5.2-6.el9_2.ppc64le.rpm

SHA-256: 84379879bde0d436094e56f874cc53a0423a7cf3a0ab5917b3e631b5675cfe6e

keylime-registrar-6.5.2-6.el9_2.ppc64le.rpm

SHA-256: fa6b89ea6818d50aa2d57fd7a1ce04452a894018447181a643aec5d8d7139e66

keylime-selinux-6.5.2-6.el9_2.noarch.rpm

SHA-256: 7d30381dcec41faf2c3b29103ac96e361657cc28833a653fd2a61359d37c5e88

keylime-tenant-6.5.2-6.el9_2.ppc64le.rpm

SHA-256: 85f657732db64db0d78e16de760fc782bb4449ad708c4d07a0fed6bb194d85a5

keylime-verifier-6.5.2-6.el9_2.ppc64le.rpm

SHA-256: ca674249611ff663785eccf6dab21abaf1e3a7f5a76ddc64a5a2a4ee70d52e64

python3-keylime-6.5.2-6.el9_2.ppc64le.rpm

SHA-256: ea3a62466a27ad70a1dc480c1815d39153b95ec3e9f24829b7a7144c6b0cc788

Red Hat Enterprise Linux for ARM 64 9

SRPM

keylime-6.5.2-6.el9_2.src.rpm

SHA-256: d56ed9ac676afc559f5c8e54456247a345e1d6e1db66f0a6fac02710b25061e5

aarch64

keylime-6.5.2-6.el9_2.aarch64.rpm

SHA-256: 58be3e060f66d39c308e33fcd135b0410f3a18046af841c1dc8884652d810458

keylime-base-6.5.2-6.el9_2.aarch64.rpm

SHA-256: 3dcd301132ab59bd52a509cfeb7f93bf6b1179abd2e670b30a26a6ccf7dd5346

keylime-registrar-6.5.2-6.el9_2.aarch64.rpm

SHA-256: ec7f8aad4f235165602fe811c5a38c40db4762958ec6f3ae26005470dcf80d44

keylime-selinux-6.5.2-6.el9_2.noarch.rpm

SHA-256: 7d30381dcec41faf2c3b29103ac96e361657cc28833a653fd2a61359d37c5e88

keylime-tenant-6.5.2-6.el9_2.aarch64.rpm

SHA-256: ab01c92f68bfa2cae99caee5803569a9474e13851a38b2b79c5c33c2e679813a

keylime-verifier-6.5.2-6.el9_2.aarch64.rpm

SHA-256: 439462ab8152a344f5931351f93969b40a0aeab9ff06baafd4e7818c367c2cfa

python3-keylime-6.5.2-6.el9_2.aarch64.rpm

SHA-256: 4c230f80e617d3f31a2f2a635c9e39d62ac2760b53a9f7bf9b1086158feeab30

Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.2

SRPM

keylime-6.5.2-6.el9_2.src.rpm

SHA-256: d56ed9ac676afc559f5c8e54456247a345e1d6e1db66f0a6fac02710b25061e5

aarch64

keylime-6.5.2-6.el9_2.aarch64.rpm

SHA-256: 58be3e060f66d39c308e33fcd135b0410f3a18046af841c1dc8884652d810458

keylime-base-6.5.2-6.el9_2.aarch64.rpm

SHA-256: 3dcd301132ab59bd52a509cfeb7f93bf6b1179abd2e670b30a26a6ccf7dd5346

keylime-registrar-6.5.2-6.el9_2.aarch64.rpm

SHA-256: ec7f8aad4f235165602fe811c5a38c40db4762958ec6f3ae26005470dcf80d44

keylime-selinux-6.5.2-6.el9_2.noarch.rpm

SHA-256: 7d30381dcec41faf2c3b29103ac96e361657cc28833a653fd2a61359d37c5e88

keylime-tenant-6.5.2-6.el9_2.aarch64.rpm

SHA-256: ab01c92f68bfa2cae99caee5803569a9474e13851a38b2b79c5c33c2e679813a

keylime-verifier-6.5.2-6.el9_2.aarch64.rpm

SHA-256: 439462ab8152a344f5931351f93969b40a0aeab9ff06baafd4e7818c367c2cfa

python3-keylime-6.5.2-6.el9_2.aarch64.rpm

SHA-256: 4c230f80e617d3f31a2f2a635c9e39d62ac2760b53a9f7bf9b1086158feeab30

Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.2

SRPM

keylime-6.5.2-6.el9_2.src.rpm

SHA-256: d56ed9ac676afc559f5c8e54456247a345e1d6e1db66f0a6fac02710b25061e5

ppc64le

keylime-6.5.2-6.el9_2.ppc64le.rpm

SHA-256: d6d7ace6f1707e8bf2216dc431cb344572ed4edae760587f8ed4c9f837878c66

keylime-base-6.5.2-6.el9_2.ppc64le.rpm

SHA-256: 84379879bde0d436094e56f874cc53a0423a7cf3a0ab5917b3e631b5675cfe6e

keylime-registrar-6.5.2-6.el9_2.ppc64le.rpm

SHA-256: fa6b89ea6818d50aa2d57fd7a1ce04452a894018447181a643aec5d8d7139e66

keylime-selinux-6.5.2-6.el9_2.noarch.rpm

SHA-256: 7d30381dcec41faf2c3b29103ac96e361657cc28833a653fd2a61359d37c5e88

keylime-tenant-6.5.2-6.el9_2.ppc64le.rpm

SHA-256: 85f657732db64db0d78e16de760fc782bb4449ad708c4d07a0fed6bb194d85a5

keylime-verifier-6.5.2-6.el9_2.ppc64le.rpm

SHA-256: ca674249611ff663785eccf6dab21abaf1e3a7f5a76ddc64a5a2a4ee70d52e64

python3-keylime-6.5.2-6.el9_2.ppc64le.rpm

SHA-256: ea3a62466a27ad70a1dc480c1815d39153b95ec3e9f24829b7a7144c6b0cc788

Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.2

SRPM

keylime-6.5.2-6.el9_2.src.rpm

SHA-256: d56ed9ac676afc559f5c8e54456247a345e1d6e1db66f0a6fac02710b25061e5

x86_64

keylime-6.5.2-6.el9_2.x86_64.rpm

SHA-256: 46281fa29a7a3a68d3bff02cd62cee15ad3035bb39efbd1d378d0e225eef9e05

keylime-base-6.5.2-6.el9_2.x86_64.rpm

SHA-256: 3b30951cbf5e6b2003664b14366667b03341ea109efdb2349a215e26fd180a07

keylime-registrar-6.5.2-6.el9_2.x86_64.rpm

SHA-256: 409bd9b62135765002121d31a0552dde3a7260d931a90fef42cda52aca04106a

keylime-selinux-6.5.2-6.el9_2.noarch.rpm

SHA-256: 7d30381dcec41faf2c3b29103ac96e361657cc28833a653fd2a61359d37c5e88

keylime-tenant-6.5.2-6.el9_2.x86_64.rpm

SHA-256: d3f093b0255c9557ce589cfcf307bc850b4aeb62f1967605450a70bf13040bc0

keylime-verifier-6.5.2-6.el9_2.x86_64.rpm

SHA-256: 24db7b05ad84e1860859cc692e76132bd476b549d448e147f1db4ed51c450d71

python3-keylime-6.5.2-6.el9_2.x86_64.rpm

SHA-256: 76d842dff47d48aecc329d98c73a31f2eb5aca29a46f8778738c61ab65cf830e

Red Hat Enterprise Linux Server for ARM 64 - 4 years of updates 9.2

SRPM

keylime-6.5.2-6.el9_2.src.rpm

SHA-256: d56ed9ac676afc559f5c8e54456247a345e1d6e1db66f0a6fac02710b25061e5

aarch64

keylime-6.5.2-6.el9_2.aarch64.rpm

SHA-256: 58be3e060f66d39c308e33fcd135b0410f3a18046af841c1dc8884652d810458

keylime-base-6.5.2-6.el9_2.aarch64.rpm

SHA-256: 3dcd301132ab59bd52a509cfeb7f93bf6b1179abd2e670b30a26a6ccf7dd5346

keylime-registrar-6.5.2-6.el9_2.aarch64.rpm

SHA-256: ec7f8aad4f235165602fe811c5a38c40db4762958ec6f3ae26005470dcf80d44

keylime-selinux-6.5.2-6.el9_2.noarch.rpm

SHA-256: 7d30381dcec41faf2c3b29103ac96e361657cc28833a653fd2a61359d37c5e88

keylime-tenant-6.5.2-6.el9_2.aarch64.rpm

SHA-256: ab01c92f68bfa2cae99caee5803569a9474e13851a38b2b79c5c33c2e679813a

keylime-verifier-6.5.2-6.el9_2.aarch64.rpm

SHA-256: 439462ab8152a344f5931351f93969b40a0aeab9ff06baafd4e7818c367c2cfa

python3-keylime-6.5.2-6.el9_2.aarch64.rpm

SHA-256: 4c230f80e617d3f31a2f2a635c9e39d62ac2760b53a9f7bf9b1086158feeab30

Red Hat Enterprise Linux Server for IBM z Systems - 4 years of updates 9.2

SRPM

keylime-6.5.2-6.el9_2.src.rpm

SHA-256: d56ed9ac676afc559f5c8e54456247a345e1d6e1db66f0a6fac02710b25061e5

s390x

keylime-6.5.2-6.el9_2.s390x.rpm

SHA-256: 436b8b9cdfd91b145f35c2c9a9da78be3ef778d16792b0a0a877184bba1a9331

keylime-base-6.5.2-6.el9_2.s390x.rpm

SHA-256: 7de6f322b19bd2a0e4463209a03f56cbfb55b6396376edceda25f7c12f08adf5

keylime-registrar-6.5.2-6.el9_2.s390x.rpm

SHA-256: 8c6014ab3706df42f74107063c4af512b6df8ade72ebda266cf996b33f238824

keylime-selinux-6.5.2-6.el9_2.noarch.rpm

SHA-256: 7d30381dcec41faf2c3b29103ac96e361657cc28833a653fd2a61359d37c5e88

keylime-tenant-6.5.2-6.el9_2.s390x.rpm

SHA-256: 4016103f3caefed41f33e948cd2d242e3a58e75f2b3420c013f349db7e9e9aa1

keylime-verifier-6.5.2-6.el9_2.s390x.rpm

SHA-256: 9b06e51824fea9550eeea2362be5be30c1c305d079996a3e781a49db792e0d06

python3-keylime-6.5.2-6.el9_2.s390x.rpm

SHA-256: 58084c37eb1568b93223c0782b8a03a6f65db92f00c290a3ea517249fe1b4970

Related news

Red Hat Security Advisory 2023-5080-01

Red Hat Security Advisory 2023-5080-01 - Keylime is a TPM-based, highly scalable remote boot attestation and runtime integrity measurement solution. Issues addressed include bypass and denial of service vulnerabilities.

GHSA-f4r5-q63f-gcww: Keylime registrar and (untrusted) Agent can be bypassed by an attacker

Impact

A security issue was found in the Keylime `registrar` code that allows an attacker to effectively bypass the challenge-response protocol used to verify that an `agent` indeed has access to an AIK which is indeed related to the EK. When an `agent` starts up, it will contact a `registrar` and provide a public EK and public AIK, in addition to the EK Certificate. This `registrar` will then challenge the `agent` to decrypt a challenge encrypted with the EK. When receiving the wrong "auth_tag" back from the `agent` during activation, the `registrar` answers with an error message that contains the expected correct "auth_tag" (an HMAC which is calculated within the `registrar` for checking). An attacker could simply record the correct expected "auth_tag" from the HTTP error message and perform the activate call again with the correct expected "auth_tag" for the `agent`. The security issue allows an attacker to pass the challenge-response protocol during registration with (alm...
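The following is an added illustration and is not Keylime's code or part of the advisory. It models the registrar side of the activation step in two forms: the response shape the advisory describes, where the error message echoes the expected "auth_tag", next to a hardened check that compares in constant time, returns one generic error for every failure path, and treats the challenge as one-shot. The `Registrar` class, the `expected_auth_tag` helper, the HMAC-SHA384 over the agent id, the response dictionaries and the one-shot behaviour are assumptions of this example, not Keylime's actual API or fix.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Hypothetical model of the registrar-side activation check. The HMAC construction
# and the response format are simplified stand-ins, not Keylime's actual code.


@dataclass
class PendingChallenge:
    agent_id: str
    key: bytes  # random secret the registrar releases to the agent only encrypted under its EK


def expected_auth_tag(key: bytes, agent_id: str) -> str:
    """The tag an agent can only produce if it really recovered the challenge key."""
    return hmac.new(key, agent_id.encode(), hashlib.sha384).hexdigest()


class Registrar:
    def __init__(self) -> None:
        self._pending: dict[str, PendingChallenge] = {}
        self.active: set[str] = set()

    def register(self, agent_id: str) -> bytes:
        """Issue a fresh challenge; the returned key stands in for the EK-encrypted blob."""
        key = secrets.token_bytes(32)
        self._pending[agent_id] = PendingChallenge(agent_id, key)
        return key

    def activate_leaky(self, agent_id: str, auth_tag: str) -> dict:
        """The flawed shape the advisory describes: the error echoes the expected tag,
        so a single wrong attempt hands the caller the right answer."""
        challenge = self._pending.get(agent_id)
        if challenge is None:
            return {"code": 404, "error": "agent not registered"}
        expected = expected_auth_tag(challenge.key, agent_id)
        if auth_tag != expected:  # plain comparison, and the challenge stays reusable
            return {"code": 400, "error": f"auth_tag {auth_tag} does not match expected {expected}"}
        self.active.add(agent_id)
        del self._pending[agent_id]
        return {"code": 200, "error": None}

    def activate(self, agent_id: str, auth_tag: str) -> dict:
        """Hardened check: constant-time compare, one generic error that carries nothing
        about the expected value, and a challenge consumed by the first attempt."""
        challenge = self._pending.pop(agent_id, None)  # consumed whether or not it succeeds
        if challenge is None:
            return {"code": 400, "error": "activation failed"}
        expected = expected_auth_tag(challenge.key, agent_id)
        if not hmac.compare_digest(auth_tag.encode(), expected.encode()):
            return {"code": 400, "error": "activation failed"}
        self.active.add(agent_id)
        return {"code": 200, "error": None}
```

The "unknown agent" and "wrong tag" paths deliberately return the same body so the response reveals neither the expected value nor whether a registration is pending; a failed attempt forces the agent back through `register`, so a recorded tag from one exchange is useless for the next.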

CVE-2023-38201: cve-details

A flaw was found in the Keylime registrar that could allow a bypass of the challenge-response protocol during agent registration. This issue may allow an attacker to impersonate an agent and hide the true status of a monitored machine if the fake agent is added to the verifier list by a legitimate user, resulting in a breach of the integrity of the registrar database.

GHSA-pg75-v6fp-8q59: Keylime's registrar vulnerable to Denial-of-service attack via a single open connection

Impact

Keylime `registrar` is prone to a simple denial of service attack in which an adversary opens a connection to the TLS port (by default, port `8891`) blocking further, legitimate connections. As long as the connection is open, the `registrar` is blocked and cannot serve any further clients (`agents` and `tenants`), which prevents normal operation. The problem does not affect the `verifier`.

Patches

Users should upgrade to release 7.4.0
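As an added example, not Keylime's code and not part of the advisory, the following shows the two server designs the advisory contrasts: a single-threaded listener that handles one connection at a time, and a thread-per-connection listener with an idle timeout on each connection. `second_client_is_served` opens one connection that stays silent and then checks whether a second client still gets an answer. The plain-TCP line protocol, the `IDLE_TIMEOUT` value and the server classes are assumptions of this example; the registrar's real listener is a TLS HTTP server, but the blocking-accept behaviour being modelled is the same.

```python
import socket
import socketserver
import threading

IDLE_TIMEOUT = 1.0  # assumed value: seconds a client may stay silent before it is dropped


class LineHandler(socketserver.StreamRequestHandler):
    """Reads one request line and answers it. The timeout bounds the damage a silent
    client can do: without it, this handler blocks on readline() for as long as the
    peer keeps the connection open."""
    timeout = IDLE_TIMEOUT  # StreamRequestHandler.setup() applies this with settimeout()

    def handle(self) -> None:
        try:
            line = self.rfile.readline()
        except socket.timeout:
            return  # idle client: give up and free the worker
        if line:
            try:
                self.wfile.write(b"OK " + line)
            except OSError:
                pass  # client went away before we answered


class BlockingServer(socketserver.TCPServer):
    """One connection at a time: models the pre-fix registrar behaviour."""
    allow_reuse_address = True


class ThreadedServer(socketserver.ThreadingMixIn, socketserver.TCPServer):
    """A thread per connection: one idle client no longer stalls the accept loop."""
    allow_reuse_address = True
    daemon_threads = True


def second_client_is_served(threaded: bool, wait: float = 0.5) -> bool:
    """Hold one silent connection open, then ask whether a second client is answered
    within `wait` seconds. Returns True when the server still serves it."""
    server_cls = ThreadedServer if threaded else BlockingServer
    with server_cls(("127.0.0.1", 0), LineHandler) as srv:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        addr = srv.server_address
        idle = socket.create_connection(addr)  # connects, then never sends anything
        try:
            with socket.create_connection(addr, timeout=wait) as active:
                active.sendall(b"ping\n")
                try:
                    return active.recv(64).startswith(b"OK ping")
                except socket.timeout:
                    return False
        finally:
            idle.close()
            srv.shutdown()
```

Run `second_client_is_served(threaded=False)` to see the failure the advisory describes (the second client times out while the first sits silent) and `second_client_is_served(threaded=True)` for the corrected design; the per-connection timeout matters in both cases, since a thread-per-connection server with no timeout still accumulates stuck workers.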

CVE-2023-38200: cve-details

A flaw was found in Keylime. Due to its blocking nature, the Keylime registrar is subject to a remote denial of service against its SSL connections. This flaw allows an attacker to exhaust all available connections.