Headline
RHSA-2023:5080: Red Hat Security Advisory: keylime security update
An update for keylime is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2023-38200: A flaw was found in Keylime. Due to their blocking nature, the Keylime registrar is subject to a remote denial of service against its SSL connections. This flaw allows an attacker to exhaust all available connections.
- CVE-2023-38201: A flaw was found in the Keylime registrar that could allow a bypass of the challenge-response protocol during agent registration. This issue may allow an attacker to impersonate an agent and hide the true status of a monitored machine if the fake agent is added to the verifier list by a legitimate user, resulting in a breach of the integrity of the registrar database.
Synopsis
Moderate: keylime security update
Type/Severity
Security Advisory: Moderate
Topic
An update for keylime is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Keylime is a TPM-based, highly scalable remote boot attestation and runtime integrity measurement solution.
Security Fix(es):
- keylime: registrar is subject to a DoS against SSL connections (CVE-2023-38200)
- Keylime: challenge-response protocol bypass during agent registration (CVE-2023-38201)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Affected Products
- Red Hat Enterprise Linux for x86_64 9 x86_64
- Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.2 x86_64
- Red Hat Enterprise Linux Server - AUS 9.2 x86_64
- Red Hat Enterprise Linux for IBM z Systems 9 s390x
- Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.2 s390x
- Red Hat Enterprise Linux for Power, little endian 9 ppc64le
- Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.2 ppc64le
- Red Hat Enterprise Linux for ARM 64 9 aarch64
- Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.2 aarch64
- Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.2 ppc64le
- Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.2 x86_64
- Red Hat Enterprise Linux Server for ARM 64 - 4 years of updates 9.2 aarch64
- Red Hat Enterprise Linux Server for IBM z Systems - 4 years of updates 9.2 s390x
Fixes
- BZ - 2222692 - CVE-2023-38200 keylime: registrar is subject to a DoS against SSL connections
- BZ - 2222693 - CVE-2023-38201 Keylime: challenge-response protocol bypass during agent registration
Red Hat Enterprise Linux for x86_64 9
SRPM
keylime-6.5.2-6.el9_2.src.rpm
SHA-256: d56ed9ac676afc559f5c8e54456247a345e1d6e1db66f0a6fac02710b25061e5
x86_64
keylime-6.5.2-6.el9_2.x86_64.rpm
SHA-256: 46281fa29a7a3a68d3bff02cd62cee15ad3035bb39efbd1d378d0e225eef9e05
keylime-base-6.5.2-6.el9_2.x86_64.rpm
SHA-256: 3b30951cbf5e6b2003664b14366667b03341ea109efdb2349a215e26fd180a07
keylime-registrar-6.5.2-6.el9_2.x86_64.rpm
SHA-256: 409bd9b62135765002121d31a0552dde3a7260d931a90fef42cda52aca04106a
keylime-selinux-6.5.2-6.el9_2.noarch.rpm
SHA-256: 7d30381dcec41faf2c3b29103ac96e361657cc28833a653fd2a61359d37c5e88
keylime-tenant-6.5.2-6.el9_2.x86_64.rpm
SHA-256: d3f093b0255c9557ce589cfcf307bc850b4aeb62f1967605450a70bf13040bc0
keylime-verifier-6.5.2-6.el9_2.x86_64.rpm
SHA-256: 24db7b05ad84e1860859cc692e76132bd476b549d448e147f1db4ed51c450d71
python3-keylime-6.5.2-6.el9_2.x86_64.rpm
SHA-256: 76d842dff47d48aecc329d98c73a31f2eb5aca29a46f8778738c61ab65cf830e
Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.2
SRPM
keylime-6.5.2-6.el9_2.src.rpm
SHA-256: d56ed9ac676afc559f5c8e54456247a345e1d6e1db66f0a6fac02710b25061e5
x86_64
keylime-6.5.2-6.el9_2.x86_64.rpm
SHA-256: 46281fa29a7a3a68d3bff02cd62cee15ad3035bb39efbd1d378d0e225eef9e05
keylime-base-6.5.2-6.el9_2.x86_64.rpm
SHA-256: 3b30951cbf5e6b2003664b14366667b03341ea109efdb2349a215e26fd180a07
keylime-registrar-6.5.2-6.el9_2.x86_64.rpm
SHA-256: 409bd9b62135765002121d31a0552dde3a7260d931a90fef42cda52aca04106a
keylime-selinux-6.5.2-6.el9_2.noarch.rpm
SHA-256: 7d30381dcec41faf2c3b29103ac96e361657cc28833a653fd2a61359d37c5e88
keylime-tenant-6.5.2-6.el9_2.x86_64.rpm
SHA-256: d3f093b0255c9557ce589cfcf307bc850b4aeb62f1967605450a70bf13040bc0
keylime-verifier-6.5.2-6.el9_2.x86_64.rpm
SHA-256: 24db7b05ad84e1860859cc692e76132bd476b549d448e147f1db4ed51c450d71
python3-keylime-6.5.2-6.el9_2.x86_64.rpm
SHA-256: 76d842dff47d48aecc329d98c73a31f2eb5aca29a46f8778738c61ab65cf830e
Red Hat Enterprise Linux Server - AUS 9.2
SRPM
keylime-6.5.2-6.el9_2.src.rpm
SHA-256: d56ed9ac676afc559f5c8e54456247a345e1d6e1db66f0a6fac02710b25061e5
x86_64
keylime-6.5.2-6.el9_2.x86_64.rpm
SHA-256: 46281fa29a7a3a68d3bff02cd62cee15ad3035bb39efbd1d378d0e225eef9e05
keylime-base-6.5.2-6.el9_2.x86_64.rpm
SHA-256: 3b30951cbf5e6b2003664b14366667b03341ea109efdb2349a215e26fd180a07
keylime-registrar-6.5.2-6.el9_2.x86_64.rpm
SHA-256: 409bd9b62135765002121d31a0552dde3a7260d931a90fef42cda52aca04106a
keylime-selinux-6.5.2-6.el9_2.noarch.rpm
SHA-256: 7d30381dcec41faf2c3b29103ac96e361657cc28833a653fd2a61359d37c5e88
keylime-tenant-6.5.2-6.el9_2.x86_64.rpm
SHA-256: d3f093b0255c9557ce589cfcf307bc850b4aeb62f1967605450a70bf13040bc0
keylime-verifier-6.5.2-6.el9_2.x86_64.rpm
SHA-256: 24db7b05ad84e1860859cc692e76132bd476b549d448e147f1db4ed51c450d71
python3-keylime-6.5.2-6.el9_2.x86_64.rpm
SHA-256: 76d842dff47d48aecc329d98c73a31f2eb5aca29a46f8778738c61ab65cf830e
Red Hat Enterprise Linux for IBM z Systems 9
SRPM
keylime-6.5.2-6.el9_2.src.rpm
SHA-256: d56ed9ac676afc559f5c8e54456247a345e1d6e1db66f0a6fac02710b25061e5
s390x
keylime-6.5.2-6.el9_2.s390x.rpm
SHA-256: 436b8b9cdfd91b145f35c2c9a9da78be3ef778d16792b0a0a877184bba1a9331
keylime-base-6.5.2-6.el9_2.s390x.rpm
SHA-256: 7de6f322b19bd2a0e4463209a03f56cbfb55b6396376edceda25f7c12f08adf5
keylime-registrar-6.5.2-6.el9_2.s390x.rpm
SHA-256: 8c6014ab3706df42f74107063c4af512b6df8ade72ebda266cf996b33f238824
keylime-selinux-6.5.2-6.el9_2.noarch.rpm
SHA-256: 7d30381dcec41faf2c3b29103ac96e361657cc28833a653fd2a61359d37c5e88
keylime-tenant-6.5.2-6.el9_2.s390x.rpm
SHA-256: 4016103f3caefed41f33e948cd2d242e3a58e75f2b3420c013f349db7e9e9aa1
keylime-verifier-6.5.2-6.el9_2.s390x.rpm
SHA-256: 9b06e51824fea9550eeea2362be5be30c1c305d079996a3e781a49db792e0d06
python3-keylime-6.5.2-6.el9_2.s390x.rpm
SHA-256: 58084c37eb1568b93223c0782b8a03a6f65db92f00c290a3ea517249fe1b4970
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.2
SRPM
keylime-6.5.2-6.el9_2.src.rpm
SHA-256: d56ed9ac676afc559f5c8e54456247a345e1d6e1db66f0a6fac02710b25061e5
s390x
keylime-6.5.2-6.el9_2.s390x.rpm
SHA-256: 436b8b9cdfd91b145f35c2c9a9da78be3ef778d16792b0a0a877184bba1a9331
keylime-base-6.5.2-6.el9_2.s390x.rpm
SHA-256: 7de6f322b19bd2a0e4463209a03f56cbfb55b6396376edceda25f7c12f08adf5
keylime-registrar-6.5.2-6.el9_2.s390x.rpm
SHA-256: 8c6014ab3706df42f74107063c4af512b6df8ade72ebda266cf996b33f238824
keylime-selinux-6.5.2-6.el9_2.noarch.rpm
SHA-256: 7d30381dcec41faf2c3b29103ac96e361657cc28833a653fd2a61359d37c5e88
keylime-tenant-6.5.2-6.el9_2.s390x.rpm
SHA-256: 4016103f3caefed41f33e948cd2d242e3a58e75f2b3420c013f349db7e9e9aa1
keylime-verifier-6.5.2-6.el9_2.s390x.rpm
SHA-256: 9b06e51824fea9550eeea2362be5be30c1c305d079996a3e781a49db792e0d06
python3-keylime-6.5.2-6.el9_2.s390x.rpm
SHA-256: 58084c37eb1568b93223c0782b8a03a6f65db92f00c290a3ea517249fe1b4970
Red Hat Enterprise Linux for Power, little endian 9
SRPM
keylime-6.5.2-6.el9_2.src.rpm
SHA-256: d56ed9ac676afc559f5c8e54456247a345e1d6e1db66f0a6fac02710b25061e5
ppc64le
keylime-6.5.2-6.el9_2.ppc64le.rpm
SHA-256: d6d7ace6f1707e8bf2216dc431cb344572ed4edae760587f8ed4c9f837878c66
keylime-base-6.5.2-6.el9_2.ppc64le.rpm
SHA-256: 84379879bde0d436094e56f874cc53a0423a7cf3a0ab5917b3e631b5675cfe6e
keylime-registrar-6.5.2-6.el9_2.ppc64le.rpm
SHA-256: fa6b89ea6818d50aa2d57fd7a1ce04452a894018447181a643aec5d8d7139e66
keylime-selinux-6.5.2-6.el9_2.noarch.rpm
SHA-256: 7d30381dcec41faf2c3b29103ac96e361657cc28833a653fd2a61359d37c5e88
keylime-tenant-6.5.2-6.el9_2.ppc64le.rpm
SHA-256: 85f657732db64db0d78e16de760fc782bb4449ad708c4d07a0fed6bb194d85a5
keylime-verifier-6.5.2-6.el9_2.ppc64le.rpm
SHA-256: ca674249611ff663785eccf6dab21abaf1e3a7f5a76ddc64a5a2a4ee70d52e64
python3-keylime-6.5.2-6.el9_2.ppc64le.rpm
SHA-256: ea3a62466a27ad70a1dc480c1815d39153b95ec3e9f24829b7a7144c6b0cc788
Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.2
SRPM
keylime-6.5.2-6.el9_2.src.rpm
SHA-256: d56ed9ac676afc559f5c8e54456247a345e1d6e1db66f0a6fac02710b25061e5
ppc64le
keylime-6.5.2-6.el9_2.ppc64le.rpm
SHA-256: d6d7ace6f1707e8bf2216dc431cb344572ed4edae760587f8ed4c9f837878c66
keylime-base-6.5.2-6.el9_2.ppc64le.rpm
SHA-256: 84379879bde0d436094e56f874cc53a0423a7cf3a0ab5917b3e631b5675cfe6e
keylime-registrar-6.5.2-6.el9_2.ppc64le.rpm
SHA-256: fa6b89ea6818d50aa2d57fd7a1ce04452a894018447181a643aec5d8d7139e66
keylime-selinux-6.5.2-6.el9_2.noarch.rpm
SHA-256: 7d30381dcec41faf2c3b29103ac96e361657cc28833a653fd2a61359d37c5e88
keylime-tenant-6.5.2-6.el9_2.ppc64le.rpm
SHA-256: 85f657732db64db0d78e16de760fc782bb4449ad708c4d07a0fed6bb194d85a5
keylime-verifier-6.5.2-6.el9_2.ppc64le.rpm
SHA-256: ca674249611ff663785eccf6dab21abaf1e3a7f5a76ddc64a5a2a4ee70d52e64
python3-keylime-6.5.2-6.el9_2.ppc64le.rpm
SHA-256: ea3a62466a27ad70a1dc480c1815d39153b95ec3e9f24829b7a7144c6b0cc788
Red Hat Enterprise Linux for ARM 64 9
SRPM
keylime-6.5.2-6.el9_2.src.rpm
SHA-256: d56ed9ac676afc559f5c8e54456247a345e1d6e1db66f0a6fac02710b25061e5
aarch64
keylime-6.5.2-6.el9_2.aarch64.rpm
SHA-256: 58be3e060f66d39c308e33fcd135b0410f3a18046af841c1dc8884652d810458
keylime-base-6.5.2-6.el9_2.aarch64.rpm
SHA-256: 3dcd301132ab59bd52a509cfeb7f93bf6b1179abd2e670b30a26a6ccf7dd5346
keylime-registrar-6.5.2-6.el9_2.aarch64.rpm
SHA-256: ec7f8aad4f235165602fe811c5a38c40db4762958ec6f3ae26005470dcf80d44
keylime-selinux-6.5.2-6.el9_2.noarch.rpm
SHA-256: 7d30381dcec41faf2c3b29103ac96e361657cc28833a653fd2a61359d37c5e88
keylime-tenant-6.5.2-6.el9_2.aarch64.rpm
SHA-256: ab01c92f68bfa2cae99caee5803569a9474e13851a38b2b79c5c33c2e679813a
keylime-verifier-6.5.2-6.el9_2.aarch64.rpm
SHA-256: 439462ab8152a344f5931351f93969b40a0aeab9ff06baafd4e7818c367c2cfa
python3-keylime-6.5.2-6.el9_2.aarch64.rpm
SHA-256: 4c230f80e617d3f31a2f2a635c9e39d62ac2760b53a9f7bf9b1086158feeab30
Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.2
SRPM
keylime-6.5.2-6.el9_2.src.rpm
SHA-256: d56ed9ac676afc559f5c8e54456247a345e1d6e1db66f0a6fac02710b25061e5
aarch64
keylime-6.5.2-6.el9_2.aarch64.rpm
SHA-256: 58be3e060f66d39c308e33fcd135b0410f3a18046af841c1dc8884652d810458
keylime-base-6.5.2-6.el9_2.aarch64.rpm
SHA-256: 3dcd301132ab59bd52a509cfeb7f93bf6b1179abd2e670b30a26a6ccf7dd5346
keylime-registrar-6.5.2-6.el9_2.aarch64.rpm
SHA-256: ec7f8aad4f235165602fe811c5a38c40db4762958ec6f3ae26005470dcf80d44
keylime-selinux-6.5.2-6.el9_2.noarch.rpm
SHA-256: 7d30381dcec41faf2c3b29103ac96e361657cc28833a653fd2a61359d37c5e88
keylime-tenant-6.5.2-6.el9_2.aarch64.rpm
SHA-256: ab01c92f68bfa2cae99caee5803569a9474e13851a38b2b79c5c33c2e679813a
keylime-verifier-6.5.2-6.el9_2.aarch64.rpm
SHA-256: 439462ab8152a344f5931351f93969b40a0aeab9ff06baafd4e7818c367c2cfa
python3-keylime-6.5.2-6.el9_2.aarch64.rpm
SHA-256: 4c230f80e617d3f31a2f2a635c9e39d62ac2760b53a9f7bf9b1086158feeab30
Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.2
SRPM
keylime-6.5.2-6.el9_2.src.rpm
SHA-256: d56ed9ac676afc559f5c8e54456247a345e1d6e1db66f0a6fac02710b25061e5
ppc64le
keylime-6.5.2-6.el9_2.ppc64le.rpm
SHA-256: d6d7ace6f1707e8bf2216dc431cb344572ed4edae760587f8ed4c9f837878c66
keylime-base-6.5.2-6.el9_2.ppc64le.rpm
SHA-256: 84379879bde0d436094e56f874cc53a0423a7cf3a0ab5917b3e631b5675cfe6e
keylime-registrar-6.5.2-6.el9_2.ppc64le.rpm
SHA-256: fa6b89ea6818d50aa2d57fd7a1ce04452a894018447181a643aec5d8d7139e66
keylime-selinux-6.5.2-6.el9_2.noarch.rpm
SHA-256: 7d30381dcec41faf2c3b29103ac96e361657cc28833a653fd2a61359d37c5e88
keylime-tenant-6.5.2-6.el9_2.ppc64le.rpm
SHA-256: 85f657732db64db0d78e16de760fc782bb4449ad708c4d07a0fed6bb194d85a5
keylime-verifier-6.5.2-6.el9_2.ppc64le.rpm
SHA-256: ca674249611ff663785eccf6dab21abaf1e3a7f5a76ddc64a5a2a4ee70d52e64
python3-keylime-6.5.2-6.el9_2.ppc64le.rpm
SHA-256: ea3a62466a27ad70a1dc480c1815d39153b95ec3e9f24829b7a7144c6b0cc788
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.2
SRPM
keylime-6.5.2-6.el9_2.src.rpm
SHA-256: d56ed9ac676afc559f5c8e54456247a345e1d6e1db66f0a6fac02710b25061e5
x86_64
keylime-6.5.2-6.el9_2.x86_64.rpm
SHA-256: 46281fa29a7a3a68d3bff02cd62cee15ad3035bb39efbd1d378d0e225eef9e05
keylime-base-6.5.2-6.el9_2.x86_64.rpm
SHA-256: 3b30951cbf5e6b2003664b14366667b03341ea109efdb2349a215e26fd180a07
keylime-registrar-6.5.2-6.el9_2.x86_64.rpm
SHA-256: 409bd9b62135765002121d31a0552dde3a7260d931a90fef42cda52aca04106a
keylime-selinux-6.5.2-6.el9_2.noarch.rpm
SHA-256: 7d30381dcec41faf2c3b29103ac96e361657cc28833a653fd2a61359d37c5e88
keylime-tenant-6.5.2-6.el9_2.x86_64.rpm
SHA-256: d3f093b0255c9557ce589cfcf307bc850b4aeb62f1967605450a70bf13040bc0
keylime-verifier-6.5.2-6.el9_2.x86_64.rpm
SHA-256: 24db7b05ad84e1860859cc692e76132bd476b549d448e147f1db4ed51c450d71
python3-keylime-6.5.2-6.el9_2.x86_64.rpm
SHA-256: 76d842dff47d48aecc329d98c73a31f2eb5aca29a46f8778738c61ab65cf830e
Red Hat Enterprise Linux Server for ARM 64 - 4 years of updates 9.2
SRPM
keylime-6.5.2-6.el9_2.src.rpm
SHA-256: d56ed9ac676afc559f5c8e54456247a345e1d6e1db66f0a6fac02710b25061e5
aarch64
keylime-6.5.2-6.el9_2.aarch64.rpm
SHA-256: 58be3e060f66d39c308e33fcd135b0410f3a18046af841c1dc8884652d810458
keylime-base-6.5.2-6.el9_2.aarch64.rpm
SHA-256: 3dcd301132ab59bd52a509cfeb7f93bf6b1179abd2e670b30a26a6ccf7dd5346
keylime-registrar-6.5.2-6.el9_2.aarch64.rpm
SHA-256: ec7f8aad4f235165602fe811c5a38c40db4762958ec6f3ae26005470dcf80d44
keylime-selinux-6.5.2-6.el9_2.noarch.rpm
SHA-256: 7d30381dcec41faf2c3b29103ac96e361657cc28833a653fd2a61359d37c5e88
keylime-tenant-6.5.2-6.el9_2.aarch64.rpm
SHA-256: ab01c92f68bfa2cae99caee5803569a9474e13851a38b2b79c5c33c2e679813a
keylime-verifier-6.5.2-6.el9_2.aarch64.rpm
SHA-256: 439462ab8152a344f5931351f93969b40a0aeab9ff06baafd4e7818c367c2cfa
python3-keylime-6.5.2-6.el9_2.aarch64.rpm
SHA-256: 4c230f80e617d3f31a2f2a635c9e39d62ac2760b53a9f7bf9b1086158feeab30
Red Hat Enterprise Linux Server for IBM z Systems - 4 years of updates 9.2
SRPM
keylime-6.5.2-6.el9_2.src.rpm
SHA-256: d56ed9ac676afc559f5c8e54456247a345e1d6e1db66f0a6fac02710b25061e5
s390x
keylime-6.5.2-6.el9_2.s390x.rpm
SHA-256: 436b8b9cdfd91b145f35c2c9a9da78be3ef778d16792b0a0a877184bba1a9331
keylime-base-6.5.2-6.el9_2.s390x.rpm
SHA-256: 7de6f322b19bd2a0e4463209a03f56cbfb55b6396376edceda25f7c12f08adf5
keylime-registrar-6.5.2-6.el9_2.s390x.rpm
SHA-256: 8c6014ab3706df42f74107063c4af512b6df8ade72ebda266cf996b33f238824
keylime-selinux-6.5.2-6.el9_2.noarch.rpm
SHA-256: 7d30381dcec41faf2c3b29103ac96e361657cc28833a653fd2a61359d37c5e88
keylime-tenant-6.5.2-6.el9_2.s390x.rpm
SHA-256: 4016103f3caefed41f33e948cd2d242e3a58e75f2b3420c013f349db7e9e9aa1
keylime-verifier-6.5.2-6.el9_2.s390x.rpm
SHA-256: 9b06e51824fea9550eeea2362be5be30c1c305d079996a3e781a49db792e0d06
python3-keylime-6.5.2-6.el9_2.s390x.rpm
SHA-256: 58084c37eb1568b93223c0782b8a03a6f65db92f00c290a3ea517249fe1b4970
Related news
Red Hat Security Advisory 2023-5080-01 - Keylime is a TPM-based, highly scalable remote boot attestation and runtime integrity measurement solution. Issues addressed include bypass and denial of service vulnerabilities.
Impact
A security issue was found in the Keylime `registrar` code which allows an attacker to effectively bypass the challenge-response protocol used to verify that an `agent` indeed has access to an AIK which is indeed related to the EK. When an `agent` starts up, it will contact a `registrar` and provide a public EK and public AIK, in addition to the EK Certificate. This `registrar` will then challenge the `agent` to decrypt a challenge encrypted with the EK. When receiving the wrong "auth_tag" back from the `agent` during activation, the `registrar` answers with an error message that contains the expected correct "auth_tag" (an HMAC which is calculated within the `registrar` for checking). An attacker could simply record the correct expected "auth_tag" from the HTTP error message and perform the activate call again with the correct expected "auth_tag" for the `agent`. The security issue allows an attacker to pass the challenge-response protocol during registration with (alm...
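The flaw described above is easiest to see as code. The following is an added example written for this page, not code from Keylime or Red Hat: a toy model of the registrar's activation step whose leaky form echoes the expected auth_tag in its error body and whose hardened form returns a generic error, compares in constant time and retires the challenge after a failed attempt. The function names, the in-memory challenge store, the 32-byte challenge and the SHA-384 HMAC over the agent id are assumptions of the example; the real protocol delivers the challenge wrapped to the agent's EK via the TPM, which is left out here.

```python
"""Added example, not Keylime's code: a minimal model of registrar activation.
`activate_leaky` has the shape of the flaw (the error echoes the expected tag);
`activate_hardened` does not. Names, lengths and the HMAC hash are assumptions."""
import hashlib
import hmac
import secrets

# Constructed in-memory store of challenges handed out to agents that have
# not yet activated: agent_id -> challenge key.
pending_challenges: dict[str, bytes] = {}


def issue_challenge(agent_id: str) -> bytes:
    """Registrar side: create a fresh secret for one agent. In the real
    protocol this secret is wrapped to the agent's EK (TPM2 MakeCredential)
    so only a TPM holding that EK and AIK can recover it; here it is only
    generated and remembered."""
    key = secrets.token_bytes(32)
    pending_challenges[agent_id] = key
    return key


def compute_auth_tag(key: bytes, agent_id: str) -> str:
    """The proof the agent sends back: an HMAC over its own id under the
    recovered challenge key. Both sides compute it the same way."""
    return hmac.new(key, agent_id.encode(), hashlib.sha384).hexdigest()


def activate_leaky(agent_id: str, auth_tag: str) -> tuple[int, str]:
    """Shape of the vulnerable check: a wrong tag is rejected, but the
    response body carries the registrar's own expected value."""
    key = pending_challenges.get(agent_id)
    if key is None:
        return 404, "no pending registration"
    expected = compute_auth_tag(key, agent_id)
    if auth_tag != expected:  # plain comparison, also not constant-time
        return 400, f"auth_tag {auth_tag} does not match expected {expected}"
    del pending_challenges[agent_id]
    return 200, "agent activated"


def activate_hardened(agent_id: str, auth_tag: str) -> tuple[int, str]:
    """Hardened check: generic error text, constant-time comparison, and the
    challenge is retired after one failed attempt so the same secret cannot
    be retried (the single-use rule is a design choice of this example)."""
    key = pending_challenges.pop(agent_id, None)
    if key is None:
        return 404, "no pending registration"
    expected = compute_auth_tag(key, agent_id)
    if not hmac.compare_digest(auth_tag.encode(), expected.encode()):
        return 400, "auth_tag does not match"
    return 200, "agent activated"


def leaks_expected_tag(agent_id: str, status: int, body: str) -> bool:
    """Review helper: does a non-success response body contain the tag the
    registrar itself would accept for the still-pending challenge?"""
    key = pending_challenges.get(agent_id)
    return status != 200 and key is not None and compute_auth_tag(key, agent_id) in body


if __name__ == "__main__":
    for activate in (activate_leaky, activate_hardened):
        key = issue_challenge("demo-agent")
        status, body = activate("demo-agent", "00" * 48)
        print(activate.__name__, status, body,
              "LEAKS" if leaks_expected_tag("demo-agent", status, body) else "ok")
        pending_challenges.pop("demo-agent", None)
```

The trade-off of retiring a challenge on the first failed attempt is that a legitimate agent which miscomputes its tag has to start registration again with a fresh challenge; that is the intended outcome, since the registrar database should only ever hold agents that proved EK/AIK possession in a single exchange.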
Impact
Keylime `registrar` is prone to a simple denial of service attack in which an adversary opens a connection to the TLS port (by default, port `8891`) blocking further, legitimate connections. As long as the connection is open, the `registrar` is blocked and cannot serve any further clients (`agents` and `tenants`), which prevents normal operation. The problem does not affect the `verifier`.
Patches
Users should upgrade to release 7.4.0
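The blocking behaviour described above, and the shape of a fix, as an added example that is not Keylime's code: a plain-TCP stand-in for the registrar listener with one server class that serves a single connection at a time with no deadline, and one that gives every connection its own thread and an idle timeout. TLS is left out and a client that connects but never sends anything stands in for a connection that never completes its request; the timeout value, the one-line request/reply protocol and the class names are constructed for the example.

```python
"""Added example, not Keylime's code: a plain-TCP stand-in for the registrar
listener in the blocking shape described above and in a hardened shape."""
import socket
import socketserver
import threading

IDLE_TIMEOUT = 0.3  # constructed: seconds a client may stay silent before it is dropped


class RegistrarHandler(socketserver.BaseRequestHandler):
    """Read one request and answer it; give up on clients that stay silent."""

    def handle(self):
        # Per-connection deadline (None on the blocking server): a client that
        # never sends its request is disconnected instead of holding the
        # worker forever.
        self.request.settimeout(self.server.idle_timeout)
        try:
            data = self.request.recv(1024)
        except socket.timeout:
            return
        if data:
            self.request.sendall(b"ok\n")


class BlockingRegistrar(socketserver.TCPServer):
    """Vulnerable shape: one connection at a time and no deadline, so a
    single silent client stalls everyone queued behind it."""
    allow_reuse_address = True
    idle_timeout = None


class HardenedRegistrar(socketserver.ThreadingTCPServer):
    """Hardened shape: every connection gets its own thread and a deadline."""
    allow_reuse_address = True
    daemon_threads = True
    idle_timeout = IDLE_TIMEOUT


def simulate(server_cls, idle_clients=3, wait=1.0):
    """Open `idle_clients` connections that never send anything, then make
    one real request. Returns the reply the real client received, or b""
    if it was still waiting after `wait` seconds."""
    server = server_cls(("127.0.0.1", 0), RegistrarHandler)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    addr = server.server_address
    idle = [socket.create_connection(addr) for _ in range(idle_clients)]
    legit = socket.create_connection(addr)
    legit.settimeout(wait)
    legit.sendall(b"register\n")
    try:
        reply = legit.recv(16)
    except socket.timeout:
        reply = b""
    # Release the silent clients so the blocking server can finish and stop.
    for s in idle:
        s.close()
    server.shutdown()
    server.server_close()
    legit.close()
    return reply


if __name__ == "__main__":
    print("blocking server, real client got:", simulate(BlockingRegistrar))
    print("hardened server, real client got:", simulate(HardenedRegistrar))
```

Against the blocking server the real client gets no reply while the silent connections are open; against the hardened server it is answered immediately and the silent connections are dropped after the deadline. A deadline alone is not sufficient in the single-threaded shape, since each silent client still costs the whole timeout before the next queued client is served, which is why the hardened class combines the two.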