CVE-2021-3565 - log

CVE-2021-3565 edited at 21 Jun 2021 15:51:32
References
https://bugzilla.redhat.com/show_bug.cgi?id=1964427
https://github.com/tpm2-software/tpm2-tools/issues/2738
https://github.com/tpm2-software/tpm2-tools/pull/2739
- https://github.com/tpm2-software/tpm2-tools/commit/c069e4f179d5e6653a84fb236816c375dca82515
+ https://github.com/tpm2-software/tpm2-tools/commit/47b3b6e6fffed7080a2f1ce7673207ea44823ef7
CVE-2021-3565 edited at 04 Jun 2021 14:49:29
Description
- During the tpm2_import command invocation a fixed AES wrapping key is used. This presents a weakness in that, when no encrypted session with the TPM is used, the encrypted inner wrapper key is known and thus an entity performing a man-in-the-middle (MITM) attack on the TPM would be able to unwrap the inner portion and reveal the key being imported.
+ A security issue was found in tpm2-tools before version 5.1.1. tpm2_import used a fixed AES key for the inner wrapper, potentially allowing a man-in-the-middle (MITM) attacker to unwrap the inner portion and reveal the key being imported.
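Review bot: the replacement description on the `+` line drops the precondition the removed text stated, namely that the inner wrapper key is only exposed "when no encrypted session with the TPM is used", and it no longer says the man-in-the-middle position is on the TPM. Suggest keeping both points next to the new "before version 5.1.1" wording, so the entry still tells readers which setups are affected and stays consistent with the Low severity recorded for this CVE.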
CVE-2021-3565 edited at 25 May 2021 21:56:45
References
https://bugzilla.redhat.com/show_bug.cgi?id=1964427
https://github.com/tpm2-software/tpm2-tools/issues/2738
https://github.com/tpm2-software/tpm2-tools/pull/2739
+ https://github.com/tpm2-software/tpm2-tools/commit/c069e4f179d5e6653a84fb236816c375dca82515
CVE-2021-3565 edited at 25 May 2021 14:01:23
References
https://bugzilla.redhat.com/show_bug.cgi?id=1964427
+ https://github.com/tpm2-software/tpm2-tools/issues/2738
https://github.com/tpm2-software/tpm2-tools/pull/2739
CVE-2021-3565 edited at 25 May 2021 13:57:36
References
https://bugzilla.redhat.com/show_bug.cgi?id=1964427
- https://github.com/tpm2-software/tpm2-tools/blob/5.1/tools/tpm2_import.c#L121
+ https://github.com/tpm2-software/tpm2-tools/pull/2739
CVE-2021-3565 edited at 25 May 2021 13:56:07
Severity
- Unknown
+ Low
Remote
- Unknown
+ Local
Type
- Unknown
+ Man-in-the-middle
Description
+ During the tpm2_import command invocation a fixed AES wrapping key is used. This presents a weakness in that, when no encrypted session with the TPM is used, the encrypted inner wrapper key is known and thus an entity performing a man-in-the-middle (MITM) attack on the TPM would be able to unwrap the inner portion and reveal the key being imported.
References
+ https://bugzilla.redhat.com/show_bug.cgi?id=1964427
+ https://github.com/tpm2-software/tpm2-tools/blob/5.1/tools/tpm2_import.c#L121
Notes
CVE-2021-3565 created at 25 May 2021 13:54:35