Cas Cremers

**Name of the Vulnerable Software and Affected Versions** libspdm versions 1.0 through 2.3 **Description** A vulnerability has been identified in SPDM session establishment in libspdm. If a device supports both DHE session and PSK session with mutual authentication, an attacker may be able to establish the session with `KEY EXCHANGE` and `PSK FINISH` to bypass the mutual authentication. This issue only impacts the SPDM responder, which supports `KEY EX CAP=1` and `PSK CAP=10b` at the same time with mutual authentication requirement. The SPDM responder is not impacted if `KEY EX CAP=0` or `PSK CAP=0` or `PSK CAP=01b`, or if mutual authentication is not required. **Recommendations** For libspdm versions 1.0 through 2.3, update to version 2.3.1 or later to resolve the issue. As a temporary workaround, consider disabling the `KEY EXCHANGE` and `PSK FINISH` functions until a patch is available. Restrict access to the SPDM responder to minimize the risk of exploitation. Avoid using the `KEY EX CAP` and `PSK CAP` parameters in the affected SPDM sessions until the issue is resolved.