Flozilla

**Name of the Vulnerable Software and Affected Versions** Keylime versions prior to 7.5.0 **Description** A flaw was found in the Keylime registrar that could allow a bypass of the challenge-response protocol during agent registration. This issue may allow an attacker to impersonate an agent and hide the true status of a monitored machine if the fake agent is added to the verifier list by a legitimate user, resulting in a breach of the integrity of the registrar database. The security issue allows an attacker to pass the challenge-response protocol during registration with arbitrary registration data, including a valid EK Certificate and EK, while using a compromised AIK. The attacker can deliberately fail the initial activation call to get to know the correct `auth tag` and then provide it in a subsequent activation call, resulting in an agent which is incorrectly registered with a valid EK Certificate, but with a compromised/unrelated AIK. **Recommendations** For versions prior to 7.5.0, users should upgrade to release 7.5.0 to resolve the issue. As a temporary workaround, consider restricting access to the registrar to minimize the risk of exploitation. Avoid using compromised AIKs in the registration process until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Keylime versions prior to 7.4.0 **Description** A flaw was found in Keylime due to its blocking nature, making the Keylime registrar subject to a remote denial of service against its SSL connections. This allows an attacker to exhaust all available connections, preventing normal operation. The issue affects the `registrar` component, blocking further legitimate connections, but does not affect the `verifier`. The problem can be exploited by opening a connection to the TLS port, by default port `8891`, which blocks the `registrar` and prevents it from serving clients, including `agents` and `tenants`. **Recommendations** For versions prior to 7.4.0, users should upgrade to release 7.4.0 to resolve the issue. As a temporary workaround, consider restricting access to the TLS port, by default port `8891`, to minimize the risk of exploitation. Additionally, users can consider disabling the `registrar` component until the upgrade is applied.

**Name of the Vulnerable Software and Affected Versions** Squid versions prior to 4.4 **Description** The issue is related to a memory leak that can be triggered via an SNMP packet when SNMP is enabled. This can lead to a denial of service. The vulnerability is associated with the lack of resource release after its valid expiration, which can be exploited by a remote attacker to cause a service disruption. **Recommendations** For Squid versions prior to 4.4, consider disabling SNMP until a patch is available to prevent potential exploitation. Restrict access to SNMP functionality to minimize the risk of denial of service attacks.