PT-2023-26334 · Keylime+3

Florian Kohnhäuser +1 · Published 2023-08-25 · Updated 2024-09-16 · CVE-2023-38201

CVSS v4.0: 8.7 High

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Keylime versions prior to 7.5.0

Description

A flaw was found in the Keylime registrar that could allow a bypass of the challenge-response protocol during agent registration. This issue may allow an attacker to impersonate an agent and hide the true status of a monitored machine if the fake agent is added to the verifier list by a legitimate user, resulting in a breach of the integrity of the registrar database. The flaw lets an attacker pass the challenge-response protocol during registration with arbitrary registration data, including a valid EK Certificate and EK, while using a compromised AIK. The attacker can deliberately fail the initial activation call to learn the correct auth tag and then provide it in a subsequent activation call. The result is an agent that is incorrectly registered with a valid EK Certificate but with a compromised or unrelated AIK.

Recommendations

For versions prior to 7.5.0, users should upgrade to release 7.5.0 to resolve the issue. As a temporary workaround, consider restricting access to the registrar to minimize the risk of exploitation. Avoid using compromised AIKs in the registration process until the issue is resolved.

Fix

IDOR

Weakness Enumeration

Related Identifiers

ALSA-2023:5080
CVE-2023-38201
GHSA-F4R5-Q63F-GCWW
OPENSUSE-SU-2023_3525-1
OPENSUSE-SU-2024:13287-1
PYSEC-2023-160
RHSA-2023:5080
RHSA-2023_5080
SUSE-SU-2023:3525-1
SUSE-SU-2023_3525-1

Affected Products

AlmaLinux
Keylime
Red Hat
SUSE