PT-2023-28892 · Eve Os · Eve Os
Ilay Levi · Published 2023-09-20 · Updated 2026-03-03 · CVE-2023-43636
CVSS v3.1: 8.8 High
Vector: AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
EVE OS versions 9.0.0 and earlier
Description
The "measured boot" mechanism in EVE OS is designed to prevent a compromised device from accessing the encrypted data located in the vault. However, this mechanism does not validate the entire rootfs, allowing an attacker to edit the filesystem and gain control over the system. The default filesystem used by EVE OS is squashfs, which makes it somewhat harder for an attacker to make changes compared to an ext4 filesystem. Nevertheless, an attacker can repackage the squashfs with their changes and replace the partition altogether, potentially using the "mksquashfs" and "unsquashfs" binaries available in the "003-storage-init" container. This can be done directly on the device. Because the PCR values do not change, the "measured boot" mechanism is not triggered, and the attacker gains full control over the device with full access to the vault.
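The coverage gap described above, modelled as an added example (not EVE OS code): a simplified TPM-style PCR extend over constructed byte strings, showing that a sealing policy only protects what is actually measured. The component names, their contents and the single-PCR layout are assumptions made for illustration.

```python
import hashlib

PCR_SIZE = 32  # size of a PCR in the SHA-256 bank

def extend(pcr: bytes, data: bytes) -> bytes:
    """TPM-style extend: new = SHA256(old || SHA256(data))."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()

def measure(components: dict, measured: list) -> bytes:
    """Fold only the listed components into one PCR, in order."""
    pcr = bytes(PCR_SIZE)
    for name in measured:
        pcr = extend(pcr, components[name])
    return pcr

def vault_unseals(expected: bytes, components: dict, measured: list) -> bool:
    """Model of sealing: the vault key is released only if the PCR matches."""
    return measure(components, measured) == expected

def unmeasured(components: dict, measured: list) -> list:
    """Audit helper: boot inputs that can change without moving the PCR."""
    return sorted(set(components) - set(measured))

# Constructed stand-ins for boot components (not real EVE OS images).
GOLDEN = {
    "bootloader": b"bootloader-v1",
    "kernel": b"kernel-v1",
    "rootfs": b"squashfs-image-original",
}
MODIFIED = dict(GOLDEN, rootfs=b"squashfs-image-repacked")

PARTIAL = ["bootloader", "kernel"]         # rootfs left out of the measurement
FULL = ["bootloader", "kernel", "rootfs"]  # rootfs included

def demo() -> dict:
    """Seal against the golden state, then boot the modified rootfs."""
    return {
        "partial_modified": vault_unseals(measure(GOLDEN, PARTIAL), MODIFIED, PARTIAL),
        "full_modified": vault_unseals(measure(GOLDEN, FULL), MODIFIED, FULL),
        "full_clean": vault_unseals(measure(GOLDEN, FULL), GOLDEN, FULL),
        "gap": unmeasured(GOLDEN, PARTIAL),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Running `unmeasured` against a device's real list of boot inputs and measured objects is the review step that surfaces this class of gap before deployment.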
Recommendations
For EVE OS version 9.0.0 and earlier, consider applying the commits that add the config partition measurement to PCR13, specifically aa3501d6c57206ced222c33aea15a9169d629141 and 5fef4d92e75838cc78010edaed5247dfbdae1889, to partially fix the issue. As a temporary workaround, restrict access to the "003-storage-init" container and the "mksquashfs" and "unsquashfs" binaries to minimize the risk of exploitation.
Fix
Insufficient Verification of Data Authenticity
Weakness Enumeration
Related Identifiers
Affected Products
Eve Os