PT-2023-5348 · Libspdm · Libspdm

Alexander Dax +2 · Published 2023-05-08 · Updated 2023-05-15 · CVE-2023-31127

CVSS v3.1: 9.0 Critical
Vector: AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: libspdm versions 1.0 through 2.3
Description: A vulnerability has been identified in SPDM session establishment in libspdm. If a device supports both DHE sessions and PSK sessions with mutual authentication, an attacker may be able to establish a session with KEY_EXCHANGE followed by PSK_FINISH and so bypass the mutual authentication. This issue only affects an SPDM responder that supports KEY_EX_CAP=1 and PSK_CAP=10b at the same time and requires mutual authentication. The SPDM responder is not affected if KEY_EX_CAP=0, PSK_CAP=0 or PSK_CAP=01b, or if mutual authentication is not required.
Recommendations: For libspdm versions 1.0 through 2.3, update to version 2.3.1 or later to resolve the issue. As a temporary workaround, consider disabling the KEY_EXCHANGE and PSK_FINISH functions until a patch is available. Restrict access to the SPDM responder to minimize the risk of exploitation. Avoid using the KEY_EX_CAP and PSK_CAP parameters in the affected SPDM sessions until the issue is resolved.
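As an added defender-side illustration (constructed for this page, not libspdm's code and not the project's actual patch), the following C models the responder check the description implies: the session record remembers whether it was opened by KEY_EXCHANGE or PSK_EXCHANGE, and the hardened completion handler refuses a PSK_FINISH aimed at a DHE session. The session structure, the `proof_ok` flag and all function names are assumptions made for the example.

```c
#include <stdbool.h>

/* Constructed illustration of the check behind CVE-2023-31127, not libspdm's code:
 * a DHE session (KEY_EXCHANGE) must end with FINISH, a PSK session with PSK_FINISH. */
typedef enum { SESSION_NONE = 0, SESSION_DHE, SESSION_PSK } session_kind_t;
typedef enum { MSG_FINISH, MSG_PSK_FINISH } completion_msg_t;

typedef struct {
    session_kind_t kind;      /* set when KEY_EXCHANGE or PSK_EXCHANGE is accepted */
    bool mut_auth_required;   /* responder demands a requester certificate signature */
    bool requester_verified;  /* a requester signature was actually checked */
    bool established;
} spdm_session_t;

/* Records a half-open session, as the KEY_EXCHANGE / PSK_EXCHANGE handler would. */
spdm_session_t open_session(session_kind_t kind, bool mut_auth) {
    spdm_session_t s = { kind, mut_auth, false, false };
    return s;
}

/* proof_ok models the message's own check: the requester signature for FINISH
 * under mutual auth, otherwise the HMAC under the session's finished key, which
 * any peer that completed the DHE exchange can compute. */
static bool finish_common(spdm_session_t *s, completion_msg_t msg, bool proof_ok) {
    if (s->kind == SESSION_NONE || !proof_ok) return false;
    s->requester_verified = (msg == MSG_FINISH && s->mut_auth_required);
    s->established = true;
    return true;
}

/* Vulnerable pattern: either completion message is accepted for any open
 * session, so PSK_FINISH closes a mutual-auth DHE session with an HMAC alone. */
bool complete_session_vulnerable(spdm_session_t *s, completion_msg_t msg, bool proof_ok) {
    return finish_common(s, msg, proof_ok);
}

/* Hardened pattern: the completion message must match the handshake that
 * opened the session; a mismatch is rejected before any proof is examined. */
bool complete_session_hardened(spdm_session_t *s, completion_msg_t msg, bool proof_ok) {
    if (msg == MSG_PSK_FINISH && s->kind != SESSION_PSK) return false;
    if (msg == MSG_FINISH && s->kind != SESSION_DHE) return false;
    return finish_common(s, msg, proof_ok);
}

/* True when the established session met the responder's authentication policy;
 * a PSK session authenticates the requester through the shared secret itself. */
bool mutual_auth_satisfied(const spdm_session_t *s) {
    return s->established &&
           (!s->mut_auth_required || s->requester_verified || s->kind == SESSION_PSK);
}
```

With the vulnerable handler a DHE session that requires mutual authentication ends up established but with `requester_verified` false; the hardened handler returns an error for that message before touching the session state.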

Exploit

Fix

Weakness Enumeration

Improper Authentication

Related Identifiers

BDU:2023-05976
CVE-2023-31127
GHSA-QW76-4V8P-XQ9F

Affected Products

Libspdm