VDB
CVE-2023-43637
CVE-2023-43637
PUBLISHED
CVSS 7.800000190734863 HIGH
Due to the implementation of "deriveVaultKey", prior to version 7.10, the generated vault key would always have the last 16 bytes predetermined to be "arfoobarfoobarfo". This issue happens because "deriveVaultKey" calls "retrieveCloudKey" (which will always return "foobarfoobarfoobarfoobarfoobarfo" as the key), and then merges the 32byte randomly generated key with this key (by takeing 16bytes from each, see "mergeKeys"). This makes the key a lot weaker. This issue does not persist in devices that were initialized on/after version 7.10, but devices that were initialized before that and updated to a newer version still have this issue. Roll an update that enforces the full 32bytes key usage.
EPSS 0.03% · 8.2th percentile
Risk Scores
CVSS v3.1
7.800000190734863
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score
0.03%
8.2th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| lfedge | eve | 0, 0 |
| github.com | lf-edge/eve | 0, 0 |
| linuxfoundation | edge_virtualization_engine | 0, 0 |
| LF-Edge, Zededa | EVE OS | 0, 0 |
Timeline
- Sep 21, 2023 CVE Published
- Sep 21, 2023 PoC Published
- Sep 22, 2023 EPSS Score
- Oct 24, 2023 EPSS Score
- Nov 25, 2023 EPSS Score
- Dec 27, 2023 EPSS Score
- Jan 28, 2024 EPSS Score
- Feb 29, 2024 EPSS Score
- Apr 1, 2024 EPSS Score
- May 3, 2024 EPSS Score
- Jun 4, 2024 EPSS Score
- Jul 6, 2024 EPSS Score
References
- https://asrg.io/security-advisories/cve-2023-43637/ url
- https://github.com/lf-edge/eve/security/advisories/GHSA-g7vp-j25f-h34p url
- https://nvd.nist.gov/vuln/detail/CVE-2023-43637 advisory
- https://github.com/lf-edge/eve/commit/c0c966dc31e2ed9aafc155e6be646adb14756c01 url
- https://asrg.io/security-advisories/cve-2023-43637 url
- https://asrg.io/security-advisories/vault-key-partially-predetermined url
- https://github.com/lf-edge/eve package