You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
CVE-2024-29038: tpm2_checkquote: Fix check of magic number. It was not checked whether the magic number in the attest is equal to TPM2_GENERATED_VALUE. So an malicious attacker could generate arbitrary quote data which was not detected by tpm2 checkquote.
CVE-2024-29039: tpm2_checkquote: Add comparison of pcr selection. The pcr selection which is passed with the --pcr parameter it not compared with the attest. So it's possible to fake a valid
attestation.
CVE-2024-29040: FAPI: Fix check of magic number in verify quote. After deserializing the quote info it was not checked whether the magic number in the attest is equal TPM2_GENERATED_VALUE. So an malicious attacker could generate arbitrary quote data
which was not detected by Fapi_VerifyQuote. Now the number magic number is checket in verify quote and also in the deserialization of TPM2_GENERATED. The check is also added to the Unmarshal function for TPMS_ATTEST.
Name: tpm2-{tools,tss}
CVEs: CVE-2024-29038, CVE-2024-29039, CVE-2024-29040
CVSSs: 4.3, 9.0, 4.3
Action Needed: update tpm2-tools to >= 5.6.1, tpm2-tss to >= 4.0.2
Summary:
attestation.
which was not detected by Fapi_VerifyQuote. Now the number magic number is checket in verify quote and also in the deserialization of TPM2_GENERATED. The check is also added to the Unmarshal function for TPMS_ATTEST.
refmap.gentoo: CVE-2024-2903[89]: https://bugs.gentoo.org/931056, CVE-2024-29040: https://bugs.gentoo.org/931055
The text was updated successfully, but these errors were encountered: