CVE-2021-4076: 
NixOS vulnerability analysis and mitigation

A vulnerability (CVE-2021-4076) was discovered in Tang, a network-based cryptographic binding server, affecting versions 8 through 11. The flaw could result in the leak of private keys. The vulnerability was initially discovered by Twitter's Kernel and OS team during a source code audit while evaluating Tang/Clevis for their needs (GitHub PR).

The vulnerability has a CVSS v3.1 Base Score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The issue was introduced in Tang version 8 through commit 609050586e4863329d2db9b7cb73da5c09eeea2b and was fixed in version 11 via commit e82459fda10f0630c3414ed2afbc6320bb9ea7c9. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (NVD).

The vulnerability could lead to the exposure of private keys to unauthorized actors. Given the CVSS scoring, the flaw has a high impact on confidentiality while maintaining no impact on integrity and availability. As Tang is used for network-based cryptographic binding, a compromise of private keys could potentially affect the security of dependent systems (Red Hat Bugzilla).

The vulnerability was fixed in Tang version 11 by moving the signing functionality from find_by_thp() to find_jws() to ensure proper handling of signing keys and responses to queries. Users are advised to upgrade to version 11 or later to address this security issue (GitHub PR).