CVE-2023-38201: 
Python vulnerability analysis and mitigation

A security vulnerability (CVE-2023-38201) was discovered in the Keylime registrar that could allow a bypass of the challenge-response protocol during agent registration. The vulnerability affects Keylime versions prior to 7.5.0 and was disclosed on August 23, 2023. The issue impacts the Keylime TPM-based remote boot attestation and runtime integrity measurement solution (GitHub Advisory).

The vulnerability allows an attacker to bypass the challenge-response protocol used to verify that an agent has access to an Attestation Identity Key (AIK) related to the Endorsement Key (EK). When receiving an incorrect authtag from the agent during activation, the registrar responds with an error message containing the expected correct authtag. An attacker could record this correct auth_tag from the HTTP error message and perform the activate call again with the captured value. The vulnerability has a CVSS v3.1 base score of 6.5 (Medium) with vector: AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (NVD).

The vulnerability allows an attacker to register an agent with a valid EK Certificate but with a compromised/unrelated AIK. This could result in the attacker being able to impersonate an agent and hide the true status of a monitored machine if the fake agent is added to the verifier list by a legitimate user, leading to a breach of the integrity of the registrar database (GitHub Advisory).

Users should upgrade to Keylime version 7.5.0 or later which contains the fix for this vulnerability. The patch ensures deletion of an agent's record from the database in case of failure after a single attempt and removes the exposure of the auth_tag in error messages (GitHub Commit, Red Hat Advisory).