CVE-2024-29038: 
Alma Linux vulnerability analysis and mitigation

A vulnerability was discovered in tpm2-tools, the source repository for the Trusted Platform Module (TPM2.0) tools, where a malicious attacker can generate arbitrary quote data which is not detected by tpm2 checkquote. The vulnerability was identified as CVE-2024-29038 and was patched in version 5.7 (GitHub Release, NVD).

The vulnerability stems from a missing check of the TPMGENERATEDVALUE in the quote verification process. According to the Trusted Platform Module Library specification, an entity checking an attestation made by an AK must verify that the message signed begins with TPMGENERATEDVALUE (0xFF544347) to ensure the message is indeed a TPM-generated quote. The tpm2 checkquote tool failed to implement this verification check. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N (GitHub Advisory).

The vulnerability allows an attacker to create arbitrary quote data, have it signed by the TPM, and send it to the attester without detection. This means the verifier can receive a state which does not represent the actual, possibly malicious state of the device under test. The impact depends on the further actions of the falsely successful attestation process, potentially allowing malicious devices to gain unauthorized access to data or services (GitHub Advisory).

The vulnerability has been patched in tpm2-tools versions 5.5.1, 5.6.1, and 5.7. The fix implements a check to verify whether the magic value of the quote data matches TPMGENERATEDVALUE, similar to the existing check in tpm2_print (GitHub Release, Red Hat Advisory).