CVE-2024-29040: 
CBL Mariner vulnerability analysis and mitigation

CVE-2024-29040 affects the TPM2 Software Stack (TSS), specifically related to the JSON Quote Info functionality. The vulnerability was discovered in versions prior to 4.1.0, where the FapiQuote and FapiVerifyQuote functions had a validation issue. The vulnerability was disclosed on June 28, 2024, affecting the TPM2 Software Stack implementation of the Trusted Computing Group's (TCG) specifications (NVD).

The vulnerability stems from improper validation of the TPM2GENERATED magic field in the TPMSATTEST structure during deserialization of JSON Quote Info. When FapiQuote returns data that is then processed by FapiVerifyQuote, any arbitrary number can be used in the JSON structure for the TPM2_GENERATED magic field, which should specifically be 0xFF544347 according to specifications. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N (NVD, GitHub Advisory).

The vulnerability allows an attacker to manipulate the verification process where the verifier can receive a state that does not represent the actual state of the device under test. This could result in a malicious device gaining unauthorized access to data or services it should not be able to access (NVD).

The vulnerability has been patched in TPM2 Software Stack version 4.1.0. Users are advised to upgrade to this version or later to address the security issue. The fix includes proper validation of the TPM2_GENERATED magic field during the quote verification process (GitHub Release).