SCA: security update for keylime (GHSA-jf66-3q76-h5p5)

critical Tenable Cloud Security Plugin ID 416309

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Keylime does not enforce that the agent registrar data is the same when the tenant uses it for validation
of the EK and identity quote and the verifier for validating the integrity quote. This allows an attacker
to use one AK, EK pair from a real TPM to pass EK validation and give the verifier an AK of a software
TPM. A successful attack breaks the entire chain of trust because a not validated AK is used by the
verifier. This issue is worse if the validation happens first and then the agent gets added to the
verifier because the timing is easier and the verifier does not validate the regcount entry being equal to
1, (CVE-2022-1053)

Solution

Update the keylime library and its related packages to version 6.4.0 or later.

See Also

https://github.com/advisories/GHSA-jf66-3q76-h5p5

Plugin Details

Severity: Critical

ID: 416309

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.04

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 4.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2022-1053

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Critical

Base Score: 9.3

Threat Score: 8

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/5/2022

Vulnerability Publication Date: 5/5/2022

Reference Information

CVE: CVE-2022-1053

cwe: CWE-20