CVE-2023-43634

Config Partition Not Protected by Measured Boot

Description

When sealing/unsealing the “vault” key, a list of PCRs is used, which defines which PCRs are used. In a previous project, CYMOTIVE found that the configuration is not protected by the secure boot, and in response Zededa implemented measurements on the config partition that was mapped to PCR 13. In that process, PCR 13 was added to the list of PCRs that seal/unseal the key. In commit “56e589749c6ff58ded862d39535d43253b249acf”, the config partition measurement moved from PCR 13 to PCR 14, but PCR 14 was not added to the list of PCRs that seal/unseal the key. This change makes the measurement of PCR 14 effectively redundant as it would not affect the sealing/unsealing of the key. An attacker could modify the config partition without triggering the measured boot, this could result in the attacker gaining full control over the device with full access to the contents of the encrypted “vault”

Category

8.8
CVSS
Severity: High
CVSS 3.1 •
EPSS 0.03%
Third-Party Advisory asrg.io
Affected: LF-Edge, Zededa EVE OS
Published at:
Updated at:

References

Link Tags
https://asrg.io/security-advisories/cve-2023-43634/ third party advisory

Frequently Asked Questions

What is the severity of CVE-2023-43634?
CVE-2023-43634 has been scored as a high severity vulnerability.
How to fix CVE-2023-43634?
To fix CVE-2023-43634, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-43634 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2023-43634 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-43634?
CVE-2023-43634 affects LF-Edge, Zededa EVE OS.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.