Impact
The Keylime registrar implemented more strict type checking on version 7.12.0. As a result, when updated to version 7.12.0, the registrar will not accept the format of the data previously stored in the database by versions >= 7.8.0, raising an exception.
This makes the Keylime registrar vulnerable to a Denial-of-Service attack in an update scenario, as an attacker could populate the registrar database by creating multiple valid agent registrations with different UUIDs while the version is still < 7.12.0. Then, when the Keylime registrar is updated to the 7.12.0 version, any query to the database matching any of the entries populated by the attacker will result in failure.
Patches
Users should upgrade to versions >= 7.12.1
Workarounds
- Remove the registrar database and re-register all agents
Credit
Reported by: Anderson Toshiyuki Sasaki/@ansasaki
Patched by: Anderson Toshiyuki Sasaki/@ansasaki
References
ansasaki Remediation developer
Impact
The Keylime
registrarimplemented more strict type checking on version 7.12.0. As a result, when updated to version 7.12.0, theregistrarwill not accept the format of the data previously stored in the database by versions >= 7.8.0, raising an exception.This makes the Keylime
registrarvulnerable to a Denial-of-Service attack in an update scenario, as an attacker could populate theregistrardatabase by creating multiple valid agent registrations with different UUIDs while the version is still < 7.12.0. Then, when the Keylimeregistraris updated to the 7.12.0 version, any query to the database matching any of the entries populated by the attacker will result in failure.Patches
Users should upgrade to versions >= 7.12.1
Workarounds
Credit
Reported by: Anderson Toshiyuki Sasaki/@ansasaki
Patched by: Anderson Toshiyuki Sasaki/@ansasaki
References