{"vulnerability": "CVE-2023-4363", "sightings": [
{"uuid": "c73bb646-093f-42af-aec7-c03fb0daf85a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-43634", "type": "seen", "source": "https://gist.github.com/alon710/e906ef12237a848004f9c83861a63189", "content": "", "creation_timestamp": "2026-02-04T22:10:05.000000Z"},
{"uuid": "ba07fa9a-46a4-49d8-96c4-bb610a4883af", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-4363", "type": "seen", "source": "https://t.me/cibsecurity/68588", "content": "\u203c CVE-2023-4363 \u203c\n\nInappropriate implementation in WebShare in Google Chrome on Android prior to 116.0.5845.96 allowed a remote attacker to spoof the contents of a dialog URL via a crafted HTML page. (Chromium security severity: Medium)\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-08-15T22:36:46.000000Z"},
{"uuid": "3358e6e5-99fe-4f0a-aaa3-39c49ba0bfa3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-43637", "type": "seen", "source": "https://t.me/cibsecurity/70895", "content": "\u203c CVE-2023-43637 \u203c\n\nDue to the implementation of \"deriveVaultKey\", prior to version 7.10, the generated vault key would always have the last 16 bytes predetermined to be \"arfoobarfoobarfo\". This issue happens because \"deriveVaultKey\" calls \"retrieveCloudKey\" (which will always return \"foobarfoobarfoobarfoobarfoobarfo\" as the key), and then merges the 32-byte randomly generated key with this key (by taking 16 bytes from each, see \"mergeKeys\"). This makes the key a lot weaker. This issue does not persist in devices that were initialized on/after version 7.10, but devices that were initialized before that and updated to a newer version still have this issue. Roll an update that enforces the full 32-byte key usage.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-09-21T18:31:07.000000Z"},
{"uuid": "9797b0cc-862f-404b-bdac-1e8f596e8992", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-43631", "type": "seen", "source": "https://t.me/cibsecurity/70894", "content": "\u203c CVE-2023-43631 \u203c\n\nOn boot, the Pillar eve container checks for the existence and content of \u201c/config/authorized_keys\u201d. If the file is present, and contains a supported public key, the container will go on to open port 22 and enable sshd with the given keys as the authorized keys for root login. An attacker could easily add their own keys and gain full control over the system without triggering the \u201cmeasured boot\u201d mechanism implemented by EVE OS, and without marking the device as \u201cUUD\u201d (\u201cUnknown Update Detected\u201d). This is because the \u201c/config\u201d partition is not protected by \u201cmeasured boot\u201d, it is mutable, and it is not encrypted in any way. An attacker can gain full control over the device without changing the PCR values, thus not triggering the \u201cmeasured boot\u201d mechanism, and having full access to the vault. Note: This issue was partially fixed in these commits (after disclosure to Zededa), where the config partition measurement was added to PCR13: \u2022 aa3501d6c57206ced222c33aea15a9169d629141 \u2022 5fef4d92e75838cc78010edaed5247dfbdae1889. This issue was made viable in version 9.0.0 when the calculation was moved to PCR14 but it was not included in the measured boot.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-09-21T18:31:06.000000Z"},
{"uuid": "104ea24c-7a8b-405e-9336-9c36c2ab4d2e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-43632", "type": "seen", "source": "https://t.me/cibsecurity/70893", "content": "\u203c CVE-2023-43632 \u203c\n\nAs noted in the \u201cVTPM.md\u201d file in the eve documentation, \u201cVTPM is a server listening on port 8877 in EVE, exposing limited functionality of the TPM to the clients. VTPM allows clients to execute tpm2-tools binaries from a list of hardcoded options\u201d The communication with this server is done using protobuf, and the data is comprised of 2 parts: 1. Header 2. Data. When a connection is made, the server is waiting for 4 bytes of data, which will be the header, and these 4 bytes would be parsed as uint32 size of the actual data to come. Then, in the function \u201chandleRequest\u201d this size is then used in order to allocate a payload on the stack for the incoming data. As this payload is allocated on the stack, this will allow overflowing the stack size allocated for the relevant process with freely controlled data. * An attacker can crash the system. * An attacker can gain control over the system, specifically on the \u201cvtpm_server\u201d process which has very high privileges.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-09-21T18:31:05.000000Z"},
{"uuid": "83d0bc4e-765e-4e64-a890-1cbb5e7dddca", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-43634", "type": "seen", "source": "https://t.me/cibsecurity/70896", "content": "\u203c CVE-2023-43634 \u203c\n\nWhen sealing/unsealing the \u201cvault\u201d key, a list of PCRs is used, which defines which PCRs are used. In a previous project, CYMOTIVE found that the configuration is not protected by the secure boot, and in response Zededa implemented measurements on the config partition that was mapped to PCR 13. In that process, PCR 13 was added to the list of PCRs that seal/unseal the key. In commit \u201c56e589749c6ff58ded862d39535d43253b249acf\u201d, the config partition measurement moved from PCR 13 to PCR 14, but PCR 14 was not added to the list of PCRs that seal/unseal the key. This change makes the measurement of PCR 14 effectively redundant as it would not affect the sealing/unsealing of the key. An attacker could modify the config partition without triggering the measured boot, this could result in the attacker gaining full control over the device with full access to the contents of the encrypted \u201cvault\u201d\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-09-21T18:31:08.000000Z"},
{"uuid": "261e4802-134c-435d-a014-96ad5c47ed83", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-43633", "type": "seen", "source": "https://t.me/cibsecurity/70899", "content": "\u203c CVE-2023-43633 \u203c\n\nOn boot, the Pillar eve container checks for the existence and content of \u201c/config/GlobalConfig/global.json\u201d. If the file exists, it overrides the existing configuration on the device on boot. This allows an attacker to change the system\u2019s configuration, which also includes some debug functions. This could be used to unlock the ssh with custom \u201cauthorized_keys\u201d via the \u201cdebug.enable.ssh\u201d key, similar to the \u201cauthorized_keys\u201d finding that was noted before. Other usages include unlocking the usb to enable the keyboard via the \u201cdebug.enable.usb\u201d key, allowing VNC access via the \u201capp.allow.vnc\u201d key, and more. An attacker could easily enable these debug functionalities without triggering the \u201cmeasured boot\u201d mechanism implemented by EVE OS, and without marking the device as \u201cUUD\u201d (\u201cUnknown Update Detected\u201d). This is because the \u201c/config\u201d partition is not protected by \u201cmeasured boot\u201d, it is mutable and it is not encrypted in any way. An attacker can gain full control over the device without changing the PCR values, thereby not triggering the \u201cmeasured boot\u201d mechanism, and having full access to the vault. Note: This issue was partially fixed in these commits (after disclosure to Zededa), where the config partition measurement was added to PCR13: \u2022 aa3501d6c57206ced222c33aea15a9169d629141 \u2022 5fef4d92e75838cc78010edaed5247dfbdae1889. This issue was made viable in version 9.0.0 when the calculation was moved to PCR14 but it was not included in the measured boot.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-09-21T18:31:11.000000Z"},
{"uuid": "8d70f401-9a32-47a3-8dc8-1885303f9166", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-43633", "type": "seen", "source": "https://gist.github.com/alon710/607362935c66cd5c9117878534849de3", "content": "", "creation_timestamp": "2026-02-04T22:40:05.000000Z"}
]}