CVE-2021-3446
Published: 25 March 2021
A flaw was found in libtpms in versions before 0.8.2. The commonly used integration of libtpms with OpenSSL contained a vulnerability related to the returned IV (initialization vector) when certain symmetric ciphers were used. Instead of returning the last IV it returned the initial IV to the caller, thus weakening the subsequent encryption and decryption steps. The highest threat from this vulnerability is to data confidentiality.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
libtpms Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| groovy |
Ignored
(end of life)
|
|
| hirsute |
Ignored
(end of life)
|
|
| impish |
Not vulnerable
(0.8.2-1ubuntu1)
|
|
| jammy |
Not vulnerable
(0.9.3-0ubuntu1)
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(0.8.2)
|
|
| xenial |
Does not exist
|
|
|
Patches: upstream: https://github.com/stefanberger/libtpms/commit/32c159ab53db703749a8f90430cdc7b20b00975e |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 5.5 |
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |