CVE-2021-3565

NameCVE-2021-3565
DescriptionA flaw was found in tpm2-tools in versions before 5.1.1 and before 4.3.2. tpm2_import used a fixed AES key for the inner wrapper, potentially allowing a MITM attacker to unwrap the inner portion and reveal the key being imported. The highest threat from this vulnerability is to data confidentiality.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium
Debian Bugs989148

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
tpm2-tools (PTS)buster3.1.3-2fixed
bookworm, sid, bullseye5.0-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
tpm2-toolssourcebuster(not affected)
tpm2-toolssource(unstable)5.0-2989148

Notes

[buster] - tpm2-tools <not-affected> (Vulnerable code not present)
https://bugzilla.redhat.com/show_bug.cgi?id=1964427
https://github.com/tpm2-software/tpm2-tools/issues/2738
https://github.com/tpm2-software/tpm2-tools/commit/c069e4f179d5e6653a84fb236816c375dca82515

Search for package or bug name: Reporting problems