
GHSA-w3vw-ccc5-qr8v tss-esapi

Package

Manager: cargo
Name: tss-esapi
Vulnerable Version: >=7.0.0 <7.1.0 || >=0 <6.1.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H/E:F/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

EPSS: N/A (percentile: N/A)

Details

Use After Free in Context::start_auth_session

### Impact

**This issue only applies to applications starting authorization sessions using an explicit initial `nonce`.**

When [`Context::start_auth_session`](https://docs.rs/tss-esapi/7.0.1/tss_esapi/struct.Context.html#method.start_auth_session) was called with a `nonce` argument value of `Some(...)`, the nonce pointer passed down through FFI to `Esys_StartAuthSession` would be a dangling pointer, left over from a defunct instance of `TPM2B_NONCE`. This could lead to an incorrect value being used as a nonce; whether that value is controllable is unclear, so it should be assumed to be possible.

The error became apparent due to changes in v1.61.0 of the Rust compiler. Logs indicating a failure due to this issue (with the 1.61.0 version of the Rust toolchain) look as follows:

```
2022-05-24T01:04:41.9131341Z WARNING:esys:src/tss2-esys/api/Esys_StartAuthSession.c:390:Esys_StartAuthSession_Finish() Received TPM Error
2022-05-24T01:04:41.9132192Z ERROR:esys:src/tss2-esys/api/Esys_StartAuthSession.c:136:Esys_StartAuthSession() Esys Finish ErrorCode (0x000001d5)
2022-05-24T01:04:41.9145124Z [2022-05-24T01:04:41Z ERROR tss_esapi::context::tpm_commands::session_commands] Error when creating a session: structure is the wrong size (associated with parameter number 1)
2022-05-24T01:04:41.9153816Z thread 'main' panicked at 'Call to start_auth_session failed: Tss2Error(FormatOne(FormatOneResponseCode { .0: 469, error_number: 21, parameter: true, format_selector: true, number: 1 }))', tss-esapi/tests/integration_tests/context_tests/tpm_commands/enhanced_authorization_ea_commands_tests.rs:870:14
```

### Patches

The issue has been patched in versions 6 and 7 of the `tss-esapi` crate. Please update to `7.1.0` or `6.1.2`.

### Workarounds

There is no workaround that achieves the same functionality.

### References

For more information on the cause of the issue and the fix, see [this](https://github.com/parallaxsecond/rust-tss-esapi/pull/344) PR. For more details about the `TPM2_StartAuthSession` command see section 11.1 of [the TPM spec, part 3](https://trustedcomputinggroup.org/wp-content/uploads/TCG_TPM2_r1p59_Part3_Commands_pub.pdf), and section 19.6.3 of [part 1 of the same spec](https://trustedcomputinggroup.org/wp-content/uploads/TCG_TPM2_r1p59_Part1_Architecture_pub.pdf) for more information regarding session nonces.

### For more information

If you have any questions or comments about this advisory:

* Open an issue or discussion in [our repo](https://github.com/parallaxsecond/rust-tss-esapi)
* Get in touch on [our Slack channel](https://github.com/parallaxsecond/community#community-channel)
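The lifetime mistake the Impact section describes, as an added example that is not the tss-esapi crate's own code: `Tpm2bNonce` and `esys_start_auth_session` are assumed stand-ins for the real `TPM2B_NONCE` type and the `Esys_StartAuthSession` FFI call, so the code runs offline. The buggy shape takes a raw pointer to a temporary that is dropped before the call; the fixed shape binds the converted nonce to a local that outlives it.

```rust
// Added example, not code from the tss-esapi crate. `Tpm2bNonce` and
// `esys_start_auth_session` are assumed stand-ins for the real FFI types.
use std::ptr;

/// Minimal stand-in for the C `TPM2B_NONCE` sized buffer.
#[repr(C)]
pub struct Tpm2bNonce {
    pub size: u16,
    pub buffer: [u8; 64],
}

impl From<&[u8]> for Tpm2bNonce {
    fn from(bytes: &[u8]) -> Self {
        let mut buffer = [0u8; 64];
        let len = bytes.len().min(buffer.len());
        buffer[..len].copy_from_slice(&bytes[..len]);
        Tpm2bNonce { size: len as u16, buffer }
    }
}

/// Stand-in for `Esys_StartAuthSession`: dereferences the nonce pointer the
/// way the C library would and returns the bytes it read (None for NULL).
unsafe fn esys_start_auth_session(nonce_caller: *const Tpm2bNonce) -> Option<Vec<u8>> {
    if nonce_caller.is_null() {
        return None;
    }
    let n = &*nonce_caller;
    Some(n.buffer[..n.size as usize].to_vec())
}

/// Buggy shape: `Tpm2bNonce::from(n)` is a temporary inside the closure, so it
/// is dropped when the closure returns and `ptr` already dangles at the call.
/// Never invoked here; reading through `ptr` is undefined behaviour.
#[allow(dead_code)]
pub fn start_auth_session_buggy(nonce: Option<&[u8]>) -> Option<Vec<u8>> {
    let ptr = nonce.map_or(ptr::null(), |n| &Tpm2bNonce::from(n) as *const Tpm2bNonce);
    unsafe { esys_start_auth_session(ptr) }
}

/// Fixed shape: keep the converted nonce in a local that outlives the FFI call
/// and take the pointer from that local only.
pub fn start_auth_session_fixed(nonce: Option<&[u8]>) -> Option<Vec<u8>> {
    let nonce_buf: Option<Tpm2bNonce> = nonce.map(|n| Tpm2bNonce::from(n));
    let ptr = nonce_buf.as_ref().map_or(ptr::null(), |n| n as *const Tpm2bNonce);
    unsafe { esys_start_auth_session(ptr) }
}
```

Running the fixed function under Miri or a sanitizer is the practical check: the buggy shape is flagged as a use of freed stack memory, the fixed shape is not.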

Metadata

Created: 2022-06-17T01:17:41Z
Modified: 2022-06-17T01:17:41Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-w3vw-ccc5-qr8v/GHSA-w3vw-ccc5-qr8v.json
CWE IDs: []
Alternative ID: N/A
Finding: F111
Auto approve: 1