CVE-2020-8918: Improper Initialization

February 11, 2022

An improperly initialized ‘migrationAuth’ value in Google’s go-tpm TPM1.2 library can lead an eavesdropping attacker to discover the auth value for a key created with CreateWrapKey. An attacker listening in on the channel can collect both ’encUsageAuth’ and ’encMigrationAuth’, and then can calculate ‘usageAuth ^ encMigrationAuth’ as the ‘migrationAuth’ can be guessed for all keys created with CreateWrapKey. TPM2.0 is not impacted by this. We recommend updating your library to or later, or, if you cannot update, to call CreateWrapKey with a random value for ‘migrationAuth’.

References

github.com/advisories/GHSA-5x29-3hr9-6wpw
github.com/google/go-tpm/pull/195
github.com/google/go-tpm/security/advisories/GHSA-5x29-3hr9-6wpw
nvd.nist.gov/vuln/detail/CVE-2020-8918

Detect and mitigate CVE-2020-8918 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →