Keylime
cpe:2.3:a:keylime:keylime:*:*:*:*:*:*:*
- >= 7.12.0
An authentication bypass vulnerability has been identified in the Keylime registrar, affecting versions 7.12.0 and later. The issue arises because the registrar does not enforce client-side Transport Layer Security (TLS) authentication, allowing unauthenticated clients with network access to perform administrative tasks. These tasks include listing agents, retrieving public Trusted Platform Module (TPM) data, and deleting agents, all by connecting without a client certificate. Exploitation requires direct network access to the registrar's HTTPS port, which defaults to 8891.
Exploitation of this vulnerability allows unauthorized clients to perform administrative operations on the Keylime registrar, including managing agents and accessing sensitive TPM data.
To reproduce this vulnerability, connect to the Keylime registrar's HTTPS port (default 8891) using a standard HTTP client, such as curl or wget. No client certificate, credentials, or special tools are required. Once connected, administrative operations can be performed, such as listing agents, retrieving public TPM data, or deleting agents.
To address this vulnerability, network access to the Keylime registrar's HTTPS port should be restricted to trusted verifier and tenant hosts using firewall rules. Alternatively, a reverse proxy, such as Nginx or HAProxy, can be deployed in front of the registrar to enforce client certificate authentication. After making changes to firewall rules or proxy configurations, ensure that the changes are applied by reloading the rules or restarting the relevant services.
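The reverse-proxy option described above, as an added example that is not taken from the advisory or from the Keylime project: an nginx server block that terminates TLS, requires a client certificate issued by the CA the verifier and tenant use, and only then forwards the request to the registrar. It assumes the registrar has been rebound to 127.0.0.1:18891 so it is no longer reachable directly; the hostname, certificate paths and the allowed subnets are placeholders.

```nginx
# Added example, not part of the advisory or of Keylime itself.
# Assumptions: registrar moved to 127.0.0.1:18891 (placeholder port);
# all file paths, the server_name and the subnets below are placeholders.
server {
    # Take over the port clients already use for the registrar.
    listen 8891 ssl;
    server_name registrar.example.internal;

    ssl_certificate     /etc/nginx/tls/registrar-proxy.crt;
    ssl_certificate_key /etc/nginx/tls/registrar-proxy.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Enforce the check the registrar itself is missing: every client must
    # present a certificate chaining to this CA, or the handshake is rejected
    # (nginx returns 400 "No required SSL certificate was sent") and the
    # request never reaches the backend.
    ssl_client_certificate /etc/nginx/tls/keylime-ca.crt;
    ssl_verify_client      on;
    ssl_verify_depth       2;

    # Defence in depth alongside the firewall rule: only the verifier and
    # tenant networks may even attempt a handshake.
    allow 10.0.10.0/24;   # placeholder: verifier hosts
    allow 10.0.20.0/24;   # placeholder: tenant hosts
    deny  all;

    location / {
        proxy_pass https://127.0.0.1:18891;

        # Verify the registrar's own server certificate on the upstream leg
        # rather than blindly trusting whatever answers on the loopback port.
        proxy_ssl_verify               on;
        proxy_ssl_trusted_certificate  /etc/nginx/tls/keylime-ca.crt;
        proxy_ssl_name                 registrar.example.internal;

        # Record who made each administrative call in the proxy's access log
        # and pass the identity upstream for correlation.
        proxy_set_header X-SSL-Client-DN     $ssl_client_s_dn;
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
    }
}
```

After `nginx -t` passes and the service is reloaded, a plain `curl -k https://registrar.example.internal:8891/` without a client certificate should now fail at the TLS layer, while the same request with the verifier's certificate and key supplied via `--cert`/`--key` succeeds.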