Step CA Index Out-of-Bounds Panic Vulnerability via Crafted AK Certificate in TPM Attestation

A vulnerability in Step CA versions 0.24.0 prior to 0.30.0-rc3 allows an attacker to cause an index out-of-bounds panic by sending a crafted attestation key (AK) certificate with an empty Extended Key Usage (EKU) extension during TPM device attestation. This issue arises because Step CA expects the AK certificate to include the tcg-kp-AIKCertificate EKU OID. The validation process decodes the EKU extension from ASN.1, and a certificate with an empty EKU sequence can lead to a panic when the code attempts to access the first element of the slice. This vulnerability is only exploitable when a device-attest-01 ACME challenge with TPM attestation is active; deployments not using TPM attestation are unaffected.

Impact

Exploitation of this vulnerability leads to an index out-of-bounds panic, causing a denial of service by crashing the application.

Reproduction

To reproduce this vulnerability, configure an ACME provisioner in Step CA to use TPM device attestation. Then, send a device-attest-01 challenge with a crafted AK certificate that has an empty EKU extension. The application will panic due to the empty EKU sequence, demonstrating the vulnerability.

Remediation

Step CA users can upgrade to version 0.30.0 or later to address this vulnerability. If an upgrade is not possible, remove or disable any ACME provisioners that use TPM device attestation.