Keylime
cpe:2.3:a:keylime:keylime:*:*:*:*:*:*:*
A vulnerability exists in the Keylime verifier due to the use of a hardcoded challenge nonce for Trusted Platform Module (TPM) quote attestation, rather than a cryptographically random value. This flaw allows an attacker with root access on an enrolled monitored machine, where the Keylime agent operates, to collect valid TPM quotes and replay them to avoid detection after compromising the system. This issue is present only in push model deployments.
Exploitation of this vulnerability can lead to a security bypass, allowing attackers to evade detection after compromising a system by replaying previously collected TPM quotes.
To reproduce this vulnerability, an attacker must have root access on a monitored machine with an enrolled Keylime agent. The attacker can stop the Keylime agent and use the tpm2_quote command to collect TPM quotes, taking advantage of the known nonce during the push attestation timeout window, which defaults to 10 seconds. After generating the quotes, the attacker can restart a replacement Keylime agent before the timeout expires and then compromise the system. Each collected TPM quote can only be used once, because a clock monotonicity check prevents reuse of the same quote.
The vulnerability has been fixed in Keylime by changing the nonce generation to use a cryptographically random value instead of a hardcoded one. Users should update to the latest version of Keylime to apply this fix.
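To show why a hardcoded nonce defeats quote freshness even when the verifier enforces clock monotonicity, the following added example (not Keylime's code) models a verifier under both nonce policies; the quote layout and the HMAC standing in for the attestation-key signature are assumptions of the example.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a TPM quote: the challenge nonce rides in the quote's
# qualifying data and the structure is signed by the attestation key. An HMAC
# under a demo key stands in for that signature (an assumption of this example).
DEMO_AK_KEY = b"demo-attestation-key"

def make_quote(nonce: bytes, clock: int) -> dict:
    """Agent side: bind the challenge nonce to the TPM clock and sign it."""
    msg = nonce + clock.to_bytes(8, "big")
    return {"nonce": nonce, "clock": clock,
            "sig": hmac.new(DEMO_AK_KEY, msg, hashlib.sha256).digest()}

def sig_ok(quote: dict) -> bool:
    msg = quote["nonce"] + quote["clock"].to_bytes(8, "big")
    expected = hmac.new(DEMO_AK_KEY, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, quote["sig"])

class Verifier:
    def __init__(self, random_nonce: bool):
        self.random_nonce = random_nonce
        self.expected = None      # the single outstanding challenge nonce
        self.last_clock = -1      # clock monotonicity check state

    def challenge(self) -> bytes:
        # Flawed policy: the same fixed value every round. Fixed policy: fresh random bytes.
        self.expected = os.urandom(20) if self.random_nonce else b"\x00" * 20
        return self.expected

    def verify(self, quote: dict) -> bool:
        fresh = self.expected is not None and quote["nonce"] == self.expected
        self.expected = None      # a challenge answers exactly one quote
        if not fresh or not sig_ok(quote):
            return False
        if quote["clock"] <= self.last_clock:   # reuse of an already-accepted quote
            return False
        self.last_clock = quote["clock"]
        return True

def replay_outcome(random_nonce: bool) -> list:
    """Two quotes collected in earlier rounds are replayed in later rounds."""
    v = Verifier(random_nonce)
    stash = [make_quote(v.challenge(), clock=c) for c in (100, 200)]
    verdicts = []
    for q in stash:
        v.challenge()         # a new attestation round issues a new challenge
        verdicts.append(v.verify(q))
    return verdicts           # fixed nonce: [True, True]; random nonce: [False, False]
```

The monotonicity check only blocks reuse of a single quote; a stash of quotes with increasing clock values passes under the fixed nonce, while a per-round random nonce rejects all of them.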