CVE-2023-43637: EVE Has Partially Predetermined Vault Key
The deriveVaultKey function calls retrieveCloudKey, which always returns "foobarfoobarfoobarfoobarfoobarfo". When this constant is merged with the randomly generated 32-byte key using mergeKeys (16 bytes taken from each), the last 16 bytes of the resulting vault key are always "arfoobarfoobarfo". As a result, an attacker with physical access to the EVE-OS device can attempt to brute-force only the remaining 128 bits of the key instead of the full 256.
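The entropy loss described above, as an added Go example that is not EVE's code nor its fix: a stand-in for the described mergeKeys reproduces the constant tail, a check flags such a key, and a hypothetical hash-based combiner avoids copying either input into the output. Function names, the choice of which 16 random bytes are kept, and the domain-separation label are assumptions.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constant returned by retrieveCloudKey in the vulnerable code, as quoted in the advisory.
const fixedCloudKey = "foobarfoobarfoobarfoobarfoobarfo"

// mergeKeysWeak mirrors the behaviour the advisory describes: 16 bytes from each
// input are concatenated. Assumption: the first half of the random key and the
// second half of the cloud key; the advisory only states the resulting suffix.
func mergeKeysWeak(randKey, cloudKey []byte) []byte {
	out := make([]byte, 0, 32)
	out = append(out, randKey[:16]...)
	out = append(out, cloudKey[16:]...)
	return out
}

// predictableSuffix reports whether a vault key carries the known constant tail.
func predictableSuffix(vaultKey []byte) bool {
	return bytes.HasSuffix(vaultKey, []byte(fixedCloudKey[16:]))
}

// mergeKeysHashed is a hypothetical hardened combiner (not the project's fix):
// both inputs go through a domain-separated SHA-256, so no slice of the output
// is a verbatim copy of either input. A constant cloudKey still adds no entropy;
// the strength then rests entirely on the 256-bit random key.
func mergeKeysHashed(randKey, cloudKey []byte) []byte {
	h := sha256.New()
	h.Write([]byte("vault-key-combiner-v1\x00")) // label is an assumption
	h.Write(randKey)
	h.Write(cloudKey)
	return h.Sum(nil)
}

func main() {
	randKey := make([]byte, 32)
	if _, err := rand.Read(randKey); err != nil {
		panic(err)
	}
	weak := mergeKeysWeak(randKey, []byte(fixedCloudKey))
	fmt.Printf("weak key tail %q, predictable=%v\n", weak[16:], predictableSuffix(weak))
	strong := mergeKeysHashed(randKey, []byte(fixedCloudKey))
	fmt.Printf("hashed key predictable=%v\n", predictableSuffix(strong))
}
```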
References
- asrg.io/security-advisories/cve-2023-43637
- asrg.io/security-advisories/vault-key-partially-predetermined
- github.com/advisories/GHSA-g7vp-j25f-h34p
- github.com/lf-edge/eve
- github.com/lf-edge/eve/commit/c0c966dc31e2ed9aafc155e6be646adb14756c01
- github.com/lf-edge/eve/security/advisories/GHSA-g7vp-j25f-h34p
- nvd.nist.gov/vuln/detail/CVE-2023-43637