GO-2021-0095

Source

https://pkg.go.dev/vuln/GO-2021-0095

Import Source

https://vuln.go.dev/ID/GO-2021-0095.json

Aliases

CVE-2020-8918
GHSA-5x29-3hr9-6wpw

Published

2021-04-14T20:04:52Z

Modified

2023-11-08T04:04:19.342810Z

Details

Due to repeated usage of a XOR key an attacker that can eavesdrop on the TPM 1.2 transport is able to calculate usageAuth for keys created using CreateWrapKey, despite it being encrypted, allowing them to use the created key.

References

https://github.com/google/go-tpm/pull/195
https://github.com/google/go-tpm/commit/d7806cce857a1a020190c03348e5361725d8f141

Affected packages

Go / github.com/google/go-tpm

Package

Name: github.com/google/go-tpm

Affected ranges

Type: SEMVER
Events: Introduced

0The exact introduced commit is unknown

Fixed

0.3.0

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/google/go-tpm/tpm",
            "symbols": [
                "CreateWrapKey"
            ]
        }
    ]
}