Arch Linux Security Advisory ASA-202106-55 ========================================== Severity: Low Date : 2021-06-22 CVE-ID : CVE-2021-3565 Package : tpm2-tools Type : man-in-the-middle Remote : No Link : https://security.archlinux.org/AVG-1986 Summary ======= The package tpm2-tools before version 5.1.1-1 is vulnerable to man-in- the-middle. Resolution ========== Upgrade to 5.1.1-1. # pacman -Syu "tpm2-tools>=5.1.1-1" The problem has been fixed upstream in version 5.1.1. Workaround ========== None. Description =========== A security issue was found in tpm2-tools before version 5.1.1. tpm2_import used a fixed AES key for the inner wrapper, potentially allowing a man-in-the-middle (MITM) attacker to unwrap the inner portion and reveal the key being imported. Impact ====== A local attacker could disclose the secret portion of a key while it is being imported into the TPM. References ========== https://bugzilla.redhat.com/show_bug.cgi?id=1964427 https://github.com/tpm2-software/tpm2-tools/issues/2738 https://github.com/tpm2-software/tpm2-tools/pull/2739 https://github.com/tpm2-software/tpm2-tools/commit/47b3b6e6fffed7080a2f1ce76... https://security.archlinux.org/CVE-2021-3565