3 matches found
CVE-2023-43633
The CVE concerns the Pillar Eve container in EVE OS. On boot, it checks /config/GlobalConfig/global.json and, if present, overrides device configuration, enabling debug functions such as SSH via debug.enable.ssh, USB keyboard via debug.enable.usb, and VNC via app.allow.vnc. This can occur without...
CVE-2023-43634
CVE-2023-43634 relates to the EVE project: the config partition is measured for TPM PCRs used to seal/unseal the vault key. A change moved the config partition measurement from PCR 13 to PCR 14, but PCR 14 was not added to the sealing/unsealing list, making PCR 14’s measurement effectively redund...
CVE-2023-43637
The CVE describes a cryptographic weakness in EVE’s deriveVaultKey used by the vault key derivation flow. Before version 7.10, the generated 32-byte vault key was weakened because deriveVaultKey calls retrieveCloudKey (which returns a fixed 32-byte key) and then merges it with the random 32-byte ...