github.com/google/go-attestation is vulnerable to insecure remote attestation. The way the library uses values derived from the Platform Configuration Registers (PCRs) of the Trusted Platform Module (TPM) allows a local attacker, through the TCG log handled in Eventlog.Verify, to spoof events in the TCG log and bypass the AKPublic.Verify method, defeating remotely attested measured boot.

CPE

Name | Operator | Version |
---|---|---|
github.com/google/go-attestation | le | v0.3.2 |
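
A check for the affected range in the table, as an added example (not code from go-attestation or from this advisory): it classifies the go-attestation requirement found in a go.mod file. The function names, the status strings and the sample go.mod content are assumptions made for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

const module = "github.com/google/go-attestation"

// classify places one version string against the table's bound ("le v0.3.2").
func classify(v string) string {
	var a, b, c int
	if n, _ := fmt.Sscanf(v, "v%d.%d.%d", &a, &b, &c); n != 3 {
		return "review" // not a parsable version
	}
	if a == 0 && (b < 3 || (b == 3 && c <= 2)) {
		return "affected"
	}
	if strings.Contains(v, "-") {
		return "review" // pre-release or pseudo-version above the bound
	}
	return "ok" // outside the range listed in the table
}

// Check returns the required version and "absent", "affected", "review" or "ok".
func Check(goMod string) (version, status string) {
	status = "absent"
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line, _, _ := strings.Cut(sc.Text(), "//") // drop comments
		f := strings.Fields(line)
		if len(f) > 0 && (f[0] == "require" || f[0] == "replace") {
			f = f[1:] // single-line directive: skip the keyword
		}
		if len(f) >= 2 && f[0] == module {
			if f[1] == "=>" || (len(f) > 2 && f[2] == "=>") {
				return version, "review" // replaced: the built code comes from elsewhere
			}
			version, status = f[1], classify(f[1])
		}
	}
	return version, status
}

func main() {
	sample := "module example.test/verifier\n\nrequire " + module + " v0.3.2\n" // constructed go.mod
	fmt.Println(Check(sample))
}
```

A "review" result means the version cannot be placed against the table from go.mod alone (a replace directive or a pseudo-version), so the commit actually built needs to be inspected.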