CVE Reports

Posted on • Originally published at cvereports.com

CVE-2023-43633: Trusted Boot, Untrusted Config: Breaking EVE OS Encryption (CVE-2023-43633)

Vulnerability ID: CVE-2023-43633
CVSS Score: 8.8
Published: 2026-02-04

A critical lapse in the Trusted Platform Module (TPM) sealing policy of LF-Edge EVE OS allowed attackers with physical access to inject malicious configurations—enabling SSH and bypassing authentication—while still successfully unsealing the disk encryption keys. It turns out that measuring the operating system kernel is useless if you don't also measure the configuration file that tells the kernel to open the front door.

TL;DR

Physical attackers can modify an unmeasured JSON config file to enable SSH and debugging features on EVE OS devices. Because the config wasn't part of the TPM sealing policy, the device still decrypts the secure vault during boot, granting the attacker root access to sensitive data. Fixed in version 9.5.0.


⚠️ Exploit Status: POC

Technical Details

  • CWE: CWE-522 (Insufficiently Protected Credentials)
  • CVSS v3.1: 8.8 (High)
  • Attack Vector: Physical
  • Confidentiality: High (Full Vault Access)
  • Integrity: High (System Compromise)
  • Status: Patched (Regression fixed in 9.5.0)

Affected Systems

  • LF-Edge EVE OS < 8.6.0 (Fixed in: 8.6.0)
  • LF-Edge EVE OS 9.0.0 - 9.4.x (Fixed in: 9.5.0)

Code Analysis

Commit: 5fef4d9

Introduced measurefs to measure config partition

Added measurefs module to GRUB config

Commit: aa3501d

Updated DiskKeySealingPCRs to include PCR 13

DiskKeySealingPCRs = ... PCRs: []int{..., 13}}
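
Why adding PCR 13 to the sealing set matters, as an added Go sketch (not EVE OS code and not from the original report): it models PCR extend and a PCR-bound policy digest in software. PCR indices 0 and 4, the image names and the JSON strings are constructed placeholders standing in for the elided part of DiskKeySealingPCRs; only PCR 13 comes from the page, and the config measurement is assumed to land there.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// PCRBank is a toy SHA-256 PCR bank: 24 registers, all zero at reset.
type PCRBank [24][32]byte

// Extend models TPM2_PCR_Extend: PCR[i] = SHA256(PCR[i] || SHA256(data)).
func (b *PCRBank) Extend(i int, data []byte) {
	m := sha256.Sum256(data)
	b[i] = sha256.Sum256(append(b[i][:], m[:]...))
}

// PolicyDigest hashes the selected PCR values in order, standing in for
// the PCR digest a TPM checks before it releases a sealed key.
func (b *PCRBank) PolicyDigest(pcrs []int) [32]byte {
	var buf []byte
	for _, i := range pcrs {
		buf = append(buf, b[i][:]...)
	}
	return sha256.Sum256(buf)
}

// Boot replays a simplified measured boot. Firmware and kernel go into
// placeholder PCRs 0 and 4; the config partition contents go into PCR 13.
func Boot(config string) *PCRBank {
	b := &PCRBank{}
	b.Extend(0, []byte("constructed-firmware-image"))
	b.Extend(4, []byte("constructed-kernel-image"))
	b.Extend(13, []byte(config))
	return b
}

// Unseals reports whether a key sealed while sealedCfg was on disk would
// still be released after a boot with bootCfg, for the given sealing set.
func Unseals(pcrs []int, sealedCfg, bootCfg string) bool {
	return Boot(sealedCfg).PolicyDigest(pcrs) == Boot(bootCfg).PolicyDigest(pcrs)
}

func main() {
	orig, tampered := `{"ssh":"disabled"}`, `{"ssh":"enabled"}` // constructed
	fmt.Println("sealing set without PCR 13:", Unseals([]int{0, 4}, orig, tampered))  // true
	fmt.Println("sealing set with PCR 13:", Unseals([]int{0, 4, 13}, orig, tampered)) // false
}
```

With PCR 13 outside the sealing set, the changed config is invisible to the policy and the key is released; once it is included, any change to the measured config changes the digest and unsealing fails.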

Mitigation Strategies

  • Upgrade EVE OS to version 9.5.0 or later immediately.
  • Implement strong physical security controls for edge devices (anti-tamper mechanisms).
  • Monitor devices for unexpected reboots or configuration changes.

Remediation Steps:

  1. Check current EVE OS version via the controller dashboard.
  2. Trigger an Over-The-Air (OTA) update to version 9.5.0.
  3. Verify that the TPM sealing policy now includes PCR 13/14 verification.
