CVE Reports

Posted on • Originally published at cvereports.com

CVE-2023-43634: Trust Issues: Bypassing EVE OS Measured Boot via PCR Amnesia

Vulnerability ID: CVE-2023-43634
CVSS Score: 8.8
Published: 2026-02-04

A critical oversight in the EVE OS Trusted Platform Module (TPM) implementation allowed attackers to bypass Measured Boot protections. Because Platform Configuration Register (PCR) 14 was not included in the sealing policy, unauthorized modifications to the configuration partition did not prevent the TPM from releasing the encryption keys.

TL;DR

EVE OS developers moved the configuration partition measurement to TPM PCR 14 but forgot to tell the TPM to check it. Attackers can modify system configs (like SSH keys) without preventing the device from unlocking its encrypted vault.


Technical Details

  • CVE ID: CVE-2023-43634
  • CVSS: 8.8 (High)
  • CWE: CWE-922 (Insecure Storage)
  • Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Attack Vector: Local (Physical/Storage)
  • Hash Upgrade: SHA1 -> SHA256

Affected Systems

  • EVE OS: < 8.6.0 (Fixed in: 8.6.0)
  • EVE OS: >= 9.0.0 < 9.5.0 (Fixed in: 9.5.0)

Code Analysis

Commit: d9383a7

Fix: add PCR 14 to sealing PCRs and switch to SHA256

DiskKeySealingPCRs = tpm2.PCRSelection{Hash: tpm2.AlgSHA256, PCRs: []int{0, 1, 2, 3, 4, 6, 7, 8, 9, 13, 14}}

Mitigation Strategies

  • Implement strict TPM policy validation in CI/CD pipelines.
  • Physically secure edge devices to prevent 'Evil Maid' attacks.
  • Enable remote attestation to verify PCR values server-side.
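The following is an added example, not EVE OS code: a software model in Go of why a PCR left out of the sealing selection cannot protect the key, plus the kind of check a CI pipeline could run against the selection. The pre-fix list is assumed to be the fixed list without 14; `SealDigest`, `Uncovered`, the sample measurements and the simplified digest (selected PCR values hashed together, not the full TPM2 PolicyPCR computation) are constructs of this example.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// extend applies the TPM rule PCR = SHA256(PCR || SHA256(data)).
func extend(pcr [32]byte, data []byte) [32]byte {
	m := sha256.Sum256(data)
	return sha256.Sum256(append(pcr[:], m[:]...))
}

// SealDigest replays a constructed boot (firmware into PCR 0, config partition
// into PCR 14) and hashes only the selected PCRs, as a PCR policy does.
func SealDigest(sel []int, config string) [32]byte {
	var pcrs [24][32]byte
	pcrs[0] = extend(pcrs[0], []byte("constructed firmware event"))
	pcrs[14] = extend(pcrs[14], []byte(config))
	var buf []byte
	for _, i := range sel {
		buf = append(buf, pcrs[i][:]...)
	}
	return sha256.Sum256(buf)
}

// Uncovered lists PCRs the boot chain extends that the sealing policy omits.
func Uncovered(measured, sealing []int) (missing []int) {
	covered := map[int]bool{}
	for _, i := range sealing {
		covered[i] = true
	}
	for _, i := range measured {
		if !covered[i] {
			missing = append(missing, i)
		}
	}
	return missing
}

var FixedSel = []int{0, 1, 2, 3, 4, 6, 7, 8, 9, 13, 14} // selection from the fix commit
var PreFixSel = []int{0, 1, 2, 3, 4, 6, 7, 8, 9, 13}    // assumed: fixed list without 14

func main() {
	a, b := "constructed config A", "constructed config B"
	fmt.Println("pre-fix policy detects config change:", SealDigest(PreFixSel, a) != SealDigest(PreFixSel, b))
	fmt.Println("fixed policy detects config change:  ", SealDigest(FixedSel, a) != SealDigest(FixedSel, b))
	fmt.Println("measured but not sealed (pre-fix):   ", Uncovered([]int{0, 14}, PreFixSel))
}
```

In a pipeline, the `measured` argument would come from the list of PCRs the boot chain is known to extend, and a non-empty result from `Uncovered` would fail the build.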

Remediation Steps:

  1. Upgrade EVE OS to version 8.6.0 or 9.5.0 immediately.
  2. Trigger a key re-sealing process to apply the new PCR policy.
  3. Verify the TPM is using SHA256 banks instead of SHA1.
