CVE Reports

Posted on • Originally published at cvereports.com

GHSA-27JC-JMP8-QFW5: Trust No One (Except Everyone): The Keylime mTLS Bypass

Vulnerability ID: GHSA-27JC-JMP8-QFW5
CVSS Score: 9.4
Published: 2026-02-06

For a framework dedicated to establishing the Root of Trust in hostile cloud environments, Keylime briefly forgot to verify who was knocking at the door. A critical misconfiguration in the Registrar component turned mandatory mutual TLS (mTLS) into a polite suggestion, allowing unauthenticated attackers to manipulate the attestation database.

TL;DR

Keylime's Registrar component (7.12.0, 7.12.1 and 7.13.0) overrode the server-side TLS context's verify_mode to CERT_OPTIONAL. A client that presents no certificate then completes the handshake anyway, which effectively disables mTLS authentication. Attackers could list, query, and delete TPM agent registrations without credentials.
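To make the misconfiguration concrete, here is an added illustration written against Python's standard ssl module. It is not Keylime's code: init_mtls below is a simplified stand-in for keylime's web_util.init_mtls, the certificate and CA file paths are assumed, and the two use_config variants only mirror the shape of the affected and fixed code. The audit helper at the end is the kind of check a deployment can run against the context its Tornado server is actually using.

```python
import ssl
from typing import Optional


def init_mtls(cafile: Optional[str] = None, certfile: Optional[str] = None,
              keyfile: Optional[str] = None) -> ssl.SSLContext:
    """Server-side TLS context that demands a client certificate.

    Simplified stand-in (assumption) for keylime's web_util.init_mtls(); the
    real helper loads the registrar's own certificate/key and the CA bundle
    from its configuration. Paths are optional here so the function can be
    exercised without certificate files on disk.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile:
        ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    # CERT_REQUIRED: the handshake fails unless the peer presents a
    # certificate that chains to the loaded CA. This is what makes it mTLS.
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def use_config_vulnerable() -> ssl.SSLContext:
    """Mirrors the affected _use_config(): the correct context is built and
    then downgraded. CERT_OPTIONAL still validates a certificate *if* one is
    offered, but a client that offers none completes the handshake anyway."""
    ctx = init_mtls()
    ctx.verify_mode = ssl.CERT_OPTIONAL  # the override removed by commit e06bbfc
    return ctx


def use_config_fixed() -> ssl.SSLContext:
    """Mirrors the fixed _use_config(): no override, so CERT_REQUIRED stands."""
    return init_mtls()


def client_auth_enforced(ctx: ssl.SSLContext) -> bool:
    """Audit helper: True only if the context refuses certificate-less peers."""
    return ctx.verify_mode == ssl.CERT_REQUIRED


def describe(ctx: ssl.SSLContext) -> str:
    """Human-readable name for the context's client-auth policy."""
    names = {ssl.CERT_NONE: "CERT_NONE (no client auth)",
             ssl.CERT_OPTIONAL: "CERT_OPTIONAL (anonymous clients accepted)",
             ssl.CERT_REQUIRED: "CERT_REQUIRED (mTLS enforced)"}
    return names[ctx.verify_mode]


if __name__ == "__main__":
    for label, ctx in (("vulnerable", use_config_vulnerable()),
                       ("fixed", use_config_fixed())):
        print(f"{label:10s} {describe(ctx)}  enforced={client_auth_enforced(ctx)}")
```

The point the helper makes is that verify_mode is a property of the context object at runtime, so the check belongs where the context is handed to the server, not in a code review alone: any later assignment, like the one the fix removes, silently wins over what init_mtls set.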


⚠️ Exploit Status: POC

Technical Details

  • CVE: CVE-2026-1709
  • CVSS v3.1: 9.4 (Critical)
  • CWE: CWE-287 (Improper Authentication)
  • Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Platform: Python (Tornado/SSL)
  • Impact: Auth Bypass / DoS

Affected Systems

  • Keylime Registrar
  • keylime: >= 7.12.0, < 7.12.2 (Fixed in: 7.12.2)
  • keylime: == 7.13.0 (Fixed in: 7.13.1)

Code Analysis

Commit: e06bbfc

Fix mTLS authentication bypass by removing CERT_OPTIONAL override

@@ -252,7 +251,6 @@ def _use_config(self, component: str) -> None:
         self._ssl_ctx = web_util.init_mtls(component)
-        self._ssl_ctx.verify_mode = CERT_OPTIONAL
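Review bot: removing the CERT_OPTIONAL override restores whatever verify_mode web_util.init_mtls(component) sets, but nothing in this hunk shows that value, so the fix should come with a regression test asserting that self._ssl_ctx.verify_mode == CERT_REQUIRED after _use_config returns; otherwise a later refactor of init_mtls could reopen the bypass without touching this file. If CERT_OPTIONAL was imported only for the removed line, that import should be dropped as well.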

Exploit Details

  • Manual: Exploitation involves using standard TLS clients (curl, python-requests) without client certificates.

Mitigation Strategies

  • Upgrade Keylime packages immediately.
  • Implement strict firewall rules for the Registrar API port (8891).
  • Use a reverse proxy to enforce mTLS if patching is delayed.

Remediation Steps:

  1. Check installed version: pip show keylime
  2. If version is 7.12.0, 7.12.1, or 7.13.0, perform upgrade.
  3. Run: pip install --upgrade keylime
  4. Restart the keylime_registrar service: systemctl restart keylime_registrar
  5. Verify fix by attempting a curl request without a client certificate (should fail).
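Steps 1, 2 and 5 can be scripted. The following Python is an added example, not part of the advisory or of Keylime: it reads the installed version from package metadata (the equivalent of pip show keylime), applies the affected ranges listed above, and probes a registrar with a certificate-less TLS client the way step 5 describes, reporting whether the server rejected it. The host, the CA file path and the probe request path are assumptions; port 8891 is the one named in the advisory.

```python
import importlib.metadata
import socket
import ssl
from typing import Optional, Tuple

# Affected ranges from the advisory: >= 7.12.0 and < 7.12.2, plus == 7.13.0.
REGISTRAR_PORT = 8891  # registrar API port named in the advisory


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '7.12.1', '7.13.0rc1' or '7.12' into a 3-tuple of ints.
    Non-numeric suffixes are ignored; missing components are treated as 0."""
    parts = []
    for piece in text.strip().split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def is_affected(version: str) -> bool:
    """Step 2: True for 7.12.0, 7.12.1 and 7.13.0 (and nothing else)."""
    v = parse_version(version)
    return (7, 12, 0) <= v < (7, 12, 2) or v == (7, 13, 0)


def installed_keylime_version() -> Optional[str]:
    """Step 1: the installed version, or None if keylime is not installed."""
    try:
        return importlib.metadata.version("keylime")
    except importlib.metadata.PackageNotFoundError:
        return None


def probe_anonymous_tls(host: str, port: int = REGISTRAR_PORT,
                        cafile: Optional[str] = None, timeout: float = 5.0) -> str:
    """Step 5: connect WITHOUT a client certificate and report the outcome.

    Returns 'rejected' (the server refused the anonymous client or closed
    without answering, i.e. mTLS enforced), 'accepted' (an application-layer
    response came back, i.e. still vulnerable) or 'unreachable'.
    The request path '/' is a placeholder, not a registrar API route.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile:
        ctx.load_verify_locations(cafile=cafile)  # registrar CA, assumed path
    else:
        # This probe tests the server's client-auth policy, not its identity,
        # so server validation is skipped only when no CA file is supplied.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                # Under TLS 1.2 a CERT_REQUIRED server aborts the handshake
                # itself; under TLS 1.3 the client sees the handshake succeed
                # and the 'certificate required' alert only arrives on the
                # first read, so one request/response round trip is needed.
                tls.sendall(b"GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
                return "accepted" if tls.recv(1) else "rejected"
    except ssl.SSLError:  # checked before OSError, of which it is a subclass
        return "rejected"
    except OSError:
        return "unreachable"


if __name__ == "__main__":
    import sys
    ver = installed_keylime_version()
    print(f"installed keylime: {ver or 'not found'}; "
          f"affected: {is_affected(ver) if ver else 'n/a'}")
    if len(sys.argv) > 1:  # optional registrar host to probe (assumed argument)
        print("anonymous TLS client:", probe_anonymous_tls(sys.argv[1]))
```

Run it on the registrar host after the upgrade and restart; "accepted" from the probe means the override is still in effect and the service should be treated as exposed until the version check and the probe both come back clean.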
