Update Your libspdm Implementation to Patch Critical Vulnerability

CVE: CVE-2023-31127
CVSS v3.1: 9.1
Source: CVE-2023-31127

Libspdm is an open source implementation of the SPDM specifications for establishing cryptographic sessions. A critical vulnerability was discovered that could allow attackers to bypass mutual authentication when establishing SPDM sessions.

The vulnerability exists when a libspdm responder supports both DHE key exchange and PSK authentication, with mutual authentication enabled. An attacker could initiate a session using DHE but finish the handshake with PSK_FINISH instead. This would normally cause the session hash verification to fail, but libspdm was not properly checking for this mismatch between how the session was started and how it was finished.
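The following is an added illustration of the responder-side check the flaw concerns; it is not libspdm's code, and every name in it is hypothetical. The results of the cryptographic checks (transcript HMAC and requester signature) are passed in as plain booleans so that the control-flow difference between a handler that ignores how the session was started and one that enforces it stands on its own.

```c
/* Added example, not libspdm code: a minimal model of a responder that must
 * reject a finish message that does not match the session's key exchange.
 * All type and function names are hypothetical. */
#include <stdbool.h>
#include <stdint.h>

typedef enum { SESSION_DHE, SESSION_PSK } session_kind_t;
typedef enum { REQ_KEY_EXCHANGE, REQ_PSK_EXCHANGE, REQ_FINISH, REQ_PSK_FINISH } request_t;

typedef struct {
    uint32_t id;
    session_kind_t kind;          /* how the session was started */
    bool mutual_auth_required;    /* requester must prove its identity */
    bool requester_authenticated; /* set only after the requester's proof verifies */
    bool established;
} session_t;

/* Start a session and record whether it began over DHE or PSK. */
void start_session(session_t *s, uint32_t id, request_t req, bool mutual_auth) {
    s->id = id;
    s->kind = (req == REQ_PSK_EXCHANGE) ? SESSION_PSK : SESSION_DHE;
    s->mutual_auth_required = mutual_auth;
    s->requester_authenticated = false;
    s->established = false;
}

/* Vulnerable shape: any finish message completes the handshake once its own
 * HMAC verifies, so a DHE session that receives PSK_FINISH is marked
 * established without the requester ever having been authenticated. */
bool finish_session_vulnerable(session_t *s, request_t req, bool hmac_ok, bool sig_ok) {
    if (!hmac_ok) return false;
    if (req == REQ_FINISH && s->mutual_auth_required && !sig_ok) return false;
    if (req == REQ_FINISH) s->requester_authenticated = sig_ok;
    s->established = true;
    return true;
}

/* Hardened shape: the finish message must match how the session started, and
 * on a DHE session with mutual auth the requester's signature must verify. */
bool finish_session_fixed(session_t *s, request_t req, bool hmac_ok, bool sig_ok) {
    if (s->kind == SESSION_DHE && req != REQ_FINISH) return false;     /* rejects PSK_FINISH */
    if (s->kind == SESSION_PSK && req != REQ_PSK_FINISH) return false; /* rejects FINISH */
    if (!hmac_ok) return false;
    if (s->kind == SESSION_DHE && s->mutual_auth_required) {
        if (!sig_ok) return false;
        s->requester_authenticated = true;
    }
    s->established = true;
    return true;
}
```

A regression test for the fix should assert that a session started with KEY_EXCHANGE is never established by PSK_FINISH, regardless of whether the HMAC verifies.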

This leaves devices running older versions of libspdm vulnerable to man-in-the-middle attacks, as attackers could establish sessions without both sides authenticating to each other. Versions 1.0 through 2.2 are all impacted.

If you use libspdm in your products, it is strongly recommended to upgrade to the latest 2.3.1 release, which patches this issue. You should also treat mutual authentication as a requirement in your SPDM configurations to prevent similar bypass attempts in the future. Staying on top of software updates is critical for security, so be sure to have processes in place to rapidly deploy any announced patches.