Feb 4, 2026·6 min read·24 visits
Physical attackers can modify an unmeasured JSON config file to enable SSH and debugging features on EVE OS devices. Because the config wasn't part of the TPM sealing policy, the device still decrypts the secure vault during boot, granting the attacker root access to sensitive data. Fixed in version 9.5.0.
A critical lapse in the Trusted Platform Module (TPM) sealing policy of LF-Edge EVE OS allowed attackers with physical access to inject malicious configurations—enabling SSH and bypassing authentication—while still successfully unsealing the disk encryption keys. It turns out that measuring the operating system kernel is useless if you don't also measure the configuration file that tells the kernel to open the front door.
Edge computing is the Wild West of IT. You have expensive, sensitive boxes sitting in factories, wind turbines, and utility closets, often miles away from a security guard. To protect these devices, we rely on Measured Boot and Full Disk Encryption (FDE) backed by a Trusted Platform Module (TPM). The promise is simple: if anyone touches the hardware or tampers with the bootloader, the cryptographic measurements (PCRs) change, the TPM refuses to release the decryption key, and the device turns into a useless brick. Safe, right?
Enter CVE-2023-43633. LF-Edge EVE OS, a popular operating system for edge virtualization, had a gaping hole in this logic. While it meticulously measured the kernel and the initrd to ensure the OS code hadn't been tampered with, it completely ignored a specific configuration partition.
This is the equivalent of a bank vault that checks your retina and fingerprints (the OS code) but ignores the fact that you're holding a handwritten note saying "I am the manager, let me in" (the config file). By placing a simple JSON file on the disk, an attacker can tell the OS to drop its shields, and the TPM—oblivious to the change—happily hands over the keys to the kingdom.
To understand this failure, you have to understand TPM Sealing. You don't just "measure" software into Platform Configuration Registers (PCRs); you have to seal your secrets against those specific registers. If you measure the bootloader into PCR 4 but don't tell the TPM "Only release the key if PCR 4 matches X," then the measurement is just a number in a log, not a security control.
EVE OS has a mechanism to override global settings using a file located at /config/GlobalConfig/global.json. This feature is intended for legitimate provisioning and debugging. However, in vulnerable versions, this file resided on a partition that was either mutable or effectively ignored by the TPM's sealing policy.
Here is the logic failure:
/config partition, reads the malicious global.json, and executes instructions to enable SSH and disable authentication.The system was "secure" up until the millisecond after it decrypted the data, at which point it voluntarily surrendered to the attacker defined in the unmeasured config file.
The fix reveals exactly how simple the oversight was. In the world of Go and TPMs, everything comes down to a struct definition. The vulnerability existed because the list of PCRs used to seal the DiskKey was missing the index for the configuration measurement (PCR 13 or 14, depending on the version).
In pkg/pillar/evetpm/tpm.go, the developer defines which PCRs matter. Here is what the patch looked like for the initial fix (commit aa3501d6c57206ced222c33aea15a9169d629141):
// Before: PCR 13 (config) is ignored
DiskKeySealingPCRs = tpm2.PCRSelection{Hash: tpm2.AlgSHA1, PCRs: []int{0, 1, 2, 3, 4, 6, 7, 8, 9}}
// After: PCR 13 is enforced
DiskKeySealingPCRs = tpm2.PCRSelection{Hash: tpm2.AlgSHA1, PCRs: []int{0, 1, 2, 3, 4, 6, 7, 8, 9, 13}}But wait, it gets better. This was fixed in version 8.6.0. Then, in the 9.x branch, the developers moved the measurement to PCR 14 during a refactor... and forgot to update the sealing policy again. This regression meant that versions 9.0.0 through 9.4.x were vulnerable all over again. It's a classic case of "security by spreadsheet"—if the dev forgets to add the number to the list, the cryptography is worthless.
Exploiting this requires physical access, but for edge devices, that's part of the threat model. Here is how an attacker turns a locked box into an open book:
/config/GlobalConfig/global.json. The content is a shopping list of bad ideas:{
"debug.enable.ssh": true,
"debug.enable.usb": true,
"app.allow.vnc": true,
"authorized_keys": "ssh-rsa AAAAB3... [ATTACKER_KEY]"
}The Boot: The attacker puts the storage back and powers on the device.
The Bypass:
debug.enable.ssh: true, and starts the SSH daemon with the attacker's key.Profit: The attacker SSHs into the device. Since the vault was successfully unsealed by the TPM, they have full read/write access to all encrypted secrets, certificates, and application data.
A common rebuttal in security is, "If they have physical access, it's game over anyway." This is wrong. The entire point of TPM-backed Full Disk Encryption (FDE) is to secure data-at-rest even against physical theft. If a thief steals an ATM or a secure edge gateway, they should ideally end up with a pile of encrypted garbage.
CVE-2023-43633 breaks that contract. It allows the device to boot into a fully functional state under the control of the attacker. This allows for:
The remediation involves two critical steps that had to be applied to the codebase:
measurefs) was introduced (commit 5fef4d92e75838cc78010edaed5247dfbdae1889). This calculates a SHA-256 hash of the /config partition and extends it into the TPM PCR.evetpm/tpm.go was updated to include the new measurement.For administrators running EVE OS, the only real fix is to upgrade to version 9.5.0 (or 8.6.0 if you are still on the older branch). If you cannot upgrade, physical security controls (tamper-evident tape, epoxy, locked cabinets) are your only defense against this specific attack vector.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H| Product | Affected Versions | Fixed Version |
|---|---|---|
EVE OS LF-Edge | < 8.6.0 | 8.6.0 |
EVE OS LF-Edge | >= 9.0.0, <= 9.4.x | 9.5.0 |
| Attribute | Detail |
|---|---|
| CWE | CWE-522 (Insufficiently Protected Credentials) |
| CVSS v3.1 | 8.8 (High) |
| Attack Vector | Physical |
| Confidentiality | High (Full Vault Access) |
| Integrity | High (System Compromise) |
| Status | Patched (Regression fixed in 9.5.0) |
An allocation of resources without limits or throttling vulnerability in the Elixir Mint HTTP client library allows malicious HTTP/2 servers to trigger memory exhaustion and application denial of service. The flaw exists because Mint fails to validate server-push concurrency limits during the receipt of PUSH_PROMISE frames, deferring validation to the HEADERS phase. This allows a server to reserve an unlimited number of streams in the client's memory map.
An unsafe execution vulnerability exists in the Bazar form field calculator (CalcField.php) of YesWiki prior to version 4.6.6. The application attempts to validate mathematical formulas using a complex recursive regular expression before passing them to the PHP eval() function. This design leads to both Regular Expression Denial of Service (ReDoS) and Remote Code Execution (RCE) via validation bypass.
An infinite loop vulnerability exists in the pure-Python PDF library pypdf prior to version 6.13.1. When parsing or merging a crafted PDF file containing a cyclic Article/Thread structure, the library fails to exit its traversal loop. This causes the executing thread to hang indefinitely, leading to 100% CPU utilization and a denial of service. The vulnerability is tracked under CVE-2026-54651 and GHSA-g9xf-7f8q-9mcj, with a CVSS base score of 5.5. This technical report provides a root cause analysis, code review, exploitation vectors, and mitigation paths.
The Netty-based HTTP Client in the Micronaut framework fails to enforce a maximum redirect ceiling by default when processing HTTP responses. This permits remote, attacker-controlled servers to trigger continuous, infinite redirect loops. The resulting recursion causes high CPU utilization, thread starvation, and potential memory exhaustion, inducing a Denial of Service (DoS) state in client-side applications.
An information disclosure vulnerability exists in the Micronaut Framework's HTTP client components. The client fails to clear sensitive authorization headers and cookies when following redirects across different origins. If an application using the vulnerable client communicates with an endpoint that issues a redirect to an external host, the client will forward the original credentials, leading to potential token theft and session hijacking.
GHSA-52vm-mxx8-f227 is a dual-vector security flaw in phantom-audio (<= 1.3.0). The vulnerability allows arbitrary file writes due to unconfined Model Context Protocol (MCP) tool paths when the PHANTOM_OUTPUT_DIR environment variable is not defined. Concurrently, the platform lacks validation controls during the decompression of highly compressed audio files, resulting in resource-exhaustion denial of service and downstream parsing vulnerability exposure.