CVE-2022-23951: CWE-400 in keylime

Medium
Tags: Vulnerability, CVE-2022-23951, cve, cwe-400
Published: Wed Sep 21 2022 (09/21/2022, 18:25:07 UTC)
Source: CVE Database V5
Vendor/Project: n/a
Product: keylime

Description

In Keylime before 6.3.0, quote responses from the agent can contain possibly untrusted ZIP data which can lead to zip bombs.

AI-Powered Analysis

AI analysis last updated: 07/06/2025, 02:10:52 UTC

Technical Analysis

CVE-2022-23951 is a medium-severity vulnerability identified in the Keylime software prior to version 6.3.0. Keylime is an open-source remote attestation framework designed to verify the integrity of systems, often used in cloud and edge computing environments. The vulnerability arises from the way Keylime processes quote responses from its agents. Specifically, these responses can include ZIP data that is potentially untrusted. Because the software does not adequately validate or limit this ZIP data, it is susceptible to a zip bomb attack—a type of denial-of-service (DoS) attack where a small compressed file decompresses into an extremely large amount of data, overwhelming system resources. This vulnerability is classified under CWE-400, which pertains to uncontrolled resource consumption. The CVSS v3.1 base score is 5.5, reflecting a medium severity level, with the vector indicating local attack vector (AV:L), low attack complexity (AC:L), no privileges required (PR:N), but requiring user interaction (UI:R). The impact is limited to availability, with no confidentiality or integrity compromise. No known exploits have been reported in the wild, and no official patches are linked, though upgrading to Keylime 6.3.0 or later is implied as a remediation step.

Potential Impact

For European organizations utilizing Keylime, particularly those deploying it in cloud infrastructure or edge computing scenarios, this vulnerability poses a risk of denial-of-service conditions. An attacker with local access or the ability to interact with the Keylime agent could craft malicious quote responses containing zip bombs, causing excessive resource consumption and potentially leading to service outages or degraded performance. This can disrupt critical attestation and security monitoring functions, undermining trust in system integrity verification processes. While the vulnerability does not allow data leakage or unauthorized modification, the availability impact could affect operational continuity, especially in environments relying heavily on automated attestation for compliance or security assurance. Organizations in sectors such as finance, healthcare, and critical infrastructure within Europe, which often have stringent uptime and security requirements, may find this particularly concerning.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should ensure that all Keylime deployments are updated to version 6.3.0 or later, where the issue has been addressed. In addition, organizations should implement strict input validation and resource usage limits on ZIP data processing within their Keylime agents. Monitoring and alerting for unusual resource consumption patterns related to Keylime processes can help detect exploitation attempts early. Network segmentation and access controls should restrict who can interact with Keylime agents to minimize exposure to potentially malicious actors. Furthermore, incorporating sandboxing or running Keylime agent processes with limited privileges can reduce the impact of any resource exhaustion attempts. Finally, organizations should review their incident response plans to include scenarios involving denial-of-service attacks targeting attestation infrastructure.
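One way to implement the bounded ZIP handling the recommendations above call for, written here as an added Python example (Keylime is a Python project, but this is not Keylime's own code): the limits, the `ZipPolicyError` name and the sample archives are constructed for illustration. Declared sizes are checked before any inflation, and bytes are counted again while decompressing so the budget holds regardless of what the headers claim.

```python
import io
import zipfile

MAX_TOTAL_UNCOMPRESSED = 1_000_000   # hypothetical policy: 1 MB per quote payload
MAX_RATIO = 100                      # reject members claiming >100x expansion
CHUNK = 64 * 1024


class ZipPolicyError(ValueError):
    """Raised when an untrusted archive violates the resource policy."""


def safe_extract(zip_bytes, max_total=MAX_TOTAL_UNCOMPRESSED, max_ratio=MAX_RATIO):
    """Return {name: bytes} for an untrusted ZIP, enforcing size and ratio caps."""
    if not zipfile.is_zipfile(io.BytesIO(zip_bytes)):
        raise ZipPolicyError("not a ZIP archive")
    out, total = {}, 0
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Pass 1: cheap header checks, done before inflating anything
            if info.file_size > max_total or total + info.file_size > max_total:
                raise ZipPolicyError(f"{info.filename}: declared size exceeds limit")
            if info.compress_size and info.file_size / info.compress_size > max_ratio:
                raise ZipPolicyError(f"{info.filename}: compression ratio too high")
            # Pass 2: stream-decompress with a running count of real output bytes
            buf = bytearray()
            with zf.open(info) as fh:
                while chunk := fh.read(CHUNK):
                    total += len(chunk)
                    if total > max_total:
                        raise ZipPolicyError(f"{info.filename}: inflated past limit")
                    buf.extend(chunk)
            out[info.filename] = bytes(buf)
    return out


def make_zip(members):
    """Build an in-memory deflated ZIP from {name: bytes} (constructed sample data)."""
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return bio.getvalue()


BENIGN = make_zip({"quote.json": b'{"quote": "constructed sample"}'})
HIGH_RATIO = make_zip({"pad.bin": b"\0" * 500_000})    # under the total cap, ~1000x ratio
OVERSIZED = make_zip({"pad.bin": b"\0" * 4_000_000})   # declared size alone breaks the cap


def check(zip_bytes):
    """Apply the policy and report the outcome as a string."""
    try:
        safe_extract(zip_bytes)
        return "accepted"
    except ZipPolicyError as exc:
        return f"rejected: {exc}"
```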

Technical Details

Data Version
5.1
Assigner Short Name
fedora
Date Reserved
2022-01-25T00:00:00.000Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6836206f182aa0cae223c480

Added to database: 5/27/2025, 8:28:31 PM

Last enriched: 7/6/2025, 2:10:52 AM

Last updated: 8/1/2025, 8:15:49 AM
