Configfs path overridable via environment variable enables fake quotes #562

@pbeza

Description

The TDX quote generation code in dstack/dstack-util/src/tdx_attest.rs reads the configfs-tsm path from an environment variable without validation, allowing an attacker who controls the environment to redirect quote generation to an arbitrary path.

Root Cause

The TDX attestation library reads the DCAP_TDX_QUOTE_CONFIGFS_PATH environment variable to determine where to read/write TDX quote data. If set, this overrides the default configfs path (/sys/kernel/config/tsm/report). A process that can set this environment variable can redirect quote generation to an attacker-controlled filesystem path, serving fabricated TDX quotes.

```rust
// linux.rs:331-339
let configfs_path = std::env::var("DCAP_TDX_QUOTE_CONFIGFS_PATH")
    .unwrap_or_else(|_| DEFAULT_CONFIGFS_PATH.to_string());
```

Attack Path

  1. Attacker compromises a process inside the CVM or controls the process environment
  2. Attacker sets DCAP_TDX_QUOTE_CONFIGFS_PATH to a directory they control (e.g., /tmp/fake-tsm/)
  3. Attacker populates the fake directory with crafted quote data
  4. When the application requests a TDX quote, it reads from the attacker's directory instead of the real configfs
  5. The fabricated quote may contain arbitrary report_data, measurements, or signatures

Impact

Applications using the tdx-attest library can be tricked into using fake TDX quotes. The impact depends on whether the quotes are verified downstream: if they are, the fake quotes will fail signature verification, since they are not signed by Intel's QE. However, in configurations where quote verification is disabled (a related finding), fake quotes could be accepted.

Suggested Fix

Ignore the environment variable in production builds:

```rust
#[cfg(not(feature = "testing"))]
let configfs_path = DEFAULT_CONFIGFS_PATH.to_string();

#[cfg(feature = "testing")]
let configfs_path = std::env::var("DCAP_TDX_QUOTE_CONFIGFS_PATH")
    .unwrap_or_else(|_| DEFAULT_CONFIGFS_PATH.to_string());
```

Alternatively, validate that the configfs path points to a real sysfs mount.
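As an added example (not dstack's code), a hardened version of the path selection that combines both suggestions: the environment override is honoured only behind a testing flag, and the path used in production is lexically validated against the configfs-tsm root. The function names, the `testing_build` flag standing in for the `testing` cargo feature, and the error type are assumptions.

```rust
// Added example, not dstack's code. `testing_build` stands in for
// `#[cfg(feature = "testing")]`; names and the error type are assumptions.
use std::path::{Component, Path, PathBuf};

/// Default configfs-tsm report directory, as named in the report.
pub const DEFAULT_CONFIGFS_PATH: &str = "/sys/kernel/config/tsm/report";
/// Only paths under this root may ever be used as a quote source.
pub const TRUSTED_TSM_ROOT: &str = "/sys/kernel/config/tsm";

#[derive(Debug, PartialEq, Eq)]
pub enum PathError {
    NotAbsolute,
    ParentDirComponent,
    OutsideTrustedRoot,
}

/// Lexically validate a report path: absolute, no `..`, and component-wise
/// under TRUSTED_TSM_ROOT, so `/sys/kernel/config/tsm-evil/report` and
/// `/sys/kernel/config/tsm/../../../tmp/x` are both rejected.
/// A production build should additionally run std::fs::canonicalize on the
/// path and re-check it, so a symlink planted under the root cannot escape;
/// that step is omitted here because it needs a live configfs mount.
pub fn validate_configfs_path(candidate: &str) -> Result<PathBuf, PathError> {
    let path = Path::new(candidate);
    if !path.is_absolute() {
        return Err(PathError::NotAbsolute);
    }
    if path.components().any(|c| matches!(c, Component::ParentDir)) {
        return Err(PathError::ParentDirComponent);
    }
    if !path.starts_with(TRUSTED_TSM_ROOT) {
        return Err(PathError::OutsideTrustedRoot);
    }
    Ok(path.to_path_buf())
}

/// Choose the report path. `env_override` is the value of
/// DCAP_TDX_QUOTE_CONFIGFS_PATH, if set. It is consulted only in a testing
/// build; a production build never reads the environment and still validates
/// the path it ends up with.
pub fn resolve_configfs_path(
    env_override: Option<&str>,
    testing_build: bool,
) -> Result<PathBuf, PathError> {
    if testing_build {
        if let Some(p) = env_override {
            return Ok(PathBuf::from(p)); // test-only escape hatch
        }
    }
    validate_configfs_path(DEFAULT_CONFIGFS_PATH)
}
```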


Note: This issue was created automatically. The vulnerability report was generated by Claude and has not been verified by a human.
