In section 5.3.1 and section 5.4.1 of the spec, the first part of
verifying a new snapshot, targets, and delegated targets role requires
checking the new role's version number before we've checked that these
new roles were signed by the root role. This exposes TUF clients to
potential parser bugs which allow an attacker to potentially compromise
the system.
For example, consider a man-in-the-middle attacker that has a parser bug
which allows for executing arbitrary code, such as [CVE-2017-18349]. An
attacker could exploit this in a few manners:
1. [POUF-1] inlines the metadata signatures in with the role JSON
metadata file. While snapshot, targets, and delegated targets
can have their hashes listed in trusted metadata (and thus be
validated before parsing), the timestamp role must be parsed in order
to verify it was signed by the trusted root role.
2. TUF-1.0.5 Section 5.3.1 of the workflow states the snapshot should be
verified by hash and version number before checking the signature.
While we could verify the hash before parsing, the spec doesn't state
that the hash should be checked first. It's possible then for a
conformant TUF client to check the version number before hash, which
would expose the client to the parser bug.
3. TUF-1.0.5 Section 4.4 and 5.4.1 make it optional for the snapshot
role to contain the hashes of the targets and any delegated targets
role. If left out, we need to still parse these files to check the
version number before validating the signatures.
This patch addresses (2) and (3) by moving the verification of the
version number to after we've verified a role was properly signed by the
trusted root role. This would enable a future POUF that addresses (1)
to avoid future parser exploits.
[POUF-1]: https://github.com/theupdateframework/taps/blob/master/POUFs/reference-POUF/pouf1.md
[CVE-2017-18349]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18349
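The ordering argued for above, worked through as an added example in Python; this is not the project's own verifier and not POUF-1 (which inlines signatures in the JSON). It assumes a hypothetical detached-signature envelope so that the signature threshold can be checked over the raw bytes before any parser runs, uses HMAC-SHA256 with per-key secrets as a stand-in for Ed25519/RSA, and constructs its own key ids, snapshot bodies and a deliberately `fragile_parse` parser that fails on a planted trigger string. `verify_role` is the post-patch order (length/hash from trusted metadata, then signatures, then parse, then version); `verify_role_version_first` is the pre-patch order the commit message describes.

```python
import hashlib
import hmac
import json


class MetadataError(Exception):
    """Metadata rejected: bad hash/length, bad signature, rollback, version mismatch."""


def sign_envelope(body: bytes, signing_keys: dict) -> dict:
    """Hypothetical detached-signature envelope (assumption; POUF-1 inlines
    signatures). HMAC-SHA256 per key stands in for a real signature scheme;
    only the order of checks matters for this example."""
    return {
        "body": body,
        "signatures": {
            kid: hmac.new(secret, body, hashlib.sha256).hexdigest()
            for kid, secret in signing_keys.items()
        },
    }


def count_valid_signatures(body: bytes, signatures: dict, trusted_keys: dict) -> int:
    valid = 0
    for kid, sig in signatures.items():
        secret = trusted_keys.get(kid)
        if secret is None:
            continue  # key id not delegated by the trusted root: never counted
        expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, sig):
            valid += 1
    return valid


def verify_role(envelope, trusted_keys, threshold, *, expected_hash=None,
                expected_length=None, min_version=1, expected_version=None,
                parse=json.loads):
    """Post-patch order: raw-byte checks, signatures, then parse, then version."""
    body = envelope["body"]

    # 1. Length and hash listed in already-trusted metadata (timestamp for
    #    snapshot, snapshot for targets) are checked on the raw bytes first.
    if expected_length is not None and len(body) != expected_length:
        raise MetadataError("length mismatch")
    if expected_hash is not None and not hmac.compare_digest(
            hashlib.sha256(body).hexdigest(), expected_hash):
        raise MetadataError("hash mismatch")

    # 2. Signature threshold over the raw bytes with the keys the trusted root
    #    delegated to this role. No parser has touched the input yet.
    if count_valid_signatures(body, envelope["signatures"], trusted_keys) < threshold:
        raise MetadataError("signature threshold not met")

    # 3. Only signed bytes reach the parser.
    signed = parse(body)

    # 4. Version checks run on data the role's keys vouched for.
    version = signed["version"]
    if version < min_version:
        raise MetadataError(f"rollback: version {version} < trusted {min_version}")
    if expected_version is not None and version != expected_version:
        raise MetadataError(f"version {version} != listed {expected_version}")
    return signed


def verify_role_version_first(envelope, trusted_keys, threshold, *,
                              min_version=1, parse=json.loads):
    """Pre-patch order from the commit message: version before signatures."""
    signed = parse(envelope["body"])  # attacker-controlled bytes hit the parser here
    if signed["version"] < min_version:
        raise MetadataError("rollback")
    if count_valid_signatures(envelope["body"], envelope["signatures"], trusted_keys) < threshold:
        raise MetadataError("signature threshold not met")
    return signed


def fragile_parse(body: bytes):
    """Constructed stand-in for a parser with an exploitable bug: it fails
    (RuntimeError) whenever a trigger string a MITM can plant is present."""
    if b"@@TRIGGER@@" in body:
        raise RuntimeError("parser bug reached")
    return json.loads(body)


def outcome(check, *args, **kwargs) -> str:
    """Run a verifier and report how it ended."""
    try:
        check(*args, **kwargs)
        return "accepted"
    except MetadataError:
        return "rejected"
    except RuntimeError:
        return "parser bug reached"


# Constructed demo data: two snapshot keys delegated by root, threshold 2.
SNAPSHOT_KEYS = {"snap-key-1": b"secret-1", "snap-key-2": b"secret-2"}
THRESHOLD = 2
GOOD_BODY = json.dumps({"_type": "snapshot", "version": 2,
                        "meta": {"targets.json": {"version": 5}}}).encode()
GOOD_ENVELOPE = sign_envelope(GOOD_BODY, SNAPSHOT_KEYS)
GOOD_HASH = hashlib.sha256(GOOD_BODY).hexdigest()

# MITM swap: higher version plus the parser trigger, old signatures kept.
EVIL_BODY = json.dumps({"_type": "snapshot", "version": 99,
                        "meta": "@@TRIGGER@@"}).encode()
EVIL_ENVELOPE = {"body": EVIL_BODY, "signatures": GOOD_ENVELOPE["signatures"]}

if __name__ == "__main__":
    print("good, fixed order:", outcome(verify_role, GOOD_ENVELOPE, SNAPSHOT_KEYS,
                                        THRESHOLD, expected_version=2, parse=fragile_parse))
    print("evil, old order:  ", outcome(verify_role_version_first, EVIL_ENVELOPE,
                                        SNAPSHOT_KEYS, THRESHOLD, parse=fragile_parse))
    print("evil, fixed order:", outcome(verify_role, EVIL_ENVELOPE, SNAPSHOT_KEYS,
                                        THRESHOLD, parse=fragile_parse))
```

With the pre-patch order the swapped snapshot reaches `fragile_parse` and trips the bug; with the post-patch order the same bytes are rejected at the signature threshold (or earlier, at the hash, when the trusted timestamp lists one) and the parser never sees them. The rollback and version-match checks still run, just after the signatures, which is exactly the reordering the commit makes for points (2) and (3).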