SB2020071308 - Multiple vulnerabilities in tough

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2020-6174)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the affected software does not verify the cryptographic signature for data. A remote attacker can bypass implemented security restrictions.

2) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2020-15093)

The vulnerability allows a remote user to bypass signature threshold verification.

The vulnerability exists due to improper uniqueness verification of cryptographic signatures in signature threshold verification when validating signed metadata. A remote user can provide multiple valid signatures generated with the same signing key to bypass signature threshold verification.

Exploitation requires access to a valid signing key.

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References

• https://rustsec.org/advisories/RUSTSEC-2020-0024.html
• https://github.com/awslabs/tough/security/advisories/GHSA-5q2r-92f9-4m49
• https://github.com/advisories/GHSA-5q2r-92f9-4m49