SB2020090941 - Insufficient verification of data authenticity in The Update Framework (TUF)
Published: September 9, 2020 Updated: May 18, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Insufficient verification of data authenticity (CVE-ID: CVE-2020-15163)
CWE-ID: CWE-345 - Insufficient Verification of Data Authenticity
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to take control of the trust chain for all future updates.
The vulnerability exists due to improper verification of root metadata in the client's root metadata update workflow when several new root versions are processed in sequence. Affected: the Python reference implementation of TUF (python-tuf) before version 0.12. An attacker in a man-in-the-middle position who can serve crafted root metadata (for example, a new root version that assigns the root role to attacker-controlled keys) can exploit this to replace the root keys the client trusts and thereby control which keys sign every later update.
The root cause is that a root metadata file which fails signature verification at download time is nevertheless retained by the client and can later be treated as trusted, instead of being discarded so that the last verified root remains the only trusted one.
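The following is an added, self-contained illustration (not code from this bulletin or from python-tuf) of the failure mode described above. It models a client whose root-update loop persists each downloaded root before verifying it, next to a loop that persists a root version only after it is signed by a threshold of the currently trusted root keys and by a threshold of its own root keys, which are the checks the TUF specification requires. Signing is simulated with HMAC secrets so the example runs offline; the key names, the in-memory "on-disk" store, the `VulnerableClient`/`FixedClient` classes and the attacker's root document are all constructed for the example and are a simplified model of the workflow, not python-tuf's actual code.

```python
import hashlib
import hmac
import json

# Constructed key material for the example: HMAC secrets stand in for signing
# keys so it runs offline. Real TUF root metadata uses asymmetric signatures.
KEYS = {"A": b"secret-A", "B": b"secret-B", "EVIL": b"secret-attacker"}


def canonical(signed):
    """Canonical JSON of the 'signed' portion, i.e. the bytes that get signed."""
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()


def sign(keyid, signed):
    return hmac.new(KEYS[keyid], canonical(signed), hashlib.sha256).hexdigest()


def make_root(version, keyids, threshold, signers):
    """Build a root.json-like document: a root role plus a list of signatures."""
    signed = {"_type": "root", "version": version,
              "roles": {"root": {"keyids": keyids, "threshold": threshold}}}
    return {"signed": signed,
            "signatures": [{"keyid": k, "sig": sign(k, signed)} for k in signers]}


def verify_root(new_root, delegating_signed):
    """True if new_root carries a threshold of valid signatures from the root
    keys that delegating_signed authorises. Called once with the trusted root
    and once with the new root itself (TUF spec steps 5.3.4 and 5.3.5)."""
    role = delegating_signed["roles"]["root"]
    valid = set()
    for s in new_root["signatures"]:
        kid = s["keyid"]
        if kid in role["keyids"] and kid in KEYS and \
                hmac.compare_digest(s["sig"], sign(kid, new_root["signed"])):
            valid.add(kid)
    return len(valid) >= role["threshold"]


class VulnerableClient:
    """Models the flaw: every downloaded root is written to the local store
    before verification finishes, and the next start-up trusts the newest
    stored file. Simplified model constructed for this example."""

    def __init__(self, store):
        self.store = store                      # version -> root metadata ("on disk")
        self.trusted = store[max(store)]

    def update_root(self, fetch):
        version = self.trusted["signed"]["version"]
        while (new := fetch(version + 1)) is not None:
            self.store[version + 1] = new       # BUG: persisted before it is verified
            if not (verify_root(new, self.trusted["signed"])
                    and verify_root(new, new["signed"])):
                return False                    # abort, but the bad file stays on disk
            self.trusted = new
            version += 1
        return True


class FixedClient(VulnerableClient):
    """Same loop, but a root version is persisted and trusted only after it is
    signed by a threshold of the current root keys AND of its own root keys."""

    def update_root(self, fetch):
        version = self.trusted["signed"]["version"]
        while (new := fetch(version + 1)) is not None:
            if new["signed"]["version"] != version + 1:
                return False                    # wrong version: mix-up or rollback
            if not verify_root(new, self.trusted["signed"]):
                return False                    # not authorised by the root we trust
            if not verify_root(new, new["signed"]):
                return False                    # not signed by its own root keys
            self.store[version + 1] = new       # only now does it touch the store
            self.trusted = new
            version += 1
        return True


def mitm_attack(client_cls):
    """Trusted root v1 (key A). An on-path attacker serves a v2 that hands the
    root role to its own key and is signed only by that key. Returns the root
    keyids a *fresh* client started from the same store trusts afterwards."""
    store = {1: make_root(1, ["A"], 1, ["A"])}
    evil_v2 = make_root(2, ["EVIL"], 1, ["EVIL"])     # constructed attacker root
    client_cls(store).update_root(lambda v: {2: evil_v2}.get(v))
    return client_cls(store).trusted["signed"]["roles"]["root"]["keyids"]


def legitimate_rotation(client_cls):
    """Key A rotates to B: v2 is signed by A (current root) and by B (its own root)."""
    store = {1: make_root(1, ["A"], 1, ["A"])}
    v2 = make_root(2, ["B"], 1, ["A", "B"])
    client_cls(store).update_root(lambda v: {2: v2}.get(v))
    return client_cls(store).trusted["signed"]["roles"]["root"]["keyids"]


if __name__ == "__main__":
    print("vulnerable client after MITM:", mitm_attack(VulnerableClient))     # ['EVIL']
    print("fixed client after MITM:     ", mitm_attack(FixedClient))          # ['A']
    print("fixed client, real rotation: ", legitimate_rotation(FixedClient))  # ['B']
```

Running the script shows the practical difference: both clients reject the attacker's root at download time, but only the fixed client leaves the store untouched, so a later start-up still trusts key A. The vulnerable client's next start-up picks up the cached, never-verified v2 and from then on accepts anything signed by the attacker's key. The fixed client still accepts a genuine rotation, because a legitimate v2 is signed by both the outgoing and the incoming root keys.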
Remediation
Install the update from the vendor's website: upgrade to python-tuf version 0.12 or later, where the root metadata update workflow was corrected. After upgrading, check the client's local metadata store for root metadata files that were downloaded but never verified, and ensure the trusted root is one that was obtained and verified through a known-good channel.